# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import typing as ty
import warnings

from keystoneauth1.identity.v3 import base
from keystoneauth1 import loading
from keystoneauth1 import plugin

__all__ = ('MultiFactor',)


class MultiFactor(base.Auth):
    """A plugin for authenticating with multiple auth methods.

    :param string auth_url: Identity service endpoint for authentication.
    :param string auth_methods: names of the methods to authenticate with.
    :param string trust_id: Trust ID for trust scoping.
    :param string system_scope: System information to scope to.
    :param string domain_id: Domain ID for domain scoping.
    :param string domain_name: Domain name for domain scoping.
    :param string project_id: Project ID for project scoping.
    :param string project_name: Project name for project scoping.
    :param string project_domain_id: Project's domain ID for project.
    :param string project_domain_name: Project's domain name for project.
    :param bool reauthenticate: Allow fetching a new token if the current one
                                is going to expire. (optional) default True

    Also accepts various keyword args based on which methods are specified.
    """

    def __init__(
        self,
        auth_url: str,
        auth_methods: list[str],
        *,
        unscoped: bool = False,
        trust_id: ty.Optional[str] = None,
        system_scope: ty.Optional[str] = None,
        domain_id: ty.Optional[str] = None,
        domain_name: ty.Optional[str] = None,
        project_id: ty.Optional[str] = None,
        project_name: ty.Optional[str] = None,
        project_domain_id: ty.Optional[str] = None,
        project_domain_name: ty.Optional[str] = None,
        reauthenticate: bool = True,
        include_catalog: bool = True,
        **kwargs: ty.Any,
    ):
        method_instances: list[base.AuthMethod] = []
        method_keys: set[str] = set()
        for method in auth_methods:
            # Using the loaders we pull the related auth method class
            loader: loading.BaseLoader[plugin.BaseAuthPlugin] = (
                loading.get_plugin_loader(method)
            )
            plugin_class = loader.plugin_class

            if issubclass(plugin_class, base.AuthConstructor):  # legacy path
                warnings.warn(
                    f"Support for {base.AuthConstructor.__qualname__} is "
                    f"deprecated and will be removed in a future release. "
                    f"Plugins should subclass for {base.Auth.__qualname__}.",
                    category=DeprecationWarning,
                )
                method_class = plugin_class._auth_method_class
                method_parameters = method_class._method_parameters or []
            elif issubclass(plugin_class, base.Auth) and isinstance(
                plugin_class, base.SupportsMultiFactor
            ):
                method_class = plugin_class._auth_method_class
                method_parameters = list(method_class.__annotations__)
            else:
                raise TypeError(
                    'The multifactor auth method can only be used with v3 '
                    'auth plugins that implement the SupportsMultiFactor '
                    'protocol'
                )

            # We build some new kwargs for the method from required parameters
            method_kwargs = {}
            for key in method_parameters:
                method_kwargs[key] = kwargs.get(key, None)
                # we also add them to method_keys to pop later from global
                # kwargs rather than here as other methods may need them too
                method_keys.add(key)

            # We initialize the method class using just required kwargs
            method_instances.append(method_class(**method_kwargs))

        # We now pop all the keys used for methods as otherwise they get passed
        # to the super class and throw errors
        for key in method_keys:
            kwargs.pop(key, None)

        # This should now be empty
        assert not kwargs  # nosec B101

        super().__init__(
            auth_url=auth_url,
            auth_methods=method_instances,
            unscoped=unscoped,
            trust_id=trust_id,
            system_scope=system_scope,
            domain_id=domain_id,
            domain_name=domain_name,
            project_id=project_id,
            project_name=project_name,
            project_domain_id=project_domain_id,
            project_domain_name=project_domain_name,
            reauthenticate=reauthenticate,
            include_catalog=include_catalog,
        )