using EntrustSettle.AuthHelper;
using EntrustSettle.Common;
using EntrustSettle.Common.AppConfig;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text;

namespace EntrustSettle.Extensions
{
    /// <summary>
    /// 系统 授权服务 配置
    /// </summary>
    public static class AuthorizationSetup
    {
        public static void AddAuthorizationSetup(this IServiceCollection services)
        {
            if (services == null) throw new ArgumentNullException(nameof(services));

            // 以下四种常见的授权方式。

            // 1.基于角色的授权方式 只需要在API层的controller上边，增加特性即可
            // [Authorize(Roles = "Admin,System")]


            // 2.基于策略(角色)的授权方式，好处就是不用在controller中，写多个 roles 。在API层的controller上边，增加特性[Authorize(Policy = "Admin")]
            //services.AddAuthorization(options =>
            //{
            //    options.AddPolicy("Client", policy => policy.RequireRole("Client").Build());
            //    options.AddPolicy("Admin", policy => policy.RequireRole("Admin").Build());
            //    options.AddPolicy("SystemOrAdmin", policy => policy.RequireRole("Admin", "System"));
            //    options.AddPolicy("A_S_O", policy => policy.RequireRole("Admin", "System", "Others"));
            //});

            //#region 参数
            //读取配置文件
            //var symmetricKeyAsBase64 = AppSecretConfig.Audience_Secret_String;
            //var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
            //var signingKey = new SymmetricSecurityKey(keyByteArray);
            //var Issuer = AppSettings.app(new string[] { "Audience", "Issuer" });
            //var Audience = AppSettings.app(new string[] { "Audience", "Audience" });

            //var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

            //// 如果要数据库动态绑定，这里先留个空，后边处理器里动态赋值
            //var permission = new List<PermissionItem>();

            //// 角色与接口的权限要求参数
            //var permissionRequirement = new PermissionRequirement(
            //    "/api/denied",// 拒绝授权的跳转地址（目前无用）
            //    permission,
            //    ClaimTypes.Role,//基于角色的授权
            //    Issuer,//发行人
            //    Audience,//听众
            //    signingCredentials,//签名凭据
            //    expiration: TimeSpan.FromSeconds(60 * 60)//接口的过期时间
            //    );
            //#endregion

            //// 3、自定义复杂的策略授权
            //services.AddAuthorization(options =>
            //{
            //    options.AddPolicy(Permissions.Name,
            //             policy => policy.Requirements.Add(permissionRequirement));
            //});
            //services.AddScoped<IAuthorizationHandler, PermissionHandler>(); // 注入权限处理器
            //services.AddSingleton(permissionRequirement);
        }
    }
}