import nacl
import base64

from nacl import pwhash, secret
from django.db import models
from django.core.cache import cache
from django.utils.translation import gettext_lazy as _
from django.contrib.auth.models import BaseUserManager, AbstractBaseUser


class UserManager(BaseUserManager):
    def create_user(self, email, password=None):
        """
        Creates and saves a User with the given email, date of
        birth and password.
        """
        if not email:
            raise ValueError("Users must have an email address")

        user = self.model(
            email=self.normalize_email(email),
        )

        user.set_password(password)
        user.save(using=self._db)
        return user

    def create_superuser(self, email, password=None):
        """
        Creates and saves a superuser with the given email, date of
        birth and password.
        """
        user = self.create_user(
            email,
            password=password,
        )
        user.is_admin = True
        user.save(using=self._db)
        return user


class User(AbstractBaseUser):
    email = models.EmailField(
        _('Email address'),
        max_length=255,
        unique=True,
    )
    is_active = models.BooleanField(default=True)
    is_admin = models.BooleanField(default=False)
    first_name = models.CharField(_("First name"), max_length=255, blank=True, null=True)
    last_name = models.CharField(_("Last name"), max_length=255, blank=True, null=True)
    encrypted_sensitive_data = models.CharField(max_length=255)
    salt = models.CharField(max_length=255)
    accept_gdpr = models.BooleanField(default=False)

    objects = UserManager()

    USERNAME_FIELD = "email"
    REQUIRED_FIELDS = []

    def __str__(self):
        return self.email

    def has_perm(self, perm, obj=None):
        "Does the user have a specific permission?"
        # Simplest possible answer: Yes, always
        return True

    def has_module_perms(self, app_label):
        "Does the user have permissions to view the app `app_label`?"
        # Simplest possible answer: Yes, always
        return True

    @property
    def is_staff(self):
        "Is the user a member of staff?"
        # Simplest possible answer: All admins are staff
        return self.is_admin

    @property
    def username(self):
        "Is the email of the user"
        return self.email

    def get_memberships(self):
        members = set(
            str(dict(x.Types.choices)[x.type]) for x in self.memberships.all()
        )
        return ", ".join(members)

    def get_roles(self):
        roles = []
        for s in self.roles.all():
            for r in s.service.rol.all():
                roles.append(r.name)
        return ", ".join(set(roles))

    def derive_key_from_password(self, password=None):
        if not password:
            password = cache.get("KEY_DIDS").encode('utf-8')

        kdf = pwhash.argon2i.kdf
        ops = pwhash.argon2i.OPSLIMIT_INTERACTIVE
        mem = pwhash.argon2i.MEMLIMIT_INTERACTIVE
        return kdf(
            secret.SecretBox.KEY_SIZE,
            password,
            self.get_salt(),
            opslimit=ops,
            memlimit=mem
        )

    def decrypt_sensitive_data(self, data=None):
        sb_key = self.derive_key_from_password()
        sb = secret.SecretBox(sb_key)
        if not data:
            data = self.get_encrypted_sensitive_data()
        if not isinstance(data, bytes):
            data = data.encode('utf-8')

        return sb.decrypt(data).decode('utf-8')

    def encrypt_sensitive_data(self, data):
        sb_key = self.derive_key_from_password()
        sb = secret.SecretBox(sb_key)
        if not isinstance(data, bytes):
            data = data.encode('utf-8')
        
        return base64.b64encode(sb.encrypt(data)).decode('utf-8')

    def get_salt(self):
        return base64.b64decode(self.salt.encode('utf-8'))

    def set_salt(self):
        self.salt = base64.b64encode(nacl.utils.random(16)).decode('utf-8')

    def get_encrypted_sensitive_data(self):
        return base64.b64decode(self.encrypted_sensitive_data.encode('utf-8'))

    def set_encrypted_sensitive_data(self):
        key = base64.b64encode(nacl.utils.random(64))
        self.set_salt()

        key_crypted = self.encrypt_sensitive_data(key)
        self.encrypted_sensitive_data = key_crypted

    def encrypt_data(self, data):
        pw = self.decrypt_sensitive_data().encode('utf-8')
        sb = self.get_secret_box(pw)
        value_enc = sb.encrypt(data.encode('utf-8'))
        return base64.b64encode(value_enc).decode('utf-8')

    def decrypt_data(self, data):
        pw = self.decrypt_sensitive_data().encode('utf-8')
        sb = self.get_secret_box(pw)
        value = base64.b64decode(data.encode('utf-8'))
        return sb.decrypt(value).decode('utf-8')

    def get_secret_box(self, password):
        sb_key = self.derive_key_from_password(password)
        return secret.SecretBox(sb_key)

    def change_password_key(self, new_password):
        data = self.decrypt_sensitive_data()
        sb_key = self.derive_key_from_password(new_password)
        sb = secret.SecretBox(sb_key)
        if not isinstance(data, bytes):
            data = data.encode('utf-8')
        
        encrypted_data = base64.b64encode(sb.encrypt(data)).decode('utf-8')
        self.encrypted_sensitive_data = encrypted_data