# Copyright 2018 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#            http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import logging
import google.auth
from google.auth import iam
from google.auth.credentials import with_scopes_if_required
from google.auth._default import load_credentials_from_file
from google.auth.transport import requests
from google.oauth2 import service_account
from googleapiclient import discovery

logger = logging.getLogger(__name__)

_TOKEN_URI = 'https://accounts.google.com/o/oauth2/token'
_TOKEN_SCOPE = frozenset(['https://www.googleapis.com/auth/iam'])


def build_service(api,
                  version,
                  credentials_path=None,
                  user_email=None,
                  scopes=None):
    """Build and returns a service object.

    Allows delegation of GSuite permissions to the service account when the `user_email` argument is passed.

    Args:
      api (str): The Admin SDK API to use.
      version (str): The Admin SDK API version to use.
      credentials_path (str, optional): The path to the service account credentials.
      user_email (str): The email of the user. Needs permissions to access the Admin APIs.
      scopes (list, optional): A list of scopes to authenticate the request with.

    Returns:
      Google Service object.
    """
    if credentials_path is not None:
        logger.info("Getting credentials from file '%s' ...", credentials_path)
        credentials, _ = load_credentials_from_file(credentials_path)
    else:
        logger.info("Getting default application credentials ...")
        credentials, _ = google.auth.default()

    if user_email is not None:  # make delegated credentials
        credentials = _make_delegated_credentials(credentials, user_email,
                                                  scopes)

    return discovery.build(api, version, credentials=credentials)


def _make_delegated_credentials(credentials, user_email, scopes):
    """Make delegated credentials.

    Allows a service account to impersonate the user passed in `user_email`,
    using a restricted set of scopes.

    Args:
        credentials (service_account.Credentials): The service account credentials.
        user_email (str): The email for the user to impersonate.
        scopes (list): A list of scopes.

    Returns:
        service_account.Credentials: The delegated credentials
    """
    request = requests.Request()
    credentials = with_scopes_if_required(credentials, _TOKEN_SCOPE)
    credentials.refresh(request)
    email = credentials.service_account_email
    signer = iam.Signer(request, credentials, email)
    return service_account.Credentials(signer,
                                       email,
                                       _TOKEN_URI,
                                       scopes=scopes,
                                       subject=user_email)