import base64
from elastic.es_connect import get_user_by_username as es_get_user_by_username
from .crypto import salt_for_username, derive_password


def get_user_by_username(username: str):
    """
    从Elasticsearch获取用户数据；若不存在则回退到内置admin。
    期望ES中存储的是明文密码，登录时按用户名盐派生后对nonce做HMAC验证。
    """
    es_user = es_get_user_by_username(username)
    if es_user:
        salt = salt_for_username(username)
        derived = derive_password(es_user.get('password', ''), salt)
        return {
            'user_id': es_user.get('user_id', 0),
            'username': es_user.get('username', ''),
            'password': base64.b64encode(derived).decode('ascii'),
            'permission': es_user.get('permission', 1),
        }

    salt = salt_for_username('admin')
    derived = derive_password('admin', salt)
    return {
        'user_id': 0,
        'username': 'admin',
        'password': base64.b64encode(derived).decode('ascii'),
        'permission': 0,
    }