package seedjobs

import (
	"context"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"

	"github.com/jenkinsci/kubernetes-operator/pkg/apis/jenkinsio/v1alpha1"
	"github.com/jenkinsci/kubernetes-operator/pkg/log"

	"github.com/go-logr/logr"
	stackerr "github.com/pkg/errors"
	"k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	"k8s.io/apimachinery/pkg/types"
)

// ValidateSeedJobs verify seed jobs configuration
func (r *SeedJobs) ValidateSeedJobs(jenkins *v1alpha1.Jenkins) (bool, error) {
	valid := true

	// TODO id must be unique
	if jenkins.Spec.SeedJobs != nil {
		for _, seedJob := range jenkins.Spec.SeedJobs {
			logger := r.logger.WithValues("seedJob", fmt.Sprintf("%+v", seedJob)).V(log.VWarn)

			if len(seedJob.ID) == 0 {
				logger.Info("id can't be empty")
				valid = false
			}

			if len(seedJob.RepositoryBranch) == 0 {
				logger.Info("repository branch can't be empty")
				valid = false
			}

			if len(seedJob.RepositoryURL) == 0 {
				logger.Info("repository URL branch can't be empty")
				valid = false
			}

			if len(seedJob.Targets) == 0 {
				logger.Info("targets can't be empty")
				valid = false
			}

			if _, ok := v1alpha1.AllowedJenkinsCredentialMap[string(seedJob.JenkinsCredentialType)]; !ok {
				logger.Info("unknown credential type")
				return false, nil
			}

			if (seedJob.JenkinsCredentialType == v1alpha1.BasicSSHCredentialType ||
				seedJob.JenkinsCredentialType == v1alpha1.UsernamePasswordCredentialType) && len(seedJob.CredentialID) == 0 {
				logger.Info("credential ID can't be empty")
				valid = false
			}

			// validate repository url match private key
			if strings.Contains(seedJob.RepositoryURL, "git@") && seedJob.JenkinsCredentialType == v1alpha1.NoJenkinsCredentialCredentialType {
				logger.Info("Jenkins credential must be set while using ssh repository url")
				valid = false
			}

			if seedJob.JenkinsCredentialType == v1alpha1.BasicSSHCredentialType || seedJob.JenkinsCredentialType == v1alpha1.UsernamePasswordCredentialType {
				secret := &v1.Secret{}
				namespaceName := types.NamespacedName{Namespace: jenkins.Namespace, Name: seedJob.CredentialID}
				err := r.k8sClient.Get(context.TODO(), namespaceName, secret)
				if err != nil && apierrors.IsNotFound(err) {
					logger.Info(fmt.Sprintf("required secret '%s' with Jenkins credential not found", seedJob.CredentialID))
					return false, nil
				} else if err != nil {
					return false, stackerr.WithStack(err)
				}

				if seedJob.JenkinsCredentialType == v1alpha1.BasicSSHCredentialType {
					if ok := validateBasicSSHSecret(logger, *secret); !ok {
						valid = false
					}
				}
				if seedJob.JenkinsCredentialType == v1alpha1.UsernamePasswordCredentialType {
					if ok := validateUsernamePasswordSecret(logger, *secret); !ok {
						valid = false
					}
				}
			}
		}
	}
	return valid, nil
}

func validateBasicSSHSecret(logger logr.InfoLogger, secret v1.Secret) bool {
	valid := true
	username, exists := secret.Data[UsernameSecretKey]
	if !exists {
		logger.Info(fmt.Sprintf("required data '%s' not found in secret '%s'", UsernameSecretKey, secret.ObjectMeta.Name))
		valid = false
	}
	if len(username) == 0 {
		logger.Info(fmt.Sprintf("required data '%s' is empty in secret '%s'", UsernameSecretKey, secret.ObjectMeta.Name))
		valid = false
	}

	privateKey, exists := secret.Data[PrivateKeySecretKey]
	if !exists {
		logger.Info(fmt.Sprintf("required data '%s' not found in secret '%s'", PrivateKeySecretKey, secret.ObjectMeta.Name))
		valid = false
	}
	if len(string(privateKey)) == 0 {
		logger.Info(fmt.Sprintf("required data '%s' not found in secret '%s'", PrivateKeySecretKey, secret.ObjectMeta.Name))
		return false
	}
	if err := validatePrivateKey(string(privateKey)); err != nil {
		logger.Info(fmt.Sprintf("private key '%s' invalid in secret '%s': %s", PrivateKeySecretKey, secret.ObjectMeta.Name, err))
		valid = false
	}

	return valid
}

func validateUsernamePasswordSecret(logger logr.InfoLogger, secret v1.Secret) bool {
	valid := true
	username, exists := secret.Data[UsernameSecretKey]
	if !exists {
		logger.Info(fmt.Sprintf("required data '%s' not found in secret '%s'", UsernameSecretKey, secret.ObjectMeta.Name))
		valid = false
	}
	if len(username) == 0 {
		logger.Info(fmt.Sprintf("required data '%s' is empty in secret '%s'", UsernameSecretKey, secret.ObjectMeta.Name))
		valid = false
	}
	password, exists := secret.Data[PasswordSecretKey]
	if !exists {
		logger.Info(fmt.Sprintf("required data '%s' not found in secret '%s'", PasswordSecretKey, secret.ObjectMeta.Name))
		valid = false
	}
	if len(password) == 0 {
		logger.Info(fmt.Sprintf("required data '%s' is empty in secret '%s'", PasswordSecretKey, secret.ObjectMeta.Name))
		valid = false
	}

	return valid
}

func validatePrivateKey(privateKey string) error {
	block, _ := pem.Decode([]byte(privateKey))
	if block == nil {
		return stackerr.New("failed to decode PEM block")
	}

	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return stackerr.WithStack(err)
	}

	err = priv.Validate()
	if err != nil {
		return stackerr.WithStack(err)
	}

	return nil
}