package vault

import (
	"encoding/json"
	"fmt"
	"log/slog"
	"path/filepath"
	"regexp"
	"strings"
	"time"

	"filippo.io/age"
	"git.eeqj.de/sneak/secret/internal/secret"
	"github.com/spf13/afero"
)

// ListSecrets returns a list of secret names in this vault
func (v *Vault) ListSecrets() ([]string, error) {
	secret.DebugWith("Listing secrets in vault", slog.String("vault_name", v.Name))

	vaultDir, err := v.GetDirectory()
	if err != nil {
		secret.Debug("Failed to get vault directory for secret listing", "error", err, "vault_name", v.Name)
		return nil, err
	}

	secretsDir := filepath.Join(vaultDir, "secrets.d")

	// Check if secrets directory exists
	exists, err := afero.DirExists(v.fs, secretsDir)
	if err != nil {
		secret.Debug("Failed to check secrets directory", "error", err, "secrets_dir", secretsDir)
		return nil, fmt.Errorf("failed to check if secrets directory exists: %w", err)
	}
	if !exists {
		secret.Debug("Secrets directory does not exist", "secrets_dir", secretsDir, "vault_name", v.Name)
		return []string{}, nil
	}

	// List directories in secrets.d
	files, err := afero.ReadDir(v.fs, secretsDir)
	if err != nil {
		secret.Debug("Failed to read secrets directory", "error", err, "secrets_dir", secretsDir)
		return nil, fmt.Errorf("failed to read secrets directory: %w", err)
	}

	var secrets []string
	for _, file := range files {
		if file.IsDir() {
			// Convert storage name back to secret name
			secretName := strings.ReplaceAll(file.Name(), "%", "/")
			secrets = append(secrets, secretName)
		}
	}

	secret.DebugWith("Found secrets in vault",
		slog.String("vault_name", v.Name),
		slog.Int("secret_count", len(secrets)),
		slog.Any("secret_names", secrets),
	)

	return secrets, nil
}

// isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+
func isValidSecretName(name string) bool {
	if name == "" {
		return false
	}
	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)
	return matched
}

// AddSecret adds a secret to this vault
func (v *Vault) AddSecret(name string, value []byte, force bool) error {
	secret.DebugWith("Adding secret to vault",
		slog.String("vault_name", v.Name),
		slog.String("secret_name", name),
		slog.Int("value_length", len(value)),
		slog.Bool("force", force),
	)

	// Validate secret name
	if !isValidSecretName(name) {
		secret.Debug("Invalid secret name provided", "secret_name", name)
		return fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
	}
	secret.Debug("Secret name validation passed", "secret_name", name)

	secret.Debug("Getting vault directory")
	vaultDir, err := v.GetDirectory()
	if err != nil {
		secret.Debug("Failed to get vault directory for secret addition", "error", err, "vault_name", v.Name)
		return err
	}
	secret.Debug("Got vault directory", "vault_dir", vaultDir)

	// Convert slashes to percent signs for storage
	storageName := strings.ReplaceAll(name, "/", "%")
	secretDir := filepath.Join(vaultDir, "secrets.d", storageName)

	secret.DebugWith("Secret storage details",
		slog.String("storage_name", storageName),
		slog.String("secret_dir", secretDir),
	)

	// Check if secret already exists
	secret.Debug("Checking if secret already exists", "secret_dir", secretDir)
	exists, err := afero.DirExists(v.fs, secretDir)
	if err != nil {
		secret.Debug("Failed to check if secret exists", "error", err, "secret_dir", secretDir)
		return fmt.Errorf("failed to check if secret exists: %w", err)
	}
	secret.Debug("Secret existence check complete", "exists", exists)

	// Handle existing secret case
	now := time.Now()
	var previousVersion *secret.SecretVersion

	if exists {
		if !force {
			secret.Debug("Secret already exists and force not specified", "secret_name", name, "secret_dir", secretDir)
			return fmt.Errorf("secret %s already exists (use --force to overwrite)", name)
		}

		// Get the current version to update its notAfter timestamp
		currentVersionName, err := secret.GetCurrentVersion(v.fs, secretDir)
		if err == nil && currentVersionName != "" {
			previousVersion = secret.NewSecretVersion(v, name, currentVersionName)
			// We'll need to load and update its metadata after we unlock the vault
		}
	} else {
		// Create secret directory for new secret
		secret.Debug("Creating secret directory", "secret_dir", secretDir)
		if err := v.fs.MkdirAll(secretDir, secret.DirPerms); err != nil {
			secret.Debug("Failed to create secret directory", "error", err, "secret_dir", secretDir)
			return fmt.Errorf("failed to create secret directory: %w", err)
		}
		secret.Debug("Created secret directory successfully")
	}

	// Generate new version name
	versionName, err := secret.GenerateVersionName(v.fs, secretDir)
	if err != nil {
		secret.Debug("Failed to generate version name", "error", err, "secret_name", name)
		return fmt.Errorf("failed to generate version name: %w", err)
	}

	secret.Debug("Generated new version name", "version", versionName, "secret_name", name)

	// Create new version
	newVersion := secret.NewSecretVersion(v, name, versionName)

	// Set version timestamps
	if previousVersion == nil {
		// First version: notBefore = epoch + 1 second
		epochPlusOne := time.Unix(1, 0)
		newVersion.Metadata.NotBefore = &epochPlusOne
	} else {
		// New version: notBefore = now
		newVersion.Metadata.NotBefore = &now

		// We'll update the previous version's notAfter after we save the new version
	}

	// Save the new version
	if err := newVersion.Save(value); err != nil {
		secret.Debug("Failed to save new version", "error", err, "version", versionName)
		return fmt.Errorf("failed to save version: %w", err)
	}

	// Update previous version if it exists
	if previousVersion != nil {
		// Get long-term key to decrypt/encrypt metadata
		ltIdentity, err := v.GetOrDeriveLongTermKey()
		if err != nil {
			secret.Debug("Failed to get long-term key for metadata update", "error", err)
			return fmt.Errorf("failed to get long-term key: %w", err)
		}

		// Load previous version metadata
		if err := previousVersion.LoadMetadata(ltIdentity); err != nil {
			secret.Debug("Failed to load previous version metadata", "error", err)
			return fmt.Errorf("failed to load previous version metadata: %w", err)
		}

		// Update notAfter timestamp
		previousVersion.Metadata.NotAfter = &now

		// Re-save the metadata (we need to implement an update method)
		if err := updateVersionMetadata(v.fs, previousVersion, ltIdentity); err != nil {
			secret.Debug("Failed to update previous version metadata", "error", err)
			return fmt.Errorf("failed to update previous version metadata: %w", err)
		}
	}

	// Set current symlink to new version
	if err := secret.SetCurrentVersion(v.fs, secretDir, versionName); err != nil {
		secret.Debug("Failed to set current version", "error", err, "version", versionName)
		return fmt.Errorf("failed to set current version: %w", err)
	}

	secret.Debug("Successfully added secret version to vault", "secret_name", name, "version", versionName, "vault_name", v.Name)
	return nil
}

// updateVersionMetadata updates the metadata of an existing version
func updateVersionMetadata(fs afero.Fs, version *secret.SecretVersion, ltIdentity *age.X25519Identity) error {
	// Read the version's encrypted private key
	encryptedPrivKeyPath := filepath.Join(version.Directory, "priv.age")
	encryptedPrivKey, err := afero.ReadFile(fs, encryptedPrivKeyPath)
	if err != nil {
		return fmt.Errorf("failed to read encrypted version private key: %w", err)
	}

	// Decrypt version private key using long-term key
	versionPrivKeyData, err := secret.DecryptWithIdentity(encryptedPrivKey, ltIdentity)
	if err != nil {
		return fmt.Errorf("failed to decrypt version private key: %w", err)
	}

	// Parse version private key
	versionIdentity, err := age.ParseX25519Identity(string(versionPrivKeyData))
	if err != nil {
		return fmt.Errorf("failed to parse version private key: %w", err)
	}

	// Marshal updated metadata
	metadataBytes, err := json.MarshalIndent(version.Metadata, "", "  ")
	if err != nil {
		return fmt.Errorf("failed to marshal version metadata: %w", err)
	}

	// Encrypt metadata to the version's public key
	encryptedMetadata, err := secret.EncryptToRecipient(metadataBytes, versionIdentity.Recipient())
	if err != nil {
		return fmt.Errorf("failed to encrypt version metadata: %w", err)
	}

	// Write encrypted metadata
	metadataPath := filepath.Join(version.Directory, "metadata.age")
	if err := afero.WriteFile(fs, metadataPath, encryptedMetadata, secret.FilePerms); err != nil {
		return fmt.Errorf("failed to write encrypted version metadata: %w", err)
	}

	return nil
}

// GetSecret retrieves a secret from this vault
func (v *Vault) GetSecret(name string) ([]byte, error) {
	secret.DebugWith("Getting secret from vault",
		slog.String("vault_name", v.Name),
		slog.String("secret_name", name),
	)

	return v.GetSecretVersion(name, "")
}

// GetSecretVersion retrieves a specific version of a secret (empty version means current)
func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
	secret.DebugWith("Getting secret version from vault",
		slog.String("vault_name", v.Name),
		slog.String("secret_name", name),
		slog.String("version", version),
	)

	// Get vault directory
	vaultDir, err := v.GetDirectory()
	if err != nil {
		secret.Debug("Failed to get vault directory", "error", err, "vault_name", v.Name)
		return nil, err
	}

	// Convert slashes to percent signs for storage
	storageName := strings.ReplaceAll(name, "/", "%")
	secretDir := filepath.Join(vaultDir, "secrets.d", storageName)

	// Check if secret exists
	exists, err := afero.DirExists(v.fs, secretDir)
	if err != nil {
		secret.Debug("Failed to check if secret exists", "error", err, "secret_name", name)
		return nil, fmt.Errorf("failed to check if secret exists: %w", err)
	}
	if !exists {
		secret.Debug("Secret not found in vault", "secret_name", name, "vault_name", v.Name)
		return nil, fmt.Errorf("secret %s not found", name)
	}

	// Determine which version to get
	if version == "" {
		// Get current version
		currentVersion, err := secret.GetCurrentVersion(v.fs, secretDir)
		if err != nil {
			secret.Debug("Failed to get current version", "error", err, "secret_name", name)
			return nil, fmt.Errorf("failed to get current version: %w", err)
		}
		version = currentVersion
		secret.Debug("Using current version", "version", version, "secret_name", name)
	}

	// Create version object
	secretVersion := secret.NewSecretVersion(v, name, version)

	// Check if version exists
	versionPath := filepath.Join(secretDir, "versions", version)
	exists, err = afero.DirExists(v.fs, versionPath)
	if err != nil {
		secret.Debug("Failed to check if version exists", "error", err, "version", version)
		return nil, fmt.Errorf("failed to check if version exists: %w", err)
	}
	if !exists {
		secret.Debug("Version not found", "version", version, "secret_name", name)
		return nil, fmt.Errorf("version %s not found for secret %s", version, name)
	}

	secret.Debug("Version exists, proceeding with vault unlock and decryption", "version", version, "secret_name", name)

	// Unlock the vault (get long-term key in memory)
	longTermIdentity, err := v.UnlockVault()
	if err != nil {
		secret.Debug("Failed to unlock vault", "error", err, "vault_name", v.Name)
		return nil, fmt.Errorf("failed to unlock vault: %w", err)
	}

	secret.DebugWith("Successfully unlocked vault",
		slog.String("vault_name", v.Name),
		slog.String("secret_name", name),
		slog.String("version", version),
		slog.String("long_term_public_key", longTermIdentity.Recipient().String()),
	)

	// Get the version's value
	decryptedValue, err := secretVersion.GetValue(longTermIdentity)
	if err != nil {
		secret.Debug("Failed to decrypt version value", "error", err, "version", version, "secret_name", name)
		return nil, fmt.Errorf("failed to decrypt version: %w", err)
	}

	secret.DebugWith("Successfully decrypted secret version",
		slog.String("secret_name", name),
		slog.String("version", version),
		slog.String("vault_name", v.Name),
		slog.Int("decrypted_length", len(decryptedValue)),
	)

	return decryptedValue, nil
}

// UnlockVault unlocks the vault and returns the long-term private key
func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
	secret.Debug("Unlocking vault", "vault_name", v.Name)

	// If vault is already unlocked, return the cached key
	if !v.Locked() {
		secret.Debug("Vault already unlocked, returning cached long-term key", "vault_name", v.Name)
		return v.longTermKey, nil
	}

	// Get or derive the long-term key (but don't store it yet)
	longTermIdentity, err := v.GetOrDeriveLongTermKey()
	if err != nil {
		secret.Debug("Failed to get or derive long-term key", "error", err, "vault_name", v.Name)
		return nil, fmt.Errorf("failed to get long-term key: %w", err)
	}

	// Now unlock the vault by storing the key in memory
	v.Unlock(longTermIdentity)

	secret.DebugWith("Successfully unlocked vault",
		slog.String("vault_name", v.Name),
		slog.String("public_key", longTermIdentity.Recipient().String()),
	)

	return longTermIdentity, nil
}

// GetSecretObject retrieves a Secret object with metadata loaded from this vault
func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
	// First check if the secret exists by checking for the metadata file
	vaultDir, err := v.GetDirectory()
	if err != nil {
		return nil, err
	}

	// Convert slashes to percent signs for storage
	storageName := strings.ReplaceAll(name, "/", "%")
	secretDir := filepath.Join(vaultDir, "secrets.d", storageName)

	// Check if secret directory exists
	exists, err := afero.DirExists(v.fs, secretDir)
	if err != nil {
		return nil, fmt.Errorf("failed to check if secret exists: %w", err)
	}
	if !exists {
		return nil, fmt.Errorf("secret %s not found", name)
	}

	// Create a Secret object
	secretObj := secret.NewSecret(v, name)

	// Load the metadata from disk
	if err := secretObj.LoadMetadata(); err != nil {
		return nil, err
	}

	return secretObj, nil
}