package cli

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"syscall"

	"git.eeqj.de/sneak/secret/internal/secret"
	"git.eeqj.de/sneak/secret/pkg/agehd"
	"github.com/spf13/afero"
	"github.com/spf13/cobra"
	"github.com/tyler-smith/go-bip39"
	"golang.org/x/term"
)

func newVaultCmd() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "vault",
		Short: "Manage vaults",
		Long:  `Create, list, and select vaults for organizing secrets.`,
	}

	cmd.AddCommand(newVaultListCmd())
	cmd.AddCommand(newVaultCreateCmd())
	cmd.AddCommand(newVaultSelectCmd())
	cmd.AddCommand(newVaultImportCmd())

	return cmd
}

func newVaultListCmd() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "list",
		Short: "List available vaults",
		RunE: func(cmd *cobra.Command, args []string) error {
			jsonOutput, _ := cmd.Flags().GetBool("json")

			cli := NewCLIInstance()
			return cli.VaultList(jsonOutput)
		},
	}

	cmd.Flags().Bool("json", false, "Output in JSON format")
	return cmd
}

func newVaultCreateCmd() *cobra.Command {
	return &cobra.Command{
		Use:   "create <name>",
		Short: "Create a new vault",
		Args:  cobra.ExactArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {
			cli := NewCLIInstance()
			return cli.VaultCreate(args[0])
		},
	}
}

func newVaultSelectCmd() *cobra.Command {
	return &cobra.Command{
		Use:   "select <name>",
		Short: "Select a vault as current",
		Args:  cobra.ExactArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {
			cli := NewCLIInstance()
			return cli.VaultSelect(args[0])
		},
	}
}

func newVaultImportCmd() *cobra.Command {
	return &cobra.Command{
		Use:   "import <vault-name>",
		Short: "Import a mnemonic into a vault",
		Long:  `Import a BIP39 mnemonic phrase into the specified vault (default if not specified).`,
		Args:  cobra.MaximumNArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {
			vaultName := "default"
			if len(args) > 0 {
				vaultName = args[0]
			}

			cli := NewCLIInstance()
			return cli.Import(vaultName)
		},
	}
}

// VaultList lists available vaults
func (cli *CLIInstance) VaultList(jsonOutput bool) error {
	vaults, err := secret.ListVaults(cli.fs, cli.stateDir)
	if err != nil {
		return err
	}

	if jsonOutput {
		// JSON output
		output := map[string]interface{}{
			"vaults": vaults,
		}

		jsonBytes, err := json.MarshalIndent(output, "", "  ")
		if err != nil {
			return fmt.Errorf("failed to marshal JSON: %w", err)
		}

		fmt.Println(string(jsonBytes))
	} else {
		// Pretty table output
		if len(vaults) == 0 {
			fmt.Println("No vaults found.")
			fmt.Println("Run 'secret init' to create the default vault.")
			return nil
		}

		// Get current vault for highlighting
		currentVault, err := secret.GetCurrentVault(cli.fs, cli.stateDir)
		if err != nil {
			fmt.Printf("%-20s %s\n", "VAULT", "STATUS")
			fmt.Printf("%-20s %s\n", "-----", "------")

			for _, vault := range vaults {
				fmt.Printf("%-20s %s\n", vault, "")
			}
		} else {
			fmt.Printf("%-20s %s\n", "VAULT", "STATUS")
			fmt.Printf("%-20s %s\n", "-----", "------")

			for _, vault := range vaults {
				status := ""
				if vault == currentVault.Name {
					status = "(current)"
				}
				fmt.Printf("%-20s %s\n", vault, status)
			}
		}

		fmt.Printf("\nTotal: %d vault(s)\n", len(vaults))
	}

	return nil
}

// VaultCreate creates a new vault
func (cli *CLIInstance) VaultCreate(name string) error {
	_, err := secret.CreateVault(cli.fs, cli.stateDir, name)
	return err
}

// VaultSelect selects a vault as current
func (cli *CLIInstance) VaultSelect(name string) error {
	return secret.SelectVault(cli.fs, cli.stateDir, name)
}

// Import imports a mnemonic into a vault
func (cli *CLIInstance) Import(vaultName string) error {
	var mnemonicStr string

	// Check if mnemonic is set in environment variable
	if envMnemonic := os.Getenv(secret.EnvMnemonic); envMnemonic != "" {
		mnemonicStr = envMnemonic
	} else {
		// Read mnemonic from stdin using shared line reader
		var err error
		mnemonicStr, err = readLineFromStdin("Enter your BIP39 mnemonic phrase: ")
		if err != nil {
			return fmt.Errorf("failed to read mnemonic: %w", err)
		}
	}

	if mnemonicStr == "" {
		return fmt.Errorf("mnemonic cannot be empty")
	}

	// Validate the mnemonic using BIP39
	if !bip39.IsMnemonicValid(mnemonicStr) {
		return fmt.Errorf("invalid BIP39 mnemonic phrase\nRun 'secret generate mnemonic' to create a valid mnemonic")
	}

	return cli.importMnemonic(vaultName, mnemonicStr)
}

// importMnemonic imports a BIP39 mnemonic into the specified vault
func (cli *CLIInstance) importMnemonic(vaultName, mnemonic string) error {
	// Derive long-term keypair from mnemonic
	ltIdentity, err := agehd.DeriveIdentity(mnemonic, 0)
	if err != nil {
		return fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
	}

	// Check if vault exists
	stateDir := cli.GetStateDir()
	vaultDir := filepath.Join(stateDir, "vaults.d", vaultName)
	exists, err := afero.DirExists(cli.fs, vaultDir)
	if err != nil {
		return fmt.Errorf("failed to check if vault exists: %w", err)
	}
	if !exists {
		return fmt.Errorf("vault %s does not exist", vaultName)
	}

	// Store long-term public key in vault
	ltPubKey := ltIdentity.Recipient().String()
	if err := afero.WriteFile(cli.fs, filepath.Join(vaultDir, "pub.age"), []byte(ltPubKey), 0600); err != nil {
		return fmt.Errorf("failed to write long-term public key: %w", err)
	}

	// Get the vault instance and unlock it
	vault := secret.NewVault(cli.fs, vaultName, cli.stateDir)
	vault.Unlock(ltIdentity)

	fmt.Printf("Successfully imported mnemonic into vault '%s'\n", vaultName)
	fmt.Printf("Long-term public key: %s\n", ltPubKey)

	// Try to create unlock key only if running interactively
	if term.IsTerminal(int(syscall.Stderr)) {
		// Get or create passphrase for unlock key
		var passphraseStr string
		if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
			passphraseStr = envPassphrase
		} else {
			// Use secure passphrase input with confirmation
			passphraseStr, err = readSecurePassphrase("Enter passphrase for unlock key: ")
			if err != nil {
				fmt.Printf("Warning: Failed to create unlock key: %v\n", err)
				fmt.Printf("You can create unlock keys later with 'secret keys add passphrase'\n")
				return nil
			}
		}

		// Create passphrase-protected unlock key (vault is now unlocked)
		passphraseKey, err := vault.CreatePassphraseKey(passphraseStr)
		if err != nil {
			fmt.Printf("Warning: Failed to create unlock key: %v\n", err)
			fmt.Printf("You can create unlock keys later with 'secret keys add passphrase'\n")
			return nil
		}

		fmt.Printf("Unlock key ID: %s\n", passphraseKey.GetMetadata().ID)
	} else {
		fmt.Printf("Running in non-interactive mode - unlock key not created\n")
		fmt.Printf("You can create unlock keys later with 'secret keys add passphrase'\n")
	}

	return nil
}