package handlers

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"log/slog"
	"net/http"
	"strconv"

	"github.com/gin-gonic/gin"
	qrcode "github.com/skip2/go-qrcode"

	"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
	"git.netcell-it.de/projekte/edgeguard-native/internal/models"
	"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
	"git.netcell-it.de/projekte/edgeguard-native/internal/services/secrets"
	"git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
)

// WireguardHandler exposes /api/v1/wireguard/* — interfaces, peers,
// per-peer config download (wg-quick text + QR PNG) and a one-shot
// keypair generator. Mutations trigger Reloader so the kernel state
// stays in sync.
type WireguardHandler struct {
	Ifaces   *wireguard.InterfacesRepo
	Peers    *wireguard.PeersRepo
	Box      *secrets.Box
	Audit    *audit.Repo
	NodeID   string
	Reloader func(ctx context.Context) error
}

func NewWireguardHandler(
	ifaces *wireguard.InterfacesRepo,
	peers *wireguard.PeersRepo,
	box *secrets.Box,
	a *audit.Repo,
	nodeID string,
	reloader func(context.Context) error,
) *WireguardHandler {
	return &WireguardHandler{Ifaces: ifaces, Peers: peers, Box: box, Audit: a, NodeID: nodeID, Reloader: reloader}
}

func (h *WireguardHandler) reload(ctx context.Context, op string) {
	if h.Reloader == nil {
		return
	}
	if err := h.Reloader(ctx); err != nil {
		slog.Warn("wireguard: render after mutation failed", "op", op, "error", err)
	}
}

func (h *WireguardHandler) Register(rg *gin.RouterGroup) {
	g := rg.Group("/wireguard")

	// Standalone keygen — no DB write. Frontend uses this to fill
	// the form when the operator wants a fresh keypair without
	// committing.
	g.POST("/generate-keypair", h.GenerateKeypair)

	g.GET("/interfaces", h.ListIfaces)
	g.POST("/interfaces", h.CreateIface)
	g.GET("/interfaces/:id", h.GetIface)
	g.PUT("/interfaces/:id", h.UpdateIface)
	g.DELETE("/interfaces/:id", h.DeleteIface)

	g.GET("/interfaces/:id/peers", h.ListPeers)
	g.POST("/interfaces/:id/peers", h.CreatePeer)
	g.GET("/peers/:pid", h.GetPeer)
	g.PUT("/peers/:pid", h.UpdatePeer)
	g.DELETE("/peers/:pid", h.DeletePeer)

	// Per-peer config download — wg-quick text and QR PNG. The QR
	// embeds the same text so mobile apps can import directly.
	g.GET("/peers/:pid/config", h.PeerConfig)
	g.GET("/peers/:pid/qr", h.PeerQR)
}

// ── Keygen ────────────────────────────────────────────────────────

func (h *WireguardHandler) GenerateKeypair(c *gin.Context) {
	kp, err := wireguard.GenerateKeypair()
	if err != nil {
		response.Internal(c, err)
		return
	}
	response.OK(c, gin.H{
		"private_key": kp.Private,
		"public_key":  kp.Public,
	})
}

// ── Interfaces ────────────────────────────────────────────────────

// ifaceCreateReq splits the wire shape from the model so we can
// accept a private key by value (operator paste) or auto-generate
// (operator ticked "generate keypair") without leaking the
// encrypted-bytes field into the JSON contract.
type ifaceCreateReq struct {
	Name                string  `json:"name"`
	Mode                string  `json:"mode"`
	AddressCIDR         string  `json:"address_cidr"`
	ListenPort          *int    `json:"listen_port,omitempty"`
	PeerEndpoint        *string `json:"peer_endpoint,omitempty"`
	PeerPublicKey       *string `json:"peer_public_key,omitempty"`
	PeerPSK             *string `json:"peer_psk,omitempty"`
	AllowedIPs          *string `json:"allowed_ips,omitempty"`
	PersistentKeepalive *int    `json:"persistent_keepalive,omitempty"`
	MTU                 *int    `json:"mtu,omitempty"`
	Role                string  `json:"role"`
	Active              bool    `json:"active"`
	Description         *string `json:"description,omitempty"`

	// Either GenerateKeypair=true (server picks one) or PrivateKey
	// is filled in by the operator. PublicKey is always derived.
	GenerateKeypair bool   `json:"generate_keypair,omitempty"`
	PrivateKey      string `json:"private_key,omitempty"`
}

func (h *WireguardHandler) CreateIface(c *gin.Context) {
	var req ifaceCreateReq
	if err := c.ShouldBindJSON(&req); err != nil {
		response.BadRequest(c, err)
		return
	}
	priv := req.PrivateKey
	if req.GenerateKeypair || priv == "" {
		kp, err := wireguard.GenerateKeypair()
		if err != nil {
			response.Internal(c, err)
			return
		}
		priv = kp.Private
	}
	pub, err := wireguard.PublicFromPrivate(priv)
	if err != nil {
		response.BadRequest(c, fmt.Errorf("private_key: %w", err))
		return
	}
	encPriv, err := h.Box.Seal([]byte(priv))
	if err != nil {
		response.Internal(c, err)
		return
	}
	var encPSK []byte
	if req.PeerPSK != nil && *req.PeerPSK != "" {
		encPSK, err = h.Box.Seal([]byte(*req.PeerPSK))
		if err != nil {
			response.Internal(c, err)
			return
		}
	}
	ifc := models.WireguardInterface{
		Name: req.Name, Mode: req.Mode, AddressCIDR: req.AddressCIDR,
		ListenPort: req.ListenPort, PublicKey: pub, PrivateKeyEnc: encPriv,
		PeerEndpoint: req.PeerEndpoint, PeerPublicKey: req.PeerPublicKey,
		PeerPSKEnc: encPSK, AllowedIPs: req.AllowedIPs,
		PersistentKeepalive: req.PersistentKeepalive, MTU: req.MTU,
		Role: req.Role, Active: req.Active, Description: req.Description,
	}
	if ifc.Role == "" {
		ifc.Role = "wan"
	}
	out, err := h.Ifaces.Create(c.Request.Context(), ifc)
	if err != nil {
		response.Internal(c, err)
		return
	}
	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.iface.create", out.Name, out, h.NodeID)
	response.Created(c, out)
	h.reload(c.Request.Context(), "iface.create")
}

// ifaceUpdateReq mirrors ifaceCreateReq but PrivateKey is optional
// — an empty PrivateKey + GenerateKeypair=false leaves the existing
// key untouched. This lets the operator edit metadata (description,
// allowed_ips, etc.) without re-rolling the tunnel keypair.
type ifaceUpdateReq struct {
	ifaceCreateReq
}

func (h *WireguardHandler) UpdateIface(c *gin.Context) {
	id, ok := parseID(c)
	if !ok {
		return
	}
	var req ifaceUpdateReq
	if err := c.ShouldBindJSON(&req); err != nil {
		response.BadRequest(c, err)
		return
	}
	cur, err := h.Ifaces.Get(c.Request.Context(), id)
	if err != nil {
		if errors.Is(err, wireguard.ErrIfaceNotFound) {
			response.NotFound(c, err)
			return
		}
		response.Internal(c, err)
		return
	}

	encPriv := cur.PrivateKeyEnc
	pub := cur.PublicKey
	if req.GenerateKeypair {
		kp, err := wireguard.GenerateKeypair()
		if err != nil {
			response.Internal(c, err)
			return
		}
		encPriv, err = h.Box.Seal([]byte(kp.Private))
		if err != nil {
			response.Internal(c, err)
			return
		}
		pub = kp.Public
	} else if req.PrivateKey != "" {
		p, err := wireguard.PublicFromPrivate(req.PrivateKey)
		if err != nil {
			response.BadRequest(c, fmt.Errorf("private_key: %w", err))
			return
		}
		encPriv, err = h.Box.Seal([]byte(req.PrivateKey))
		if err != nil {
			response.Internal(c, err)
			return
		}
		pub = p
	}
	encPSK := cur.PeerPSKEnc
	if req.PeerPSK != nil {
		if *req.PeerPSK == "" {
			encPSK = nil
		} else {
			encPSK, err = h.Box.Seal([]byte(*req.PeerPSK))
			if err != nil {
				response.Internal(c, err)
				return
			}
		}
	}

	ifc := models.WireguardInterface{
		Name: req.Name, Mode: req.Mode, AddressCIDR: req.AddressCIDR,
		ListenPort: req.ListenPort, PublicKey: pub, PrivateKeyEnc: encPriv,
		PeerEndpoint: req.PeerEndpoint, PeerPublicKey: req.PeerPublicKey,
		PeerPSKEnc: encPSK, AllowedIPs: req.AllowedIPs,
		PersistentKeepalive: req.PersistentKeepalive, MTU: req.MTU,
		Role: req.Role, Active: req.Active, Description: req.Description,
	}
	if ifc.Role == "" {
		ifc.Role = cur.Role
	}
	out, err := h.Ifaces.Update(c.Request.Context(), id, ifc)
	if err != nil {
		response.Internal(c, err)
		return
	}
	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.iface.update", out.Name, out, h.NodeID)
	response.OK(c, out)
	h.reload(c.Request.Context(), "iface.update")
}

func (h *WireguardHandler) ListIfaces(c *gin.Context) {
	out, err := h.Ifaces.List(c.Request.Context())
	if err != nil {
		response.Internal(c, err)
		return
	}
	response.OK(c, gin.H{"interfaces": out})
}

func (h *WireguardHandler) GetIface(c *gin.Context) {
	id, ok := parseID(c)
	if !ok {
		return
	}
	x, err := h.Ifaces.Get(c.Request.Context(), id)
	if err != nil {
		if errors.Is(err, wireguard.ErrIfaceNotFound) {
			response.NotFound(c, err)
			return
		}
		response.Internal(c, err)
		return
	}
	response.OK(c, x)
}

func (h *WireguardHandler) DeleteIface(c *gin.Context) {
	id, ok := parseID(c)
	if !ok {
		return
	}
	if err := h.Ifaces.Delete(c.Request.Context(), id); err != nil {
		if errors.Is(err, wireguard.ErrIfaceNotFound) {
			response.NotFound(c, err)
			return
		}
		response.Internal(c, err)
		return
	}
	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.iface.delete", strconv.FormatInt(id, 10), gin.H{"id": id}, h.NodeID)
	response.NoContent(c)
	h.reload(c.Request.Context(), "iface.delete")
}

// ── Peers ─────────────────────────────────────────────────────────

func (h *WireguardHandler) ListPeers(c *gin.Context) {
	id, ok := parseID(c)
	if !ok {
		return
	}
	out, err := h.Peers.ListForInterface(c.Request.Context(), id)
	if err != nil {
		response.Internal(c, err)
		return
	}
	response.OK(c, gin.H{"peers": out})
}

type peerReq struct {
	Name        string  `json:"name"`
	PublicKey   string  `json:"public_key,omitempty"`
	PrivateKey  string  `json:"private_key,omitempty"`
	PSK         *string `json:"psk,omitempty"`
	AllowedIPs  string  `json:"allowed_ips"`
	Keepalive   *int    `json:"keepalive,omitempty"`
	Enabled     bool    `json:"enabled"`
	Description *string `json:"description,omitempty"`

	GenerateKeypair bool `json:"generate_keypair,omitempty"`
	GeneratePSK     bool `json:"generate_psk,omitempty"`
}

func (h *WireguardHandler) CreatePeer(c *gin.Context) {
	ifaceID, ok := parseID(c)
	if !ok {
		return
	}
	var req peerReq
	if err := c.ShouldBindJSON(&req); err != nil {
		response.BadRequest(c, err)
		return
	}
	pub := req.PublicKey
	var encPriv []byte
	if req.GenerateKeypair || (req.PublicKey == "" && req.PrivateKey == "") {
		kp, err := wireguard.GenerateKeypair()
		if err != nil {
			response.Internal(c, err)
			return
		}
		pub = kp.Public
		encPriv, err = h.Box.Seal([]byte(kp.Private))
		if err != nil {
			response.Internal(c, err)
			return
		}
	} else if req.PrivateKey != "" {
		p, err := wireguard.PublicFromPrivate(req.PrivateKey)
		if err != nil {
			response.BadRequest(c, fmt.Errorf("private_key: %w", err))
			return
		}
		pub = p
		encPriv, err = h.Box.Seal([]byte(req.PrivateKey))
		if err != nil {
			response.Internal(c, err)
			return
		}
	}
	var encPSK []byte
	switch {
	case req.GeneratePSK:
		psk, err := wireguard.GeneratePresharedKey()
		if err != nil {
			response.Internal(c, err)
			return
		}
		encPSK, err = h.Box.Seal([]byte(psk))
		if err != nil {
			response.Internal(c, err)
			return
		}
	case req.PSK != nil && *req.PSK != "":
		var err error
		encPSK, err = h.Box.Seal([]byte(*req.PSK))
		if err != nil {
			response.Internal(c, err)
			return
		}
	}

	p := models.WireguardPeer{
		InterfaceID:   ifaceID,
		Name:          req.Name,
		PublicKey:     pub,
		PrivateKeyEnc: encPriv,
		PSKEnc:        encPSK,
		AllowedIPs:    req.AllowedIPs,
		Keepalive:     req.Keepalive,
		Enabled:       req.Enabled,
		Description:   req.Description,
	}
	out, err := h.Peers.Create(c.Request.Context(), p)
	if err != nil {
		response.Internal(c, err)
		return
	}
	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.peer.create", out.Name, out, h.NodeID)
	response.Created(c, out)
	h.reload(c.Request.Context(), "peer.create")
}

func (h *WireguardHandler) UpdatePeer(c *gin.Context) {
	id := parsePeerID(c)
	if id == 0 {
		return
	}
	var req peerReq
	if err := c.ShouldBindJSON(&req); err != nil {
		response.BadRequest(c, err)
		return
	}
	cur, err := h.Peers.Get(c.Request.Context(), id)
	if err != nil {
		if errors.Is(err, wireguard.ErrPeerNotFound) {
			response.NotFound(c, err)
			return
		}
		response.Internal(c, err)
		return
	}
	pub := cur.PublicKey
	encPriv := cur.PrivateKeyEnc
	if req.GenerateKeypair {
		kp, err := wireguard.GenerateKeypair()
		if err != nil {
			response.Internal(c, err)
			return
		}
		pub = kp.Public
		encPriv, err = h.Box.Seal([]byte(kp.Private))
		if err != nil {
			response.Internal(c, err)
			return
		}
	} else if req.PrivateKey != "" {
		p, err := wireguard.PublicFromPrivate(req.PrivateKey)
		if err != nil {
			response.BadRequest(c, fmt.Errorf("private_key: %w", err))
			return
		}
		pub = p
		encPriv, err = h.Box.Seal([]byte(req.PrivateKey))
		if err != nil {
			response.Internal(c, err)
			return
		}
	} else if req.PublicKey != "" {
		pub = req.PublicKey
		encPriv = nil
	}
	encPSK := cur.PSKEnc
	if req.GeneratePSK {
		psk, err := wireguard.GeneratePresharedKey()
		if err != nil {
			response.Internal(c, err)
			return
		}
		encPSK, err = h.Box.Seal([]byte(psk))
		if err != nil {
			response.Internal(c, err)
			return
		}
	} else if req.PSK != nil {
		if *req.PSK == "" {
			encPSK = nil
		} else {
			var err error
			encPSK, err = h.Box.Seal([]byte(*req.PSK))
			if err != nil {
				response.Internal(c, err)
				return
			}
		}
	}
	p := models.WireguardPeer{
		Name: req.Name, PublicKey: pub, PrivateKeyEnc: encPriv, PSKEnc: encPSK,
		AllowedIPs: req.AllowedIPs, Keepalive: req.Keepalive,
		Enabled: req.Enabled, Description: req.Description,
	}
	out, err := h.Peers.Update(c.Request.Context(), id, p)
	if err != nil {
		response.Internal(c, err)
		return
	}
	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.peer.update", out.Name, out, h.NodeID)
	response.OK(c, out)
	h.reload(c.Request.Context(), "peer.update")
}

func (h *WireguardHandler) GetPeer(c *gin.Context) {
	id := parsePeerID(c)
	if id == 0 {
		return
	}
	x, err := h.Peers.Get(c.Request.Context(), id)
	if err != nil {
		if errors.Is(err, wireguard.ErrPeerNotFound) {
			response.NotFound(c, err)
			return
		}
		response.Internal(c, err)
		return
	}
	response.OK(c, x)
}

func (h *WireguardHandler) DeletePeer(c *gin.Context) {
	id := parsePeerID(c)
	if id == 0 {
		return
	}
	if err := h.Peers.Delete(c.Request.Context(), id); err != nil {
		if errors.Is(err, wireguard.ErrPeerNotFound) {
			response.NotFound(c, err)
			return
		}
		response.Internal(c, err)
		return
	}
	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.peer.delete", strconv.FormatInt(id, 10), gin.H{"id": id}, h.NodeID)
	response.NoContent(c)
	h.reload(c.Request.Context(), "peer.delete")
}

// ── Per-peer config download ──────────────────────────────────────

// peerConfigText assembles a wg-quick-style client config from a
// peer row + its parent interface. Requires the peer to have a
// stored private key (generated server-side); manual-pubkey rows
// can't have a config because we never knew their private half.
func (h *WireguardHandler) peerConfigText(ctx context.Context, peerID int64) (string, error) {
	p, err := h.Peers.Get(ctx, peerID)
	if err != nil {
		return "", err
	}
	if len(p.PrivateKeyEnc) == 0 {
		return "", errors.New("no private key stored for this peer — config download only works for peers whose keypair was generated by edgeguard")
	}
	priv, err := h.Box.Open(p.PrivateKeyEnc)
	if err != nil {
		return "", fmt.Errorf("decrypt: %w", err)
	}
	ifc, err := h.Ifaces.Get(ctx, p.InterfaceID)
	if err != nil {
		return "", err
	}
	if ifc.Mode != "server" {
		return "", errors.New("config download only available for server-mode interfaces")
	}
	var b bytes.Buffer
	b.WriteString("[Interface]\n")
	fmt.Fprintf(&b, "PrivateKey = %s\n", string(priv))
	fmt.Fprintf(&b, "Address = %s\n", p.AllowedIPs)
	if p.Keepalive == nil || *p.Keepalive == 0 {
		// PersistentKeepalive defaults to 25s for client side so
		// NAT traversal stays alive.
		b.WriteString("\n")
	}
	b.WriteString("\n[Peer]\n")
	fmt.Fprintf(&b, "PublicKey = %s\n", ifc.PublicKey)
	if len(p.PSKEnc) > 0 {
		psk, err := h.Box.Open(p.PSKEnc)
		if err != nil {
			return "", fmt.Errorf("decrypt psk: %w", err)
		}
		fmt.Fprintf(&b, "PresharedKey = %s\n", string(psk))
	}
	// AllowedIPs on the client side is "everything that should go
	// through the tunnel". For a server hosting an internal LAN
	// this is typically 10.x/8 or the server's address range. We
	// default to the iface address (so the client can at least
	// reach the gateway) — operator can edit downloaded conf.
	fmt.Fprintf(&b, "AllowedIPs = %s\n", ifc.AddressCIDR)
	// Endpoint — the operator's public host:port that peers dial.
	// We don't know this here (could be a CNAME or behind a load
	// balancer); leave a placeholder the operator must fill in.
	if ifc.ListenPort != nil {
		fmt.Fprintf(&b, "Endpoint = REPLACE_WITH_PUBLIC_HOST:%d\n", *ifc.ListenPort)
	}
	if p.Keepalive != nil && *p.Keepalive > 0 {
		fmt.Fprintf(&b, "PersistentKeepalive = %d\n", *p.Keepalive)
	} else {
		b.WriteString("PersistentKeepalive = 25\n")
	}
	return b.String(), nil
}

func (h *WireguardHandler) PeerConfig(c *gin.Context) {
	id := parsePeerID(c)
	if id == 0 {
		return
	}
	conf, err := h.peerConfigText(c.Request.Context(), id)
	if err != nil {
		response.BadRequest(c, err)
		return
	}
	c.Header("Content-Disposition", `attachment; filename="peer-`+strconv.FormatInt(id, 10)+`.conf"`)
	c.Data(http.StatusOK, "text/plain; charset=utf-8", []byte(conf))
}

func (h *WireguardHandler) PeerQR(c *gin.Context) {
	id := parsePeerID(c)
	if id == 0 {
		return
	}
	conf, err := h.peerConfigText(c.Request.Context(), id)
	if err != nil {
		response.BadRequest(c, err)
		return
	}
	png, err := qrcode.Encode(conf, qrcode.Medium, 512)
	if err != nil {
		response.Internal(c, err)
		return
	}
	c.Data(http.StatusOK, "image/png", png)
}

// parsePeerID parses the :pid path param. Returns 0 on parse error
// after writing a 400 response.
func parsePeerID(c *gin.Context) int64 {
	id, err := strconv.ParseInt(c.Param("pid"), 10, 64)
	if err != nil {
		response.BadRequest(c, errors.New("invalid peer id"))
		return 0
	}
	return id
}