package models

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"

	"github.com/jmoiron/sqlx"
)

// We use the json:"-" field tag to prevent showing these details to the user
type Secret struct {
	SecretId       int    `db:"SecretId" json:"-"`
	RoleId         int    `db:"RoleId" json:"-"`
	DeviceName     string `db:"DeviceName"`
	DeviceCategory string `db:"DeviceCategory"`
	UserName       string `db:"UserName"`
	Secret         string `db:"Secret"`
}

const nonceSize = 12

func (s *Secret) SaveSecret() (*Secret, error) {

	var err error

	fmt.Printf("SaveSecret storing values '%v'\n", s)
	result, err := db.NamedExec((`INSERT INTO secrets (RoleId, DeviceName, DeviceCategory, UserName, Secret) VALUES (:RoleId, :DeviceName, :DeviceCategory, :UserName, :Secret)`), s)

	if err != nil {
		fmt.Printf("StoreSecret error executing sql record : '%s'\n", err)
		return s, err
	} else {
		affected, _ := result.RowsAffected()
		id, _ := result.LastInsertId()
		fmt.Printf("StoreSecret insert returned result id '%d' affecting %d row(s).\n", id, affected)
	}

	return s, nil
}

// Returns all matching secrets, up to caller to determine how to deal with multiple results
func GetSecrets(s *Secret) ([]Secret, error) {
	var err error
	var rows *sqlx.Rows
	var secretResults []Secret

	fmt.Printf("GetSecret querying values '%v'\n", s)

	// Determine whether to query for a specific device or a category of devices
	// Prefer querying device name than category
	if s.DeviceName != "" && s.DeviceCategory != "" {
		rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.RoleId)
	} else if s.DeviceName != "" {
		rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId)
	} else if s.DeviceCategory != "" {
		rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId)
	} else {
		fmt.Printf("GetSecret no valid search options specified\n")
		err = errors.New("no valid search options specified")
		return secretResults, err
	}

	if err != nil {
		fmt.Printf("GetSecret error executing sql record : '%s'\n", err)
		return secretResults, err
	} else {
		// parse all the results into a slice
		for rows.Next() {
			var r Secret
			err = rows.StructScan(&r)
			if err != nil {
				fmt.Printf("GetSecret error parsing sql record : '%s'\n", err)
				return secretResults, err
			}

			// Decrypt the secret
			_, err = r.DecryptSecret()
			if err != nil {
				fmt.Printf("GetSecret unable to decrypt stored secret '%v', skipping result.\n", r.Secret)
			} else {
				secretResults = append(secretResults, r)
			}

		}
		fmt.Printf("GetSecret retrieved '%d' results\n", len(secretResults))
	}

	return secretResults, nil
}

func (s *Secret) UpdateSecret() (*Secret, error) {

	var err error

	fmt.Printf("UpdateSecret storing values '%v'\n", s)

	if s.SecretId == 0 {
		err = errors.New("UpdateSecret unable to locate secret with empty secretId field")
		fmt.Printf("UpdateSecret error in pre-check : '%s'\n", err)
		return s, err
	}

	result, err := db.NamedExec((`UPDATE secrets SET DeviceName = :DeviceName, DeviceCategory = :DeviceCategory, UserName = :UserName, Secret = :Secret WHERE SecretId = :SecretId`), s)
	if err != nil {
		fmt.Printf("UpdateSecret error executing sql record : '%s'\n", err)
		return &Secret{}, err
	} else {
		affected, _ := result.RowsAffected()
		id, _ := result.LastInsertId()
		fmt.Printf("UpdateSecret insert returned result id '%d' affecting %d row(s).\n", id, affected)
	}

	return s, nil
}

func (s *Secret) EncryptSecret() (*Secret, error) {

	keyString := os.Getenv("SECRETS_KEY")
	// The key argument should be the AES key, either 16 or 32 bytes
	// to select AES-128 or AES-256.
	key := []byte(keyString)
	//key := []byte("ECB518652A170880555136EA1F9752D6")
	plaintext := []byte(s.Secret)

	fmt.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret)

	block, err := aes.NewCipher(key)
	if err != nil {
		fmt.Printf("EncryptSecret NewCipher error '%s'\n", err)
		return s, err
	}

	// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		fmt.Printf("EncryptSecret nonce generation error '%s'\n", err)
		return s, err
	}
	fmt.Printf("EncryptSecret random nonce value is '%x'\n", nonce)

	aesgcm, err := cipher.NewGCM(block)
	if err != nil {
		fmt.Printf("EncryptSecret NewGCM error '%s'\n", err)
		return s, err
	}

	ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
	fmt.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext)

	// Create a new slice to store nonce at the start and then the resulting ciphertext
	// Nonce is always 12 bytes
	combinedText := append(nonce, ciphertext...)
	fmt.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText)

	// Store the value back into the struct ready for database operations
	s.Secret = hex.EncodeToString(combinedText)

	return s, nil

	//return string(ciphertext[:]), nil
}

func (s *Secret) DecryptSecret() (*Secret, error) {

	keyString := os.Getenv("SECRETS_KEY")
	key := []byte(keyString)
	// The key argument should be the AES key, either 16 or 32 bytes
	// to select AES-128 or AES-256.
	//key := []byte("ECB518652A170880555136EA1F9752D6")

	if len(s.Secret) < nonceSize {
		fmt.Printf("DecryptSecret ciphertext is too short to decrypt\n")
		return s, errors.New("ciphertext is too short")
	}

	crypted, err := hex.DecodeString(s.Secret)
	if err != nil {
		fmt.Printf("DecryptSecret unable to convert hex encoded string due to  error '%s'\n", err)
		return s, err
	}

	fmt.Printf("DecryptSecret processing secret '%x'\n", crypted)

	//nonce, _ := hex.DecodeString("64a9433eae7ccceee2fc0eda")
	// The nonce is the first 12 bytes from the ciphertext
	nonce := crypted[:nonceSize]
	ciphertext := crypted[nonceSize:]

	fmt.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)

	block, err := aes.NewCipher(key)
	if err != nil {
		fmt.Printf("DecryptSecret NewCipher error '%s'\n", err)
		return s, err
	}

	aesgcm, err := cipher.NewGCM(block)
	if err != nil {
		fmt.Printf("DecryptSecret NewGCM error '%s'\n", err)
		return s, err
	}

	plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		fmt.Printf("DecryptSecret Open error '%s'\n", err)
		return s, err
	}

	fmt.Printf("DecryptSecret plaintext is '%s'\n", plaintext)

	s.Secret = string(plaintext)
	return s, nil
}