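package secret

import (
	"context"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/sethvargo/go-password/password"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/types"
	"sigs.k8s.io/controller-runtime/pkg/client"

	zitadelv1alpha1 "gitea.corredorconect.com/software-engineering/zitadel-k8s-operator/api/v1alpha1"
	builder "gitea.corredorconect.com/software-engineering/zitadel-k8s-operator/pkg/builder"
)

// Parameters of the generated credentials. They were previously inlined at the
// call sites; naming them keeps the strength of what is minted reviewable in one place.
const (
	// Generated passwords: 32 characters, of which 4 digits and 2 symbols,
	// lowercase only (no uppercase), no repeated characters.
	passwordLength  = 32
	passwordDigits  = 4
	passwordSymbols = 2
	passwordUpper   = false
	passwordRepeat  = false

	// RSA modulus size for generated private keys.
	rsaKeyBits = 2048
)

// SecretReconciler creates the Kubernetes Secrets that hold credentials a
// Zitadel Cluster needs, generating a fresh value only when the Secret does
// not exist yet. Reads and writes go through the embedded controller-runtime
// client; Secret objects are assembled by Builder.
type SecretReconciler struct {
	client.Client
	Builder *builder.Builder
}

// NewSecretReconciler returns a SecretReconciler that reads and writes
// Secrets with client and builds them with builder.
func NewSecretReconciler(client client.Client, builder *builder.Builder) *SecretReconciler {
	return &SecretReconciler{
		Client:  client,
		Builder: builder,
	}
}

// ReconcileRandomPassword returns the password stored under secretKey in the
// Secret named by key, creating that Secret with a newly generated random
// password when it does not exist yet.
//
// An error is returned when the Secret cannot be read for a reason other than
// "not found" (the existing value is then unknown and nothing is created),
// when an existing Secret has no value under secretKey, or when generating,
// building or creating the Secret fails.
func (r *SecretReconciler) ReconcileRandomPassword(ctx context.Context, key types.NamespacedName, secretKey string, zitadel *zitadelv1alpha1.Cluster) (string, error) {
	return r.reconcileGeneratedSecret(ctx, key, secretKey, zitadel, "replication password", func() ([]byte, error) {
		// Local is named pw rather than password to avoid shadowing the
		// imported package.
		pw, err := password.Generate(passwordLength, passwordDigits, passwordSymbols, passwordUpper, passwordRepeat)
		if err != nil {
			return nil, fmt.Errorf("error generating replication password: %w", err)
		}
		return []byte(pw), nil
	})
}

// ReconcileRandomPrivateRSA returns the PEM-encoded RSA private key stored
// under secretKey in the Secret named by key, creating that Secret with a
// newly generated key when it does not exist yet.
//
// The key is encoded as a PKCS#1 "RSA PRIVATE KEY" PEM block. Errors are
// reported as for ReconcileRandomPassword.
func (r *SecretReconciler) ReconcileRandomPrivateRSA(ctx context.Context, key types.NamespacedName, secretKey string, zitadel *zitadelv1alpha1.Cluster) (string, error) {
	return r.reconcileGeneratedSecret(ctx, key, secretKey, zitadel, "replication private key", func() ([]byte, error) {
		privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeyBits)
		if err != nil {
			return nil, fmt.Errorf("error generating replication private key: %w", err)
		}
		return pem.EncodeToMemory(&pem.Block{
			Type:  "RSA PRIVATE KEY",
			Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
		}), nil
	})
}

// reconcileGeneratedSecret is the shared get-or-create logic behind the
// public Reconcile* methods. It returns the value under secretKey of the
// Secret named by key; when that Secret does not exist it calls generate for
// a fresh value, wraps it in a Secret built by r.Builder and creates it.
//
// what names the credential in error messages (e.g. "replication password").
func (r *SecretReconciler) reconcileGeneratedSecret(ctx context.Context, key types.NamespacedName, secretKey string, zitadel *zitadelv1alpha1.Cluster, what string, generate func() ([]byte, error)) (string, error) {
	var existing corev1.Secret
	err := r.Get(ctx, key, &existing)
	if err == nil {
		value := existing.Data[secretKey]
		// A Secret that exists but carries no value under secretKey must not be
		// reported as an empty credential; callers would otherwise proceed with "".
		if len(value) == 0 {
			return "", fmt.Errorf("%s Secret %s has no value for key %q", what, key, secretKey)
		}
		return string(value), nil
	}
	// Only a missing Secret may be replaced by a freshly generated one. Any other
	// Get failure (API unavailable, forbidden, ...) leaves the existing value
	// unknown; minting a new one and attempting a Create would either fail or
	// silently desynchronise callers from the credential actually in use.
	if err := client.IgnoreNotFound(err); err != nil {
		return "", fmt.Errorf("error reading %s Secret %s: %w", what, key, err)
	}

	value, err := generate()
	if err != nil {
		return "", err
	}

	opts := builder.SecretOpts{
		Zitadel: zitadel,
		Key:     key,
		// Immutable is forwarded to the builder; presumably it marks the Secret
		// immutable so the generated credential cannot be edited in place —
		// confirm in pkg/builder.
		Immutable: true,
		Data: map[string][]byte{
			secretKey: value,
		},
	}
	secret, err := r.Builder.BuildSecret(opts, zitadel)
	if err != nil {
		return "", fmt.Errorf("error building %s Secret: %w", what, err)
	}
	// Get-then-Create is not atomic: if a concurrent reconcile created the Secret
	// in between, this Create fails and the error is returned; the next
	// reconcile then reads the value that actually won.
	if err := r.Create(ctx, secret); err != nil {
		return "", fmt.Errorf("error creating %s Secret: %w", what, err)
	}
	return string(value), nil
}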