// Copyright The Forgejo Authors.
// SPDX-License-Identifier: MIT

package forgejo

import (
	"context"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strings"

	actions_model "code.gitea.io/gitea/models/actions"
	"code.gitea.io/gitea/modules/private"
	"code.gitea.io/gitea/modules/setting"
	private_routers "code.gitea.io/gitea/routers/private"

	"github.com/urfave/cli/v2"
)

func CmdActions(ctx context.Context) *cli.Command {
	return &cli.Command{
		Name:  "actions",
		Usage: "Commands for managing Forgejo Actions",
		Subcommands: []*cli.Command{
			SubcmdActionsGenerateRunnerToken(ctx),
			SubcmdActionsGenerateRunnerSecret(ctx),
			SubcmdActionsRegister(ctx),
		},
	}
}

func SubcmdActionsGenerateRunnerToken(ctx context.Context) *cli.Command {
	return &cli.Command{
		Name:   "generate-runner-token",
		Usage:  "Generate a new token for a runner to use to register with the server",
		Before: prepareWorkPathAndCustomConf(ctx),
		Action: func(cliCtx *cli.Context) error { return RunGenerateActionsRunnerToken(ctx, cliCtx) },
		Flags: []cli.Flag{
			&cli.StringFlag{
				Name:    "scope",
				Aliases: []string{"s"},
				Value:   "",
				Usage:   "{owner}[/{repo}] - leave empty for a global runner",
			},
		},
	}
}

func SubcmdActionsGenerateRunnerSecret(ctx context.Context) *cli.Command {
	return &cli.Command{
		Name:   "generate-secret",
		Usage:  "Generate a secret suitable for input to the register subcommand",
		Action: func(cliCtx *cli.Context) error { return RunGenerateSecret(ctx, cliCtx) },
	}
}

func SubcmdActionsRegister(ctx context.Context) *cli.Command {
	return &cli.Command{
		Name:   "register",
		Usage:  "Idempotent registration of a runner using a shared secret",
		Before: prepareWorkPathAndCustomConf(ctx),
		Action: func(cliCtx *cli.Context) error { return RunRegister(ctx, cliCtx) },
		Flags: []cli.Flag{
			&cli.StringFlag{
				Name:  "secret",
				Usage: "the secret the runner will use to connect as a 40 character hexadecimal string",
			},
			&cli.StringFlag{
				Name:  "secret-stdin",
				Usage: "the secret the runner will use to connect as a 40 character hexadecimal string, read from stdin",
			},
			&cli.StringFlag{
				Name:  "secret-file",
				Usage: "path to the file containing the secret the runner will use to connect as a 40 character hexadecimal string",
			},
			&cli.StringFlag{
				Name:    "scope",
				Aliases: []string{"s"},
				Value:   "",
				Usage:   "{owner}[/{repo}] - leave empty for a global runner",
			},
			&cli.StringFlag{
				Name:  "labels",
				Value: "",
				Usage: "comma separated list of labels supported by the runner (e.g. docker,ubuntu-latest,self-hosted)  (not required since v1.21)",
			},
			&cli.BoolFlag{
				Name:  "keep-labels",
				Value: false,
				Usage: "do not affect the labels when updating an existing runner",
			},
			&cli.StringFlag{
				Name:  "name",
				Value: "runner",
				Usage: "name of the runner (default runner)",
			},
			&cli.StringFlag{
				Name:  "version",
				Value: "",
				Usage: "version of the runner (not required since v1.21)",
			},
		},
	}
}

func readSecret(ctx context.Context, cliCtx *cli.Context) (string, error) {
	if cliCtx.IsSet("secret") {
		return cliCtx.String("secret"), nil
	}
	if cliCtx.IsSet("secret-stdin") {
		buf, err := io.ReadAll(ContextGetStdin(ctx))
		if err != nil {
			return "", err
		}
		return string(buf), nil
	}
	if cliCtx.IsSet("secret-file") {
		path := cliCtx.String("secret-file")
		buf, err := os.ReadFile(path)
		if err != nil {
			return "", err
		}
		return string(buf), nil
	}
	return "", fmt.Errorf("at least one of the --secret, --secret-stdin, --secret-file options is required")
}

func validateSecret(secret string) error {
	secretLen := len(secret)
	if secretLen != 40 {
		return fmt.Errorf("the secret must be exactly 40 characters long, not %d: generate-secret can provide a secret matching the requirements", secretLen)
	}
	if _, err := hex.DecodeString(secret); err != nil {
		return fmt.Errorf("the secret must be an hexadecimal string: %w", err)
	}
	return nil
}

func getLabels(cliCtx *cli.Context) (*[]string, error) {
	if !cliCtx.Bool("keep-labels") {
		lblValue := strings.Split(cliCtx.String("labels"), ",")
		return &lblValue, nil
	}
	if cliCtx.String("labels") != "" {
		return nil, fmt.Errorf("--labels and --keep-labels should not be used together")
	}
	return nil, nil
}

func RunRegister(ctx context.Context, cliCtx *cli.Context) error {
	var cancel context.CancelFunc
	if !ContextGetNoInit(ctx) {
		ctx, cancel = installSignals(ctx)
		defer cancel()

		if err := initDB(ctx); err != nil {
			return err
		}
	}
	setting.MustInstalled()

	secret, err := readSecret(ctx, cliCtx)
	if err != nil {
		return err
	}
	if err := validateSecret(secret); err != nil {
		return err
	}
	scope := cliCtx.String("scope")
	name := cliCtx.String("name")
	version := cliCtx.String("version")
	labels, err := getLabels(cliCtx)
	if err != nil {
		return err
	}

	//
	// There are two kinds of tokens
	//
	// - "registration token" only used when a runner interacts to
	//   register
	//
	// - "token" obtained after a successful registration and stored by
	//   the runner to authenticate
	//
	// The register subcommand does not need a "registration token", it
	// needs a "token". Using the same name is confusing and secret is
	// preferred for this reason in the cli.
	//
	// The ActionsRunnerRegister argument is token to be consistent with
	// the internal naming. It is still confusing to the developer but
	// not to the user.
	//
	owner, repo, err := private_routers.ParseScope(ctx, scope)
	if err != nil {
		return err
	}

	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, labels, name, version)
	if err != nil {
		return fmt.Errorf("error while registering runner: %v", err)
	}

	if _, err := fmt.Fprintf(ContextGetStdout(ctx), "%s", runner.UUID); err != nil {
		panic(err)
	}
	return nil
}

func RunGenerateSecret(ctx context.Context, cliCtx *cli.Context) error {
	runner := actions_model.ActionRunner{}
	if err := runner.GenerateToken(); err != nil {
		return err
	}
	if _, err := fmt.Fprintf(ContextGetStdout(ctx), "%s", runner.Token); err != nil {
		panic(err)
	}
	return nil
}

func RunGenerateActionsRunnerToken(ctx context.Context, cliCtx *cli.Context) error {
	if !ContextGetNoInit(ctx) {
		var cancel context.CancelFunc
		ctx, cancel = installSignals(ctx)
		defer cancel()
	}

	setting.MustInstalled()

	scope := cliCtx.String("scope")

	respText, extra := private.GenerateActionsRunnerToken(ctx, scope)
	if extra.HasError() {
		return handleCliResponseExtra(ctx, extra)
	}
	if _, err := fmt.Fprintf(ContextGetStdout(ctx), "%s", respText.Text); err != nil {
		panic(err)
	}
	return nil
}