package manta

import (
	"context"
	"encoding/pem"
	"errors"
	"fmt"
	"io/ioutil"
	"os"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/go-multierror"
	"github.com/hashicorp/terraform/backend"
	"github.com/hashicorp/terraform/helper/schema"
	triton "github.com/joyent/triton-go"
	"github.com/joyent/triton-go/authentication"
	"github.com/joyent/triton-go/storage"
)

func New() backend.Backend {
	s := &schema.Backend{
		Schema: map[string]*schema.Schema{
			"account": {
				Type:        schema.TypeString,
				Required:    true,
				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"TRITON_ACCOUNT", "SDC_ACCOUNT"}, ""),
			},

			"user": {
				Type:        schema.TypeString,
				Optional:    true,
				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"TRITON_USER", "SDC_USER"}, ""),
			},

			"url": {
				Type:        schema.TypeString,
				Optional:    true,
				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"MANTA_URL"}, "https://us-east.manta.joyent.com"),
			},

			"key_material": {
				Type:        schema.TypeString,
				Optional:    true,
				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"TRITON_KEY_MATERIAL", "SDC_KEY_MATERIAL"}, ""),
			},

			"key_id": {
				Type:        schema.TypeString,
				Required:    true,
				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"TRITON_KEY_ID", "SDC_KEY_ID"}, ""),
			},

			"insecure_skip_tls_verify": {
				Type:        schema.TypeBool,
				Optional:    true,
				DefaultFunc: schema.EnvDefaultFunc("TRITON_SKIP_TLS_VERIFY", false),
			},

			"path": {
				Type:     schema.TypeString,
				Required: true,
			},

			"object_name": {
				Type:     schema.TypeString,
				Optional: true,
				Default:  "terraform.tfstate",
			},
		},
	}

	result := &Backend{Backend: s}
	result.Backend.ConfigureFunc = result.configure
	return result
}

type Backend struct {
	*schema.Backend
	data *schema.ResourceData

	// The fields below are set from configure
	storageClient *storage.StorageClient
	path          string
	objectName    string
}

type BackendConfig struct {
	AccountId   string
	Username    string
	KeyId       string
	AccountUrl  string
	KeyMaterial string
	SkipTls     bool
}

func (b *Backend) configure(ctx context.Context) error {
	if b.path != "" {
		return nil
	}

	data := schema.FromContextBackendConfig(ctx)

	config := &BackendConfig{
		AccountId:  data.Get("account").(string),
		AccountUrl: data.Get("url").(string),
		KeyId:      data.Get("key_id").(string),
		SkipTls:    data.Get("insecure_skip_tls_verify").(bool),
	}

	if v, ok := data.GetOk("user"); ok {
		config.Username = v.(string)
	}

	if v, ok := data.GetOk("key_material"); ok {
		config.KeyMaterial = v.(string)
	}

	b.path = data.Get("path").(string)
	b.objectName = data.Get("object_name").(string)

	// If object_name is not set, try the deprecated objectName.
	if b.objectName == "" {
		b.objectName = data.Get("objectName").(string)
	}

	var validationError *multierror.Error

	if data.Get("account").(string) == "" {
		validationError = multierror.Append(validationError, errors.New("`Account` must be configured for the Triton provider"))
	}
	if data.Get("key_id").(string) == "" {
		validationError = multierror.Append(validationError, errors.New("`Key ID` must be configured for the Triton provider"))
	}
	if b.path == "" {
		validationError = multierror.Append(validationError, errors.New("`Path` must be configured for the Triton provider"))
	}

	if validationError != nil {
		return validationError
	}

	var signer authentication.Signer
	var err error

	if config.KeyMaterial == "" {
		input := authentication.SSHAgentSignerInput{
			KeyID:       config.KeyId,
			AccountName: config.AccountId,
			Username:    config.Username,
		}
		signer, err = authentication.NewSSHAgentSigner(input)
		if err != nil {
			return errwrap.Wrapf("Error Creating SSH Agent Signer: {{err}}", err)
		}
	} else {
		var keyBytes []byte
		if _, err = os.Stat(config.KeyMaterial); err == nil {
			keyBytes, err = ioutil.ReadFile(config.KeyMaterial)
			if err != nil {
				return fmt.Errorf("Error reading key material from %s: %s",
					config.KeyMaterial, err)
			}
			block, _ := pem.Decode(keyBytes)
			if block == nil {
				return fmt.Errorf(
					"Failed to read key material '%s': no key found", config.KeyMaterial)
			}

			if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
				return fmt.Errorf(
					"Failed to read key '%s': password protected keys are\n"+
						"not currently supported. Please decrypt the key prior to use.", config.KeyMaterial)
			}

		} else {
			keyBytes = []byte(config.KeyMaterial)
		}

		input := authentication.PrivateKeySignerInput{
			KeyID:              config.KeyId,
			PrivateKeyMaterial: keyBytes,
			AccountName:        config.AccountId,
			Username:           config.Username,
		}

		signer, err = authentication.NewPrivateKeySigner(input)
		if err != nil {
			return errwrap.Wrapf("Error Creating SSH Private Key Signer: {{err}}", err)
		}
	}

	clientConfig := &triton.ClientConfig{
		MantaURL:    config.AccountUrl,
		AccountName: config.AccountId,
		Username:    config.Username,
		Signers:     []authentication.Signer{signer},
	}
	triton, err := storage.NewClient(clientConfig)
	if err != nil {
		return err
	}

	b.storageClient = triton

	return nil
}