//go:build standalone

package checker

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strconv"
	"strings"

	"github.com/miekg/dns"

	sdk "git.happydns.org/checker-sdk-go/checker"
	tls "git.happydns.org/checker-tls/checker"
)

// tlsaLookup fetches TLSA records for owner via the system resolver.
// It is a package variable so tests can swap it for a fixture.
var tlsaLookup = lookupTLSA

// RenderForm lets a human run this checker standalone. The form only
// collects the endpoint coordinates; the expected TLSA records are read
// from DNS by ParseForm and the live certificate is fetched in-process by
// the SDK running checker-tls as a sibling (see RelatedProviders).
func (p *daneProvider) RenderForm() []sdk.CheckerOptionField {
	return []sdk.CheckerOptionField{
		{Id: OptionDomain, Type: "string", Label: "Domain", Placeholder: "example.com", Required: true},
		{Id: "port", Type: "uint", Label: "Port", Default: float64(443), Required: true},
		{Id: "proto", Type: "string", Label: "Protocol", Choices: []string{"tcp", "udp"}, Default: "tcp"},
		{
			Id:          "starttls",
			Type:        "string",
			Label:       "STARTTLS override",
			Description: "Leave empty to auto-derive from port (25→smtp, 587→submission, 143→imap, …).",
		},
		{
			Id:          OptionProbeTimeoutMs,
			Type:        "uint",
			Label:       "Probe timeout (ms)",
			Default:     float64(tls.DefaultProbeTimeoutMs),
			Description: "Forwarded to checker-tls for the live probe.",
		},
	}
}

// ParseForm turns the submitted endpoint into the same CheckerOptions
// shape happyDomain would feed Collect. The TLSA RRset expected by
// Collect is resolved live from DNS at _<port>._<proto>.<domain>; if
// nothing is published there, no validation is possible and the form is
// re-rendered with the error.
func (p *daneProvider) ParseForm(r *http.Request) (sdk.CheckerOptions, error) {
	domain := strings.TrimSuffix(strings.TrimSpace(r.FormValue(OptionDomain)), ".")
	if domain == "" {
		return nil, errors.New("domain is required")
	}
	portStr := strings.TrimSpace(r.FormValue("port"))
	if portStr == "" {
		return nil, errors.New("port is required")
	}
	port64, err := strconv.ParseUint(portStr, 10, 16)
	if err != nil || port64 == 0 {
		return nil, fmt.Errorf("invalid port %q: must be 1-65535", portStr)
	}
	port := uint16(port64)
	proto := strings.TrimSpace(r.FormValue("proto"))
	if proto == "" {
		proto = "tcp"
	}
	if proto != "tcp" && proto != "udp" {
		return nil, fmt.Errorf("invalid protocol %q: must be tcp or udp", proto)
	}

	owner := tlsaOwnerName(port, proto, domain)
	records, err := tlsaLookup(owner)
	if err != nil {
		return nil, fmt.Errorf("TLSA lookup for %s: %w", owner, err)
	}
	if len(records) == 0 {
		return nil, fmt.Errorf("no TLSA records found at %s", owner)
	}

	tlsaEntries := make([]map[string]any, 0, len(records))
	for _, t := range records {
		tlsaEntries = append(tlsaEntries, map[string]any{
			"Hdr":          map[string]any{"Name": owner},
			"Usage":        t.Usage,
			"Selector":     t.Selector,
			"MatchingType": t.MatchingType,
			"Certificate":  strings.ToLower(t.Certificate),
		})
	}
	body, err := json.Marshal(map[string]any{"tlsa": tlsaEntries})
	if err != nil {
		return nil, fmt.Errorf("marshal TLSAs service: %w", err)
	}

	opts := sdk.CheckerOptions{
		OptionDomain: domain,
		OptionService: serviceMessage{
			Type:    serviceType,
			Domain:  domain,
			Service: body,
		},
	}

	if s := strings.TrimSpace(r.FormValue("starttls")); s != "" {
		opts[OptionSTARTTLS] = map[string]string{
			starttlsKey(port, proto): s,
		}
	}
	if v := strings.TrimSpace(r.FormValue(OptionProbeTimeoutMs)); v != "" {
		if n, err := strconv.Atoi(v); err == nil && n > 0 {
			opts[OptionProbeTimeoutMs] = float64(n)
		}
	}
	return opts, nil
}

// RelatedProviders declares checker-tls as the sibling the SDK should run
// in-process during the interactive flow. The SDK harvests the discovery
// entries this checker publishes via DiscoverEntries and auto-fills
// checker-tls's OptionEndpoints (the option tagged
// sdk.AutoFillDiscoveryEntries in its definition), so the probe map the
// rule reads via GetRelated is populated with live data.
func (p *daneProvider) RelatedProviders() []sdk.ObservationProvider {
	return []sdk.ObservationProvider{tls.Provider()}
}

// lookupTLSA queries the system resolver for TLSA records at owner.
// Falls back to 1.1.1.1 when /etc/resolv.conf is unreadable.
func lookupTLSA(owner string) ([]*dns.TLSA, error) {
	resolver, err := interactiveResolver()
	if err != nil {
		return nil, err
	}
	msg := new(dns.Msg)
	msg.SetQuestion(dns.Fqdn(owner), dns.TypeTLSA)
	msg.RecursionDesired = true
	msg.SetEdns0(4096, true)

	c := new(dns.Client)
	in, _, err := c.Exchange(msg, resolver)
	if err != nil {
		return nil, err
	}
	if in.Rcode != dns.RcodeSuccess && in.Rcode != dns.RcodeNameError {
		return nil, fmt.Errorf("rcode %s", dns.RcodeToString[in.Rcode])
	}
	var out []*dns.TLSA
	for _, rr := range in.Answer {
		if t, ok := rr.(*dns.TLSA); ok {
			out = append(out, t)
		}
	}
	return out, nil
}

func interactiveResolver() (string, error) {
	cfg, err := dns.ClientConfigFromFile("/etc/resolv.conf")
	if err != nil || len(cfg.Servers) == 0 {
		return net.JoinHostPort("1.1.1.1", "53"), nil
	}
	return net.JoinHostPort(cfg.Servers[0], cfg.Port), nil
}