package checker

import (
	"encoding/json"
	"net"
	"strconv"
	"strings"
	"time"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// TLSRelatedKey is the observation key we expect a TLS checker to publish
// for the endpoints we discover. Matches the cross-checker convention
// documented in the happyDomain plan.
const TLSRelatedKey sdk.ObservationKey = "tls_probes"

// tlsProbeView is a permissive view of a TLS checker's payload: we read
// only the fields we need and tolerate missing ones. The TLS checker owns
// the full schema.
type tlsProbeView struct {
	Host          string    `json:"host,omitempty"`
	Port          uint16    `json:"port,omitempty"`
	Endpoint      string    `json:"endpoint,omitempty"`
	TLSVersion    string    `json:"tls_version,omitempty"`
	CipherSuite   string    `json:"cipher_suite,omitempty"`
	HostnameMatch *bool     `json:"hostname_match,omitempty"`
	ChainValid    *bool     `json:"chain_valid,omitempty"`
	NotAfter      time.Time `json:"not_after,omitempty"`
	Issues        []struct {
		Code     string `json:"code"`
		Severity string `json:"severity"`
		Message  string `json:"message,omitempty"`
		Fix      string `json:"fix,omitempty"`
	} `json:"issues,omitempty"`
}

func (v *tlsProbeView) address() string {
	if v.Endpoint != "" {
		return v.Endpoint
	}
	if v.Host != "" && v.Port != 0 {
		return net.JoinHostPort(v.Host, strconv.Itoa(int(v.Port)))
	}
	return ""
}

// parseTLSRelated decodes a RelatedObservation as a TLS probe, gracefully
// returning nil when the payload doesn't look like one. Handles both
// {"probes": {"<ref>": <probe>}} and a bare <probe> shape.
func parseTLSRelated(r sdk.RelatedObservation) *tlsProbeView {
	var keyed struct {
		Probes map[string]tlsProbeView `json:"probes"`
	}
	if err := json.Unmarshal(r.Data, &keyed); err == nil && keyed.Probes != nil {
		if p, ok := keyed.Probes[r.Ref]; ok {
			return &p
		}
		return nil
	}
	var v tlsProbeView
	if err := json.Unmarshal(r.Data, &v); err != nil {
		return nil
	}
	return &v
}

// tlsStatesFromRelated converts downstream TLS observations into CheckStates
// so certificate problems land on the LDAP service page.
func tlsStatesFromRelated(related []sdk.RelatedObservation) []sdk.CheckState {
	var out []sdk.CheckState
	for _, r := range related {
		v := parseTLSRelated(r)
		if v == nil {
			continue
		}
		addr := v.address()
		if len(v.Issues) > 0 {
			for _, is := range v.Issues {
				sev := strings.ToLower(is.Severity)
				switch sev {
				case SeverityCrit, SeverityWarn, SeverityInfo:
				default:
					continue
				}
				code := is.Code
				if code == "" {
					code = "tls.unknown"
				}
				out = append(out, stateWithFix(
					severityToStatus(sev),
					"ldap.tls."+code,
					strings.TrimSpace("TLS on "+addr+": "+is.Message),
					addr,
					is.Fix,
				))
			}
			continue
		}
		// Flag-only payload: synthesize a single summary state.
		sev := v.worstSeverity()
		if sev == "" {
			continue
		}
		msg := "TLS issue reported on " + addr
		switch {
		case v.ChainValid != nil && !*v.ChainValid:
			msg = "Invalid certificate chain on " + addr
		case v.HostnameMatch != nil && !*v.HostnameMatch:
			msg = "Certificate does not cover the domain on " + addr
		case !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 0:
			msg = "Certificate expired on " + addr + " (" + v.NotAfter.Format(time.RFC3339) + ")"
		case !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 14*24*time.Hour:
			msg = "Certificate expiring soon on " + addr + " (" + v.NotAfter.Format(time.RFC3339) + ")"
		}
		out = append(out, stateWithFix(
			severityToStatus(sev),
			"ldap.tls.probe",
			msg,
			addr,
			"See the TLS checker report for details.",
		))
	}
	return out
}

// severityToStatus bridges a TLS-related severity string to sdk.Status. The
// severity strings remain stable so JSON payloads from older TLS checkers
// still decode.
func severityToStatus(sev string) sdk.Status {
	switch sev {
	case SeverityCrit:
		return sdk.StatusCrit
	case SeverityWarn:
		return sdk.StatusWarn
	case SeverityInfo:
		return sdk.StatusInfo
	default:
		return sdk.StatusOK
	}
}

func (v *tlsProbeView) worstSeverity() string {
	worst := ""
	for _, is := range v.Issues {
		switch strings.ToLower(is.Severity) {
		case SeverityCrit:
			return SeverityCrit
		case SeverityWarn:
			if worst != SeverityCrit {
				worst = SeverityWarn
			}
		case SeverityInfo:
			if worst == "" {
				worst = SeverityInfo
			}
		}
	}
	if v.ChainValid != nil && !*v.ChainValid {
		return SeverityCrit
	}
	if v.HostnameMatch != nil && !*v.HostnameMatch {
		return SeverityCrit
	}
	if !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 0 {
		return SeverityCrit
	}
	if !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 14*24*time.Hour {
		if worst != SeverityCrit {
			return SeverityWarn
		}
	}
	return worst
}