package cmd

import (
	"fmt"
	"os"
	"strings"
	"time"

	"github.com/spf13/cobra"

	"guardianproject.dev/ops/nix-cache-login/internal/config"
	"guardianproject.dev/ops/nix-cache-login/internal/netrc"
	"guardianproject.dev/ops/nix-cache-login/internal/token"
)

var statusCmd = &cobra.Command{
	Use:   "status",
	Short: "Show current token status",
	Long:  `Decodes the JWT from the netrc file (without verification) and shows expiry information.`,
	RunE:  runStatus,
}

func init() {
	rootCmd.AddCommand(statusCmd)
}

func runStatus(cmd *cobra.Command, args []string) error {
	exitNonZero := false

	configuredServiceAccountMode := isConfiguredServiceAccountMode(cfg)
	if configuredServiceAccountMode {
		fmt.Fprintln(os.Stdout, "Mode: service-account")
		fmt.Fprintf(os.Stdout, "Client ID: %s\n", cfg.ClientID)
	} else {
		fmt.Fprintln(os.Stdout, "Mode: user")
	}

	// Read token from netrc
	pw, err := netrc.GetPassword(cfg.NetrcPath, cfg.CacheHost)
	if err != nil {
		return fmt.Errorf("reading netrc: %w", err)
	}

	if pw == "" {
		fmt.Fprintln(os.Stdout, "Status: NOT AUTHENTICATED (no token found in netrc)")
		return nil
	}

	// Decode JWT payload
	claims, err := token.DecodePayload(pw)
	if err != nil {
		return fmt.Errorf("decoding token: %w", err)
	}

	// Show claims
	if iss, ok := claims["iss"].(string); ok {
		fmt.Fprintf(os.Stdout, "Issuer:  %s\n", iss)
	}
	if sub, ok := claims["sub"].(string); ok {
		fmt.Fprintf(os.Stdout, "Subject: %s\n", sub)
	}
	if name, ok := claims["preferred_username"].(string); ok {
		fmt.Fprintf(os.Stdout, "User:    %s\n", name)
	}
	tokenServiceAccountMode := isServiceAccountToken(claims)
	serviceAccountMismatch := false
	if configuredServiceAccountMode {
		if tokenServiceAccountMode {
			fmt.Fprintln(os.Stdout, "Token mode: service-account")
		} else {
			fmt.Fprintln(os.Stdout, "Token mode: user")
			fmt.Fprintln(os.Stdout, "Warning: config expects a service-account token, but netrc token looks like a user token")
			serviceAccountMismatch = true
		}
		if claimedClientID := tokenClientID(claims); claimedClientID != "" {
			fmt.Fprintf(os.Stdout, "Token client: %s\n", claimedClientID)
			if claimedClientID != cfg.ClientID {
				fmt.Fprintf(os.Stdout, "Warning: token client_id/azp (%s) does not match configured client_id (%s)\n", claimedClientID, cfg.ClientID)
				serviceAccountMismatch = true
			}
		}
	}

	exp, remaining := token.ExpiryInfo(claims)
	if !exp.IsZero() {
		fmt.Fprintf(os.Stdout, "Expires: %s\n", exp.Local().Format(time.RFC1123))
		if remaining > 0 {
			fmt.Fprintf(os.Stdout, "Remaining: %s\n", remaining.Round(time.Second))
			if configuredServiceAccountMode && serviceAccountMismatch {
				fmt.Fprintln(os.Stdout, "Status: WARNING (token is valid but does not match configured service-account client)")
				exitNonZero = true
			} else if configuredServiceAccountMode && tokenServiceAccountMode {
				fmt.Fprintln(os.Stdout, "Status: OK (service-account token valid)")
			} else {
				fmt.Fprintln(os.Stdout, "Status: OK")
			}
		} else {
			fmt.Fprintf(os.Stdout, "Status: EXPIRED (%s ago)\n", (-remaining).Round(time.Second))
			exitNonZero = true
		}
	} else {
		fmt.Fprintln(os.Stdout, "Status: UNKNOWN (token has no exp claim)")
	}

	// Check refresh token
	rtPath := config.RefreshTokenPath()
	_, rtErr := os.Stat(rtPath)
	if configuredServiceAccountMode {
		if rtErr == nil {
			fmt.Fprintf(os.Stdout, "Refresh token: present (not used in service-account mode)\n")
		} else {
			fmt.Fprintf(os.Stdout, "Refresh token: not used in service-account mode\n")
		}
	} else {
		if rtErr == nil {
			fmt.Fprintf(os.Stdout, "Refresh token: present\n")
		} else {
			fmt.Fprintf(os.Stdout, "Refresh token: not found\n")
		}
	}

	if exitNonZero {
		os.Exit(1)
	}

	return nil
}

func isConfiguredServiceAccountMode(cfg *config.Config) bool {
	return cfg != nil && strings.TrimSpace(cfg.ClientSecretFile) != ""
}

func isServiceAccountToken(claims map[string]interface{}) bool {
	if claims == nil {
		return false
	}
	if grantType, ok := claims["gty"].(string); ok && (grantType == "client_credentials" || grantType == "client-credentials") {
		return true
	}
	if username, ok := claims["preferred_username"].(string); ok && strings.HasPrefix(username, "service-account-") {
		return true
	}
	if subject, ok := claims["sub"].(string); ok && strings.HasPrefix(subject, "service-account-") {
		return true
	}
	return false
}

func tokenClientID(claims map[string]interface{}) string {
	if claims == nil {
		return ""
	}
	if azp, ok := claims["azp"].(string); ok {
		return azp
	}
	if clientID, ok := claims["client_id"].(string); ok {
		return clientID
	}
	return ""
}