// Package infoblox implements a DNS provider for solving the DNS-01 challenge using on prem infoblox DNS.
package infoblox

import (
	"errors"
	"fmt"
	"strconv"
	"sync"
	"time"

	"github.com/go-acme/lego/v4/challenge/dns01"
	"github.com/go-acme/lego/v4/platform/config/env"
	infoblox "github.com/infobloxopen/infoblox-go-client"
)

// Environment variables names.
const (
	envNamespace = "INFOBLOX_"

	EnvHost        = envNamespace + "HOST"
	EnvPort        = envNamespace + "PORT"
	EnvUsername    = envNamespace + "USERNAME"
	EnvPassword    = envNamespace + "PASSWORD"
	EnvDNSView     = envNamespace + "DNS_VIEW"
	EnvWApiVersion = envNamespace + "WAPI_VERSION"
	EnvSSLVerify   = envNamespace + "SSL_VERIFY"

	EnvTTL                = envNamespace + "TTL"
	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
	EnvHTTPTimeout        = envNamespace + "HTTP_TIMEOUT"
)

const (
	defaultPoolConnections = 10
	defaultUserAgent       = "go-acme/lego"
)

// Config is used to configure the creation of the DNSProvider.
type Config struct {
	// Host is the URL of the grid manager.
	Host string
	// Port is the Port for the grid manager.
	Port string

	// Username the user for accessing API.
	Username string
	// Password the password for accessing API.
	Password string

	// DNSView is the dns view to put new records and search from.
	DNSView string
	// WapiVersion is the version of web api used.
	WapiVersion string

	// SSLVerify is whether or not to verify the ssl of the server being hit.
	SSLVerify bool

	PropagationTimeout time.Duration
	PollingInterval    time.Duration
	TTL                int
	HTTPTimeout        int
}

// NewDefaultConfig returns a default configuration for the DNSProvider.
func NewDefaultConfig() *Config {
	return &Config{
		DNSView:     env.GetOrDefaultString(EnvDNSView, "External"),
		WapiVersion: env.GetOrDefaultString(EnvWApiVersion, "2.11"),
		Port:        env.GetOrDefaultString(EnvPort, "443"),
		SSLVerify:   env.GetOrDefaultBool(EnvSSLVerify, true),

		TTL:                env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, dns01.DefaultPropagationTimeout),
		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
		HTTPTimeout:        env.GetOrDefaultInt(EnvHTTPTimeout, 30),
	}
}

// DNSProvider implements the challenge.Provider interface.
type DNSProvider struct {
	config          *Config
	transportConfig infoblox.TransportConfig
	ibConfig        infoblox.HostConfig

	recordRefs   map[string]string
	recordRefsMu sync.Mutex
}

// NewDNSProvider returns a DNSProvider instance configured for Infoblox.
// Credentials must be passed in the environment variables:
// INFOBLOX_USERNAME, INFOBLOX_PASSWORD
// INFOBLOX_HOST, INFOBLOX_PORT
// INFOBLOX_DNS_VIEW, INFOBLOX_WAPI_VERSION
// INFOBLOX_SSL_VERIFY.
func NewDNSProvider() (*DNSProvider, error) {
	values, err := env.Get(EnvHost, EnvUsername, EnvPassword)
	if err != nil {
		return nil, fmt.Errorf("infoblox: %w", err)
	}

	config := NewDefaultConfig()
	config.Host = values[EnvHost]
	config.Username = values[EnvUsername]
	config.Password = values[EnvPassword]

	return NewDNSProviderConfig(config)
}

// NewDNSProviderConfig return a DNSProvider instance configured for HyperOne.
func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
	if config == nil {
		return nil, errors.New("infoblox: the configuration of the DNS provider is nil")
	}

	if config.Host == "" {
		return nil, errors.New("infoblox: missing host")
	}

	if config.Username == "" || config.Password == "" {
		return nil, errors.New("infoblox: missing credentials")
	}

	return &DNSProvider{
		config:          config,
		transportConfig: infoblox.NewTransportConfig(strconv.FormatBool(config.SSLVerify), config.HTTPTimeout, defaultPoolConnections),
		ibConfig: infoblox.HostConfig{
			Host:     config.Host,
			Version:  config.WapiVersion,
			Port:     config.Port,
			Username: config.Username,
			Password: config.Password,
		},
		recordRefs: make(map[string]string),
	}, nil
}

// Timeout returns the timeout and interval to use when checking for DNS propagation.
func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
	return d.config.PropagationTimeout, d.config.PollingInterval
}

// Present creates a TXT record to fulfill the dns-01 challenge.
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
	info := dns01.GetChallengeInfo(domain, keyAuth)

	connector, err := infoblox.NewConnector(d.ibConfig, d.transportConfig, &infoblox.WapiRequestBuilder{}, &infoblox.WapiHttpRequestor{})
	if err != nil {
		return fmt.Errorf("infoblox: %w", err)
	}

	defer func() { _ = connector.Logout() }()

	objectManager := infoblox.NewObjectManager(connector, defaultUserAgent, "")

	record, err := objectManager.CreateTXTRecord(dns01.UnFqdn(info.EffectiveFQDN), info.Value, uint(d.config.TTL), d.config.DNSView)
	if err != nil {
		return fmt.Errorf("infoblox: could not create TXT record for %s: %w", domain, err)
	}

	d.recordRefsMu.Lock()
	d.recordRefs[token] = record.Ref
	d.recordRefsMu.Unlock()

	return nil
}

// CleanUp removes the TXT record matching the specified parameters.
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
	info := dns01.GetChallengeInfo(domain, keyAuth)

	connector, err := infoblox.NewConnector(d.ibConfig, d.transportConfig, &infoblox.WapiRequestBuilder{}, &infoblox.WapiHttpRequestor{})
	if err != nil {
		return fmt.Errorf("infoblox: %w", err)
	}

	defer func() { _ = connector.Logout() }()

	objectManager := infoblox.NewObjectManager(connector, defaultUserAgent, "")

	// gets the record's unique ref from when we created it
	d.recordRefsMu.Lock()
	recordRef, ok := d.recordRefs[token]
	d.recordRefsMu.Unlock()
	if !ok {
		return fmt.Errorf("infoblox: unknown record ID for '%s' '%s'", info.EffectiveFQDN, token)
	}

	_, err = objectManager.DeleteTXTRecord(recordRef)
	if err != nil {
		return fmt.Errorf("infoblox: could not delete TXT record for %s: %w", domain, err)
	}

	// Delete record ref from map
	d.recordRefsMu.Lock()
	delete(d.recordRefs, token)
	d.recordRefsMu.Unlock()

	return nil
}