package object

import (
	"context"

	"github.com/nspcc-dev/neofs-api-go/service"
	crypto "github.com/nspcc-dev/neofs-crypto"
	"github.com/nspcc-dev/neofs-node/lib/implementations"
	"github.com/pkg/errors"
)

type bearerTokenVerifier interface {
	verifyBearerToken(context.Context, CID, service.BearerToken) error
}

type complexBearerVerifier struct {
	items []bearerTokenVerifier
}

type bearerActualityVerifier struct {
	epochRecv EpochReceiver
}

type bearerOwnershipVerifier struct {
	cnrOwnerChecker implementations.ContainerOwnerChecker
}

type bearerSignatureVerifier struct{}

var errWrongBearerOwner = errors.New("bearer author is not a container owner")

func (s complexBearerVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
	for i := range s.items {
		if err := s.items[i].verifyBearerToken(ctx, cid, token); err != nil {
			return err
		}
	}

	return nil
}

func (s bearerActualityVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
	local := s.epochRecv.Epoch()
	validUntil := token.ExpirationEpoch()

	if local > validUntil {
		return errors.Errorf("bearer token is expired (local %d, valid until %d)",
			local,
			validUntil,
		)
	}

	return nil
}

func (s bearerOwnershipVerifier) verifyBearerToken(ctx context.Context, cid CID, token service.BearerToken) error {
	isOwner, err := s.cnrOwnerChecker.IsContainerOwner(ctx, cid, token.GetOwnerID())
	if err != nil {
		return err
	} else if !isOwner {
		return errWrongBearerOwner
	}

	return nil
}

func (s bearerSignatureVerifier) verifyBearerToken(_ context.Context, _ CID, token service.BearerToken) error {
	return service.VerifySignatureWithKey(
		crypto.UnmarshalPublicKey(token.GetOwnerKey()),
		service.NewVerifiedBearerToken(token),
	)
}