package control

import (
	"bytes"
	"crypto/ecdsa"
	"errors"

	control "github.com/nspcc-dev/neofs-node/pkg/services/control/ir"
	"github.com/nspcc-dev/neofs-sdk-go/util/signature"
)

// SignedMessage is an interface of Control service message.
type SignedMessage interface {
	signature.DataSource
	GetSignature() *control.Signature
	SetSignature(*control.Signature)
}

var errDisallowedKey = errors.New("key is not in the allowed list")

func (s *Server) isValidRequest(req SignedMessage) error {
	var (
		sign    = req.GetSignature()
		key     = sign.GetKey()
		allowed = false
	)

	// check if key is allowed
	for i := range s.allowedKeys {
		if allowed = bytes.Equal(s.allowedKeys[i], key); allowed {
			break
		}
	}

	if !allowed {
		return errDisallowedKey
	}

	// verify signature
	return signature.VerifyDataWithSource(req, func() ([]byte, []byte) {
		return key, sign.GetSign()
	})
}

// SignMessage signs Control service message with private key.
func SignMessage(key *ecdsa.PrivateKey, msg SignedMessage) error {
	return signature.SignDataWithHandler(key, msg, func(key []byte, sig []byte) {
		s := new(control.Signature)
		s.SetKey(key)
		s.SetSign(sig)

		msg.SetSignature(s)
	})
}