package grpcapi

import (
	"context"
	"errors"

	"galaxy/gateway/internal/authn"
	gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// signatureVerifyingService applies client-signature verification after
// payload integrity checks and before later auth or routing steps run.
type signatureVerifyingService struct {
	gatewayv1.UnimplementedEdgeGatewayServer

	delegate gatewayv1.EdgeGatewayServer
}

// ExecuteCommand verifies req client signature before delegating to the
// configured service implementation.
func (s signatureVerifyingService) ExecuteCommand(ctx context.Context, req *gatewayv1.ExecuteCommandRequest) (*gatewayv1.ExecuteCommandResponse, error) {
	if err := verifyRequestSignature(ctx); err != nil {
		return nil, err
	}

	return s.delegate.ExecuteCommand(ctx, req)
}

// SubscribeEvents verifies req client signature before delegating to the
// configured service implementation.
func (s signatureVerifyingService) SubscribeEvents(req *gatewayv1.SubscribeEventsRequest, stream grpc.ServerStreamingServer[gatewayv1.GatewayEvent]) error {
	if err := verifyRequestSignature(stream.Context()); err != nil {
		return err
	}

	return s.delegate.SubscribeEvents(req, stream)
}

// newSignatureVerifyingService wraps delegate with the client-signature
// verification gate.
func newSignatureVerifyingService(delegate gatewayv1.EdgeGatewayServer) gatewayv1.EdgeGatewayServer {
	return signatureVerifyingService{delegate: delegate}
}

func verifyRequestSignature(ctx context.Context) error {
	envelope, ok := parsedEnvelopeFromContext(ctx)
	if !ok {
		return status.Error(codes.Internal, "authenticated request context is incomplete")
	}

	record, ok := resolvedSessionFromContext(ctx)
	if !ok {
		return status.Error(codes.Internal, "authenticated request context is incomplete")
	}

	err := authn.VerifyRequestSignature(record.ClientPublicKey, envelope.Signature, authn.RequestSigningFields{
		ProtocolVersion: envelope.ProtocolVersion,
		DeviceSessionID: envelope.DeviceSessionID,
		MessageType:     envelope.MessageType,
		TimestampMS:     envelope.TimestampMS,
		RequestID:       envelope.RequestID,
		PayloadHash:     envelope.PayloadHash,
	})
	switch {
	case err == nil:
		return nil
	case errors.Is(err, authn.ErrInvalidClientPublicKey):
		return status.Error(codes.Unavailable, "session cache is unavailable")
	case errors.Is(err, authn.ErrInvalidRequestSignature):
		return status.Error(codes.Unauthenticated, "invalid request signature")
	default:
		return status.Error(codes.Internal, "request signature verification failed")
	}
}

var _ gatewayv1.EdgeGatewayServer = signatureVerifyingService{}