# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

import codecs
import hmac
import json
import logging
import os
from typing import cast

import boto3
from chalice import BadRequestError, Chalice, ForbiddenError
from chalice.app import Request

app = Chalice(app_name='scale_out_runner')
app.log.setLevel(logging.INFO)

ASG_GROUP_NAME = os.getenv('ASG_NAME', 'AshbRunnerASG')
ASG_REGION_NAME = os.getenv('ASG_REGION_NAME', None)
TABLE_NAME = os.getenv('COUNTER_TABLE', 'GithubRunnerQueue')
_commiters = set()
GH_WEBHOOK_TOKEN = None

REPOS = os.getenv('REPOS')
if REPOS:
    REPO_CONFIGURATION = json.loads(REPOS)
else:
    REPO_CONFIGURATION = {
        # <repo>: [list-of-branches-to-use-self-hosted-on]
        'apache/airflow': {'main', 'master'},
    }
del REPOS


@app.route('/', methods=['POST'])
def index():
    validate_gh_sig(app.current_request)

    if app.current_request.headers.get('X-GitHub-Event', None) != "check_run":
        # Ignore things about installs/permissions etc
        return {'ignored': 'not about check_runs'}

    body = app.current_request.json_body

    repo = body['repository']['full_name']

    sender = body['sender']['login']

    # Other repos configured with this app, but we don't do anything with them
    # yet.
    if repo not in REPO_CONFIGURATION:
        app.log.info("Ignoring event for %r", repo)
        return {'ignored': 'Other repo'}

    interested_branches = REPO_CONFIGURATION[repo]

    branch = body['check_run']['check_suite']['head_branch']

    use_self_hosted = sender in commiters() or branch in interested_branches
    payload = {'sender': sender, 'use_self_hosted': use_self_hosted}

    if body['action'] == 'completed' and body['check_run']['conclusion'] == 'cancelled':
        if use_self_hosted:
            # The only time we get a "cancelled" job is when it wasn't yet running.
            queue_length = increment_dynamodb_counter(-1)
            # Don't scale in the ASG -- let the CloudWatch alarm do that.
            payload['new_queue'] = queue_length
        else:
            payload = {'ignored': 'unknown sender'}

    elif body['action'] != 'created':
        payload = {'ignored': "action is not 'created'"}

    elif body['check_run']['status'] != 'queued':
        # Skipped runs are "created", but are instantly completed. Ignore anything that is not queued
        payload = {'ignored': "check_run.status is not 'queued'"}
    else:
        if use_self_hosted:
            # Increment counter in DynamoDB
            queue_length = increment_dynamodb_counter()
            payload.update(**scale_asg_if_needed(queue_length))
    app.log.info(
        "delivery=%s branch=%s: %r",
        app.current_request.headers.get('X-GitHub-Delivery', None),
        branch,
        payload,
    )
    return payload


def commiters(ssm_repo_name: str = os.getenv('SSM_REPO_NAME', 'apache/airflow')):
    global _commiters

    if not _commiters:
        client = boto3.client('ssm')
        param_path = os.path.join('/runners/', ssm_repo_name, 'configOverlay')
        app.log.info("Loading config overlay from %s", param_path)

        try:

            resp = client.get_parameter(Name=param_path, WithDecryption=True)
        except client.exceptions.ParameterNotFound:
            app.log.debug("Failed to load config overlay", exc_info=True)
            return set()

        try:
            overlay = json.loads(resp['Parameter']['Value'])
        except ValueError:
            app.log.debug("Failed to parse config overlay", exc_info=True)
            return set()

        _commiters = set(overlay['pullRequestSecurity']['allowedAuthors'])

    return _commiters


def validate_gh_sig(request: Request):
    sig = request.headers.get('X-Hub-Signature-256', None)
    if not sig or not sig.startswith('sha256='):
        raise BadRequestError('X-Hub-Signature-256 not of expected format')

    sig = sig[len('sha256=') :]
    calculated_sig = sign_request_body(request)

    app.log.debug('Checksum verification - expected %s got %s', calculated_sig, sig)

    if not hmac.compare_digest(sig, calculated_sig):
        raise ForbiddenError('Spoofed request')


def sign_request_body(request: Request) -> str:
    global GH_WEBHOOK_TOKEN
    if GH_WEBHOOK_TOKEN is None:
        if 'GH_WEBHOOK_TOKEN' in os.environ:
            # Local dev support:
            GH_WEBHOOK_TOKEN = os.environ['GH_WEBHOOK_TOKEN'].encode('utf-8')
        else:
            encrypted = os.environb[b'GH_WEBHOOK_TOKEN_ENCRYPTED']

            kms = boto3.client('kms')
            response = kms.decrypt(CiphertextBlob=codecs.decode(encrypted, 'base64'))
            GH_WEBHOOK_TOKEN = response['Plaintext']
    body = cast(bytes, request.raw_body)
    return hmac.new(GH_WEBHOOK_TOKEN, body, digestmod='SHA256').hexdigest()  # type: ignore


def increment_dynamodb_counter(delta: int = 1) -> int:
    dynamodb = boto3.client('dynamodb')
    args = dict(
        TableName=TABLE_NAME,
        Key={'id': {'S': 'queued_jobs'}},
        ExpressionAttributeValues={':delta': {'N': str(delta)}},
        UpdateExpression='ADD queued :delta',
        ReturnValues='UPDATED_NEW',
    )

    if delta < 0:
        # Make sure it never goes below zero!
        args['ExpressionAttributeValues'][':limit'] = {'N': str(-delta)}
        args['ConditionExpression'] = 'queued >= :limit'

    resp = dynamodb.update_item(**args)
    return int(resp['Attributes']['queued']['N'])


def scale_asg_if_needed(num_queued_jobs: int) -> dict:
    asg = boto3.client('autoscaling', region_name=ASG_REGION_NAME)

    resp = asg.describe_auto_scaling_groups(
        AutoScalingGroupNames=[ASG_GROUP_NAME],
    )

    asg_info = resp['AutoScalingGroups'][0]

    current = asg_info['DesiredCapacity']
    max_size = asg_info['MaxSize']

    busy = 0
    for instance in asg_info['Instances']:
        if instance['LifecycleState'] == 'InService' and instance['ProtectedFromScaleIn']:
            busy += 1
    app.log.info("Busy instances: %d, num_queued_jobs: %d, current_size: %d", busy, num_queued_jobs, current)

    new_size = num_queued_jobs + busy
    if new_size > current:
        if new_size <= max_size or current < max_size:
            try:
                new_size = min(new_size, max_size)
                asg.set_desired_capacity(AutoScalingGroupName=ASG_GROUP_NAME, DesiredCapacity=new_size)
                return {'new_capcity': new_size}
            except asg.exceptions.ScalingActivityInProgressFault as e:
                return {'error': str(e)}
        else:
            return {'capacity_at_max': True}
    else:
        return {'idle_instances': True}