# frozen_string_literal: true

module GDK
  # ConfigRedactor provides functionality to securely redact sensitive
  # information from configuration data.  It processes YAML-compatible Hash
  # structures and masks values based on key patterns and value content.
  #
  # The redactor identifies sensitive data through:
  # 1. Key pattern matching (e.g. keys ending in _secret, _token) case-insensitive
  # 2. Value pattern matching (e.g. GitLab/GitHub tokens, UUIDs)
  # 3. Explicit allowlist exceptions
  #
  # @example Basic usage with a hash
  #   config = {
  #     'api_token' => 'secret123',
  #     'public_url' => 'http://example.com'
  #   }
  #   redacted = GDK::ConfigRedactor.redact(config)
  #   redacted['api_token'] # => "[redacted]"
  #   redacted['public_url'] # => "http://example.com"
  #
  # @example Handling nested structures
  #   nested_config = {
  #     'credentials' => {
  #       'gitlab_token' => 'glpat-abc123',
  #       'github_key' => 'gh_xyz789'
  #     }
  #   }
  #   redacted = GDK::ConfigRedactor.redact(nested_config)
  #   # Results in:
  #   # {
  #   #   'credentials' => {
  #   #     'gitlab_token' => '[redacted]',
  #   #     'github_key' => '[redacted]'
  #   #   }
  #   # }
  class ConfigRedactor
    # Block the config keys. String or Regexp.
    BLOCK_KEYS = [
      # Inspired by Rails' filter_parameters
      /_key$/i,
      /_pass(?:word)?$/i,
      /_secret$/i,
      /token$/i
    ].freeze

    # Explicitly allow the config keys. String or Regexp.
    ALLOW_KEYS = %w[
      cookie_key
      version
    ].freeze

    # Block the config values. String or Regexp.
    BLOCK_VALUES = [
      # https://docs.gitlab.com/security/tokens/#token-prefixes
      /^gl\w+-/,
      # https://github.blog/engineering/platform-security/behind-githubs-new-authentication-token-formats/#identifiable-prefixes
      /^gh\w_/,
      # Hex hashes
      /^\h{8,}+$/,
      # UUIDs
      /^\h+-([\h-]+)$/
    ].freeze

    REDACT_WITH = '[redacted]'
    HOME_REDACT_WITH = '$HOME'

    def self.redact(yaml)
      new.redact(yaml)
    end

    def redact(yaml, redacted = {})
      yaml.each do |key, value|
        redact_kv!(key, value, redacted)
      end

      redacted
    end

    def redact_logfile(content)
      content.gsub(Dir.home, '$HOME')
    end

    private

    def redact_kv!(key, value, redacted)
      new_value =
        case value
        when Hash
          value.each { |k, v| redact_kv!(k, v, value) }
        when Array
          value.each.with_index { |v, i| redact_kv!(i, v, value) }
        else
          redact_single!(key, value)
        end

      redacted[key] = new_value
    end

    def redact_single!(key, value)
      if value.is_a?(String)
        return REDACT_WITH if redact?(key, value)

        value.gsub(Dir.home, HOME_REDACT_WITH)
      else
        value
      end
    end

    def redact?(key, value)
      return false if value.empty?

      key = key.to_s

      (ALLOW_KEYS.none? { |allow| allow === key } &&
        BLOCK_KEYS.any? { |block| block === key }) ||
        BLOCK_VALUES.any? { |block| block === value }
    end
  end
end