package core

import (
	"context"
	"fmt"
	"net/http"
	"os"

	"github.com/KimMachineGun/automemlimit/memlimit"
	"github.com/dustin/go-humanize"
	"github.com/wundergraph/cosmo/router/pkg/authentication"
	"github.com/wundergraph/cosmo/router/pkg/config"
	"github.com/wundergraph/cosmo/router/pkg/controlplane/selfregister"
	"github.com/wundergraph/cosmo/router/pkg/cors"
	"github.com/wundergraph/cosmo/router/pkg/logging"
	"go.uber.org/automaxprocs/maxprocs"
	"go.uber.org/zap"
)

// newRouter creates a new router instance.
//
// additionalOptions can be used to override default options or options provided in the config.
func newRouter(ctx context.Context, params RouterResources, additionalOptions ...Option) (*Router, error) {
	cfg := params.Config
	logger := params.Logger

	// Automatically set GOMAXPROCS to avoid CPU throttling on containerized environments
	_, err := maxprocs.Set(maxprocs.Logger(params.Logger.Sugar().Debugf))
	if err != nil {
		return nil, fmt.Errorf("could not set max GOMAXPROCS: %w", err)
	}

	if os.Getenv("GOMEMLIMIT") != "" {
		params.Logger.Info("GOMEMLIMIT set by user", zap.String("limit", os.Getenv("GOMEMLIMIT")))
	} else {
		// Automatically set GOMEMLIMIT to 90% of the available memory.
		// This is an effort to prevent the router from being killed by OOM (Out Of Memory)
		// when the system is under memory pressure e.g. when GC is not able to free memory fast enough.
		// More details: https://tip.golang.org/doc/gc-guide#Memory_limit
		mLimit, err := memlimit.SetGoMemLimitWithOpts(
			memlimit.WithRatio(0.9),
			memlimit.WithProvider(memlimit.FromCgroupHybrid),
		)
		if err == nil {
			params.Logger.Info("GOMEMLIMIT set automatically", zap.String("limit", humanize.Bytes(uint64(mLimit))))
		} else if !params.Config.DevelopmentMode {
			params.Logger.Warn("GOMEMLIMIT was not set. Please set it manually to around 90% of the available memory to prevent OOM kills", zap.Error(err))
		}
	}

	options := optionsFromResources(logger, cfg)
	options = append(options, additionalOptions...)

	authenticators, err := setupAuthenticators(ctx, logger, cfg)
	if err != nil {
		return nil, fmt.Errorf("could not setup authenticators: %w", err)
	}

	if len(authenticators) > 0 {
		options = append(options, WithAccessController(NewAccessController(authenticators, cfg.Authorization.RequireAuthentication)))
	}

	// HTTP_PROXY, HTTPS_PROXY and NO_PROXY
	if hasProxyConfigured() {
		options = append(options, WithProxy(http.ProxyFromEnvironment))
	}

	if cfg.AccessLogs.Enabled {
		c := &AccessLogsConfig{
			Attributes:         cfg.AccessLogs.Router.Fields,
			SubgraphEnabled:    cfg.AccessLogs.Subgraphs.Enabled,
			SubgraphAttributes: cfg.AccessLogs.Subgraphs.Fields,
		}

		if cfg.AccessLogs.Output.File.Enabled {
			f, err := logging.NewLogFile(cfg.AccessLogs.Output.File.Path)
			if err != nil {
				return nil, fmt.Errorf("could not create log file: %w", err)
			}
			if cfg.AccessLogs.Buffer.Enabled {
				bl, err := logging.NewJSONZapBufferedLogger(logging.BufferedLoggerOptions{
					WS:            f,
					BufferSize:    int(cfg.AccessLogs.Buffer.Size.Uint64()),
					FlushInterval: cfg.AccessLogs.Buffer.FlushInterval,
					Development:   cfg.DevelopmentMode,
					Level:         zap.InfoLevel,
					Pretty:        !cfg.JSONLog,
				})
				if err != nil {
					return nil, fmt.Errorf("could not create buffered logger: %w", err)
				}
				c.Logger = bl.Logger
			} else {
				c.Logger = logging.NewZapAccessLogger(f, cfg.DevelopmentMode, !cfg.JSONLog)
			}
		} else if cfg.AccessLogs.Output.Stdout.Enabled {
			if cfg.AccessLogs.Buffer.Enabled {
				bl, err := logging.NewJSONZapBufferedLogger(logging.BufferedLoggerOptions{
					WS:            os.Stdout,
					BufferSize:    int(cfg.AccessLogs.Buffer.Size.Uint64()),
					FlushInterval: cfg.AccessLogs.Buffer.FlushInterval,
					Development:   cfg.DevelopmentMode,
					Level:         zap.InfoLevel,
					Pretty:        !cfg.JSONLog,
				})
				if err != nil {
					return nil, fmt.Errorf("could not create buffered logger: %w", err)
				}
				c.Logger = bl.Logger
			} else {
				c.Logger = logging.NewZapAccessLogger(os.Stdout, cfg.DevelopmentMode, !cfg.JSONLog)
			}
		}

		options = append(options, WithAccessLogs(c))
	}

	if cfg.RouterRegistration && cfg.Graph.Token != "" {
		selfRegister, err := selfregister.New(cfg.ControlplaneURL, cfg.Graph.Token,
			selfregister.WithLogger(logger),
		)
		if err != nil {
			return nil, fmt.Errorf("could not create self register: %w", err)
		}
		options = append(options, WithSelfRegistration(selfRegister))
	}

	executionConfigPath := cfg.ExecutionConfig.File.Path
	if executionConfigPath == "" {
		executionConfigPath = cfg.RouterConfigPath
	}

	if executionConfigPath != "" {
		options = append(options, WithExecutionConfig(&ExecutionConfig{
			Watch:         cfg.ExecutionConfig.File.Watch,
			WatchInterval: cfg.ExecutionConfig.File.WatchInterval,
			Path:          executionConfigPath,
		}))
	} else {
		options = append(options, WithConfigPollerConfig(&RouterConfigPollerConfig{
			GraphSignKey:    cfg.Graph.SignKey,
			PollInterval:    cfg.PollInterval,
			PollJitter:      cfg.PollJitter,
			ExecutionConfig: cfg.ExecutionConfig,
		}))
	}

	return NewRouter(options...)
}

func optionsFromResources(logger *zap.Logger, config *config.Config) []Option {
	options := []Option{
		WithListenerAddr(config.ListenAddr),
		WithOverrideRoutingURL(config.OverrideRoutingURL),
		WithOverrides(config.Overrides),
		WithLogger(logger),
		WithIntrospection(config.IntrospectionEnabled),
		WithQueryPlans(config.QueryPlansEnabled),
		WithPlayground(config.PlaygroundEnabled),
		WithGraphApiToken(config.Graph.Token),
		WithPersistedOperationsConfig(config.PersistedOperationsConfig),
		WithAutomatedPersistedQueriesConfig(config.AutomaticPersistedQueries),
		WithApolloCompatibilityFlagsConfig(config.ApolloCompatibilityFlags),
		WithApolloRouterCompatibilityFlags(config.ApolloRouterCompatibilityFlags),
		WithStorageProviders(config.StorageProviders),
		WithGraphQLPath(config.GraphQLPath),
		WithModulesConfig(config.Modules),
		WithGracePeriod(config.GracePeriod),
		WithPlaygroundConfig(config.PlaygroundConfig),
		WithPlaygroundPath(config.PlaygroundPath),
		WithHealthCheckPath(config.HealthCheckPath),
		WithLivenessCheckPath(config.LivenessCheckPath),
		WithGraphQLMetrics(&GraphQLMetricsConfig{
			Enabled:           config.GraphqlMetrics.Enabled,
			CollectorEndpoint: config.GraphqlMetrics.CollectorEndpoint,
		}),
		WithAnonymization(&IPAnonymizationConfig{
			Enabled: config.Compliance.AnonymizeIP.Enabled,
			Method:  IPAnonymizationMethod(config.Compliance.AnonymizeIP.Method),
		}),
		WithBatching(&BatchingConfig{
			Enabled:               config.Batching.Enabled,
			MaxConcurrentRoutines: config.Batching.MaxConcurrency,
			MaxEntriesPerBatch:    config.Batching.MaxEntriesPerBatch,
			OmitExtensions:        config.Batching.OmitExtensions,
		}),
		WithClusterName(config.Cluster.Name),
		WithInstanceID(config.InstanceID),
		WithReadinessCheckPath(config.ReadinessCheckPath),
		WithHeaderRules(config.Headers),
		WithRouterTrafficConfig(&config.TrafficShaping.Router),
		WithFileUploadConfig(&config.FileUpload),
		WithSubgraphTransportOptions(NewSubgraphTransportOptions(config.TrafficShaping)),
		WithSubgraphCircuitBreakerOptions(NewSubgraphCircuitBreakerOptions(config.TrafficShaping)),
		WithSubgraphRetryOptions(
			config.TrafficShaping.All.BackoffJitterRetry.Enabled,
			config.TrafficShaping.All.BackoffJitterRetry.MaxAttempts,
			config.TrafficShaping.All.BackoffJitterRetry.MaxDuration,
			config.TrafficShaping.All.BackoffJitterRetry.Interval,
		),
		WithCors(&cors.Config{
			Enabled:          config.CORS.Enabled,
			AllowOrigins:     config.CORS.AllowOrigins,
			AllowMethods:     config.CORS.AllowMethods,
			AllowCredentials: config.CORS.AllowCredentials,
			AllowHeaders:     config.CORS.AllowHeaders,
			MaxAge:           config.CORS.MaxAge,
		}),
		WithTLSConfig(&TlsConfig{
			Enabled:  config.TLS.Server.Enabled,
			CertFile: config.TLS.Server.CertFile,
			KeyFile:  config.TLS.Server.KeyFile,
			ClientAuth: &TlsClientAuthConfig{
				CertFile: config.TLS.Server.ClientAuth.CertFile,
				Required: config.TLS.Server.ClientAuth.Required,
			},
		}),
		WithDevelopmentMode(config.DevelopmentMode),
		WithTracing(TraceConfigFromTelemetry(&config.Telemetry)),
		WithMetrics(MetricConfigFromTelemetry(&config.Telemetry)),
		WithTelemetryAttributes(config.Telemetry.Attributes),
		WithTracingAttributes(config.Telemetry.Tracing.Attributes),
		WithEngineExecutionConfig(config.EngineExecutionConfiguration),
		WithCacheControlPolicy(config.CacheControl),
		WithSecurityConfig(config.SecurityConfiguration),
		WithAuthorizationConfig(&config.Authorization),
		WithWebSocketConfiguration(&config.WebSocket),
		WithSubgraphErrorPropagation(config.SubgraphErrorPropagation),
		WithLocalhostFallbackInsideDocker(config.LocalhostFallbackInsideDocker),
		WithCDN(config.CDN),
		WithEvents(config.Events),
		WithRateLimitConfig(&config.RateLimit),
		WithClientHeader(config.ClientHeader),
		WithCacheWarmupConfig(&config.CacheWarmup),
		WithMCP(config.MCP),
		WithPlugins(config.Plugins),
		WithDemoMode(config.DemoMode),
	}

	return options
}

func setupAuthenticators(ctx context.Context, logger *zap.Logger, cfg *config.Config) ([]authentication.Authenticator, error) {
	jwtConf := cfg.Authentication.JWT
	if len(jwtConf.JWKS) == 0 {
		// No JWT authenticators configured
		return nil, nil
	}

	var authenticators []authentication.Authenticator
	configs := make([]authentication.JWKSConfig, 0, len(jwtConf.JWKS))

	for _, jwks := range cfg.Authentication.JWT.JWKS {
		configs = append(configs, authentication.JWKSConfig{
			URL:               jwks.URL,
			RefreshInterval:   jwks.RefreshInterval,
			AllowedAlgorithms: jwks.Algorithms,

			Secret:    jwks.Secret,
			Algorithm: jwks.Algorithm,
			KeyId:     jwks.KeyId,
		})
	}

	tokenDecoder, err := authentication.NewJwksTokenDecoder(ctx, logger, configs)
	if err != nil {
		return nil, err
	}

	// create a map for the `httpHeaderAuthenticator`
	headerSourceMap := map[string][]string{
		jwtConf.HeaderName: {jwtConf.HeaderValuePrefix},
	}

	// The `websocketInitialPayloadAuthenticator` has one key and uses a flat list of prefixes
	prefixSet := make(map[string]struct{})

	for _, s := range jwtConf.HeaderSources {
		if s.Type != "header" {
			continue
		}

		for _, prefix := range s.ValuePrefixes {
			headerSourceMap[s.Name] = append(headerSourceMap[s.Name], prefix)
			prefixSet[prefix] = struct{}{}
		}

	}

	opts := authentication.HttpHeaderAuthenticatorOptions{
		Name:                 "jwks",
		HeaderSourcePrefixes: headerSourceMap,
		TokenDecoder:         tokenDecoder,
	}

	authenticator, err := authentication.NewHttpHeaderAuthenticator(opts)
	if err != nil {
		logger.Error("Could not create HttpHeader authenticator", zap.Error(err))
		return nil, err
	}

	authenticators = append(authenticators, authenticator)

	if cfg.WebSocket.Authentication.FromInitialPayload.Enabled {
		headerPrefixes := make([]string, 0, len(prefixSet))
		for prefix := range prefixSet {
			headerPrefixes = append(headerPrefixes, prefix)
		}

		opts := authentication.WebsocketInitialPayloadAuthenticatorOptions{
			TokenDecoder:        tokenDecoder,
			Key:                 cfg.WebSocket.Authentication.FromInitialPayload.Key,
			HeaderValuePrefixes: headerPrefixes,
		}
		authenticator, err = authentication.NewWebsocketInitialPayloadAuthenticator(opts)
		if err != nil {
			logger.Error("Could not create WebsocketInitialPayload authenticator", zap.Error(err))
			return nil, err
		}
		authenticators = append(authenticators, authenticator)
	}

	return authenticators, nil
}

func hasProxyConfigured() bool {
	_, httpProxy := os.LookupEnv("HTTP_PROXY")
	_, httpsProxy := os.LookupEnv("HTTPS_PROXY")
	_, noProxy := os.LookupEnv("NO_PROXY")
	return httpProxy || httpsProxy || noProxy
}