// Copyright (c) EZSCALE.
// SPDX-License-Identifier: MPL-2.0

package provider

import (
	"context"
	"encoding/json"
	"fmt"
	"time"

	"terraform-provider-virtfusion/internal/client"

	"github.com/hashicorp/terraform-plugin-framework/path"
	"github.com/hashicorp/terraform-plugin-framework/resource"
	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
	"github.com/hashicorp/terraform-plugin-framework/resource/schema/mapplanmodifier"
	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
	"github.com/hashicorp/terraform-plugin-framework/types"
)

// Ensure provider-defined types fully satisfy framework interfaces.
var (
	_ resource.Resource              = &ServerPasswordResetResource{}
	_ resource.ResourceWithConfigure = &ServerPasswordResetResource{}
)

// NewServerPasswordResetResource creates a new server password reset resource.
func NewServerPasswordResetResource() resource.Resource {
	return &ServerPasswordResetResource{}
}

// ServerPasswordResetResource defines the resource implementation.
type ServerPasswordResetResource struct {
	client *client.Client
}

// ServerPasswordResetResourceModel describes the resource data model.
type ServerPasswordResetResourceModel struct {
	ID       types.String `tfsdk:"id"`
	ServerID types.Int64  `tfsdk:"server_id"`
	User     types.String `tfsdk:"user"`
	Password types.String `tfsdk:"password"`
	Triggers types.Map    `tfsdk:"triggers"`
}

func (r *ServerPasswordResetResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
	resp.TypeName = req.ProviderTypeName + "_server_password_reset"
}

func (r *ServerPasswordResetResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
	resp.Schema = schema.Schema{
		MarkdownDescription: "Resets the password for a VirtFusion server. This is a trigger-style resource — the reset is executed on create and can be re-triggered by changing the `triggers` attribute.",
		Attributes: map[string]schema.Attribute{
			"id": schema.StringAttribute{
				MarkdownDescription: "The identifier for this password reset.",
				Computed:            true,
				PlanModifiers: []planmodifier.String{
					stringplanmodifier.UseStateForUnknown(),
				},
			},
			"server_id": schema.Int64Attribute{
				MarkdownDescription: "The ID of the server to reset the password for.",
				Required:            true,
			},
			"user": schema.StringAttribute{
				MarkdownDescription: "The user to reset the password for. Must be `root` (Linux) or `Administrator` (Windows).",
				Required:            true,
			},
			"password": schema.StringAttribute{
				MarkdownDescription: "The new password generated by the reset operation.",
				Computed:            true,
				Sensitive:           true,
				PlanModifiers: []planmodifier.String{
					stringplanmodifier.UseStateForUnknown(),
				},
			},
			"triggers": schema.MapAttribute{
				MarkdownDescription: "A map of arbitrary strings that, when changed, will cause the password reset to be re-executed. Works like `triggers` in `terraform_data`.",
				ElementType:         types.StringType,
				Optional:            true,
				PlanModifiers: []planmodifier.Map{
					mapplanmodifier.RequiresReplace(),
				},
			},
		},
	}
}

func (r *ServerPasswordResetResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
	if req.ProviderData == nil {
		return
	}

	c, ok := req.ProviderData.(*client.Client)
	if !ok {
		resp.Diagnostics.AddError(
			"Unexpected Resource Configure Type",
			fmt.Sprintf("Expected *client.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData),
		)
		return
	}

	r.client = c
}

func (r *ServerPasswordResetResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
	var data ServerPasswordResetResourceModel
	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
	if resp.Diagnostics.HasError() {
		return
	}

	body := map[string]string{
		"user": data.User.ValueString(),
	}

	apiPath := fmt.Sprintf("/servers/%d/resetPassword", data.ServerID.ValueInt64())
	rawResp, err := r.client.Post(ctx, apiPath, body)
	if err != nil {
		resp.Diagnostics.AddError(
			"Error Resetting Server Password",
			fmt.Sprintf("Could not reset password for server %d: %s", data.ServerID.ValueInt64(), err),
		)
		return
	}

	// Parse the response for the new password.
	if rawResp != nil {
		var passResp client.PasswordResetResponse
		if jsonErr := json.Unmarshal(rawResp, &passResp); jsonErr == nil && passResp.Data.Password != "" {
			data.Password = types.StringValue(passResp.Data.Password)
		} else {
			data.Password = types.StringValue("")
		}
	} else {
		data.Password = types.StringValue("")
	}

	data.ID = types.StringValue(fmt.Sprintf("%d-%d", data.ServerID.ValueInt64(), time.Now().UnixNano()))

	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
}

func (r *ServerPasswordResetResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
	var data ServerPasswordResetResourceModel
	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
	if resp.Diagnostics.HasError() {
		return
	}

	// Return stored state as-is for trigger-style resources.
	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
}

func (r *ServerPasswordResetResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
	var data ServerPasswordResetResourceModel
	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
	if resp.Diagnostics.HasError() {
		return
	}

	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
}

func (r *ServerPasswordResetResource) Delete(_ context.Context, _ resource.DeleteRequest, _ *resource.DeleteResponse) {
	// No-op: password resets are not reversible. Removing from state only.
}

// ValidateConfig validates the resource configuration.
func (r *ServerPasswordResetResource) ValidateConfig(ctx context.Context, req resource.ValidateConfigRequest, resp *resource.ValidateConfigResponse) {
	var data ServerPasswordResetResourceModel
	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
	if resp.Diagnostics.HasError() {
		return
	}

	// Validate server_id is positive.
	if !data.ServerID.IsNull() && !data.ServerID.IsUnknown() && data.ServerID.ValueInt64() <= 0 {
		resp.Diagnostics.AddAttributeError(
			path.Root("server_id"),
			"Invalid Server ID",
			"server_id must be a positive integer.",
		)
	}

	// Validate user is one of the allowed values.
	if !data.User.IsNull() && !data.User.IsUnknown() {
		user := data.User.ValueString()
		if user != "root" && user != "Administrator" {
			resp.Diagnostics.AddAttributeError(
				path.Root("user"),
				"Invalid User",
				fmt.Sprintf("user must be either \"root\" or \"Administrator\". Got: %q", user),
			)
		}
	}
}