package storage

import (
	"context"
	"errors"
	"strings"

	"github.com/google/uuid"
	"github.com/jackc/pgx/v5"
	"github.com/jackc/pgx/v5/pgconn"
	"github.com/jackc/pgx/v5/pgxpool"

	"github.com/alchemistkay/guestguard/internal/domain"
)

// AllowlistRepo manages the per-event CIDR bypass list. Lookups happen
// before each fraud-engine call so they need to be cheap — the index on
// event_id keeps that O(log n) even on very busy events.
type AllowlistRepo struct {
	pool *pgxpool.Pool
}

func NewAllowlistRepo(db *DB) *AllowlistRepo {
	return &AllowlistRepo{pool: db.Pool}
}

// List returns every CIDR allowlisted for the event, newest first.
func (r *AllowlistRepo) List(ctx context.Context, eventID uuid.UUID) ([]domain.Allowlist, error) {
	rows, err := r.pool.Query(ctx, `
        SELECT event_id, ip_cidr::text, COALESCE(label, ''), created_by, created_at
        FROM event_allowlists
        WHERE event_id = $1
        ORDER BY created_at DESC
    `, eventID)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	out := []domain.Allowlist{}
	for rows.Next() {
		var a domain.Allowlist
		if err := rows.Scan(&a.EventID, &a.CIDR, &a.Label, &a.CreatedBy, &a.CreatedAt); err != nil {
			return nil, err
		}
		out = append(out, a)
	}
	return out, rows.Err()
}

type AddAllowlistParams struct {
	EventID   uuid.UUID
	CIDR      string // pre-validated; ParseAllowlistCIDR canonicalised it
	Label     string
	CreatedBy uuid.UUID
}

// Add inserts a row. A pre-existing (event_id, ip_cidr) returns
// ErrAllowlistExists so the API can render a friendly 409 instead of the
// raw Postgres unique-violation.
func (r *AllowlistRepo) Add(ctx context.Context, p AddAllowlistParams) (*domain.Allowlist, error) {
	const q = `
        INSERT INTO event_allowlists (event_id, ip_cidr, label, created_by)
        VALUES ($1, $2::inet, NULLIF($3, ''), $4)
        RETURNING event_id, ip_cidr::text, COALESCE(label, ''), created_by, created_at
    `
	var a domain.Allowlist
	err := r.pool.QueryRow(ctx, q, p.EventID, p.CIDR, p.Label, p.CreatedBy).Scan(
		&a.EventID, &a.CIDR, &a.Label, &a.CreatedBy, &a.CreatedAt,
	)
	if err != nil {
		var pgErr *pgconn.PgError
		if errors.As(err, &pgErr) && pgErr.Code == "23505" {
			return nil, ErrAllowlistExists
		}
		return nil, err
	}
	return &a, nil
}

// Remove deletes an allowlist entry. Returns ErrAllowlistNotFound if the
// (event, cidr) tuple doesn't exist.
func (r *AllowlistRepo) Remove(ctx context.Context, eventID uuid.UUID, cidr string) error {
	tag, err := r.pool.Exec(ctx,
		`DELETE FROM event_allowlists WHERE event_id = $1 AND ip_cidr = $2::inet`,
		eventID, strings.TrimSpace(cidr))
	if err != nil {
		return err
	}
	if tag.RowsAffected() == 0 {
		return domain.ErrAllowlistNotFound
	}
	return nil
}

// Matches reports whether the given IP falls inside any allowlisted CIDR
// for the event. Returns the matching label (if any) so the API can log
// "bypassed allowlist=Office Wi-Fi" instead of a bare boolean.
//
// We push the CIDR containment into Postgres via the inet `>>=` operator
// — much faster than streaming every row back to Go and matching there.
// One DB round-trip per access, indexed by event_id.
func (r *AllowlistRepo) Matches(ctx context.Context, eventID uuid.UUID, ip string) (bool, string, error) {
	if ip == "" {
		return false, "", nil
	}
	var label string
	err := r.pool.QueryRow(ctx, `
        SELECT COALESCE(label, '')
        FROM event_allowlists
        WHERE event_id = $1
          AND ip_cidr >>= $2::inet
        LIMIT 1
    `, eventID, ip).Scan(&label)
	if err != nil {
		if errors.Is(err, pgx.ErrNoRows) {
			return false, "", nil
		}
		// Invalid IP gets a Postgres error — treat as "doesn't match" so a
		// malformed forwarded IP doesn't blow up the access path.
		return false, "", nil
	}
	return true, label, nil
}

// --- thresholds ---

// GetThresholds returns the per-event fraud thresholds. Missing event
// surfaces as the global defaults — the caller normally has the event
// loaded already and doesn't need this method, but the fraud engine /
// access path can use it as a cheap lookup without re-loading the row.
func (r *EventRepo) GetThresholds(ctx context.Context, eventID uuid.UUID) (domain.FraudThresholds, error) {
	var th domain.FraudThresholds
	err := r.pool.QueryRow(ctx, `
        SELECT fraud_medium_threshold, fraud_high_threshold, fraud_block_threshold
        FROM events WHERE id = $1
    `, eventID).Scan(&th.Medium, &th.High, &th.Block)
	if err != nil {
		if errors.Is(err, pgx.ErrNoRows) {
			return domain.DefaultThresholds(), domain.ErrEventNotFound
		}
		return domain.DefaultThresholds(), err
	}
	return th, nil
}

// UpdateThresholds patches the trio. Validation lives in the handler
// (host-facing error messages), but we keep the SQL guard rail with the
// ordering check duplicated at the DB level — a misbehaving client should
// never be able to write nonsense.
func (r *EventRepo) UpdateThresholds(ctx context.Context, eventID uuid.UUID, th domain.FraudThresholds) error {
	if err := th.Valid(); err != nil {
		return err
	}
	tag, err := r.pool.Exec(ctx, `
        UPDATE events SET
            fraud_medium_threshold = $2,
            fraud_high_threshold   = $3,
            fraud_block_threshold  = $4,
            updated_at             = now()
        WHERE id = $1
    `, eventID, th.Medium, th.High, th.Block)
	if err != nil {
		return err
	}
	if tag.RowsAffected() == 0 {
		return domain.ErrEventNotFound
	}
	return nil
}

// --- feedback ---

type FeedbackRepo struct {
	pool *pgxpool.Pool
}

func NewFeedbackRepo(db *DB) *FeedbackRepo {
	return &FeedbackRepo{pool: db.Pool}
}

type RecordFeedbackParams struct {
	AccessLogID uuid.UUID
	Verdict     string // "legitimate" | "suspicious"
	MarkedBy    uuid.UUID
	Note        string
}

// Record upserts the verdict. Hosts sometimes change their mind ("oh,
// that was Aunty after all"); ON CONFLICT lets the second click win
// rather than 409-ing them.
func (r *FeedbackRepo) Record(ctx context.Context, p RecordFeedbackParams) (*domain.FraudFeedback, error) {
	const q = `
        INSERT INTO fraud_feedback (access_log_id, verdict, marked_by, note)
        VALUES ($1, $2, $3, NULLIF($4, ''))
        ON CONFLICT (access_log_id) DO UPDATE SET
            verdict   = EXCLUDED.verdict,
            marked_by = EXCLUDED.marked_by,
            note      = EXCLUDED.note,
            created_at = now()
        RETURNING access_log_id, verdict, marked_by, COALESCE(note, ''), created_at
    `
	var f domain.FraudFeedback
	err := r.pool.QueryRow(ctx, q, p.AccessLogID, p.Verdict, p.MarkedBy, p.Note).Scan(
		&f.AccessLogID, &f.Verdict, &f.MarkedBy, &f.Note, &f.CreatedAt,
	)
	if err != nil {
		return nil, err
	}
	return &f, nil
}

// ListForEvent returns every feedback row for access logs on the event,
// newest first. Powers the host's "I've reviewed these" filter on the
// Security tab and the future ML training pipeline.
func (r *FeedbackRepo) ListForEvent(ctx context.Context, eventID uuid.UUID) ([]domain.FraudFeedback, error) {
	rows, err := r.pool.Query(ctx, `
        SELECT f.access_log_id, f.verdict, f.marked_by, COALESCE(f.note, ''), f.created_at
        FROM fraud_feedback f
        JOIN access_logs a ON a.id = f.access_log_id
        JOIN guests g ON g.id = a.guest_id
        WHERE g.event_id = $1
        ORDER BY f.created_at DESC
    `, eventID)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	out := []domain.FraudFeedback{}
	for rows.Next() {
		var f domain.FraudFeedback
		if err := rows.Scan(&f.AccessLogID, &f.Verdict, &f.MarkedBy, &f.Note, &f.CreatedAt); err != nil {
			return nil, err
		}
		out = append(out, f)
	}
	return out, rows.Err()
}

// ErrAllowlistExists is the storage-layer signal for a duplicate insert.
// Exposed here (not in domain) because the API layer is what cares about
// the 409 mapping — domain just sees "already exists".
var ErrAllowlistExists = errors.New("allowlist entry already exists")