package policyreport

import (
	"encoding/json"
	"fmt"
	"reflect"
	"time"

	"github.com/go-logr/logr"
	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
	"github.com/kyverno/kyverno/pkg/config"
	"github.com/kyverno/kyverno/pkg/engine"
	"github.com/kyverno/kyverno/pkg/engine/response"
	"github.com/kyverno/kyverno/pkg/toggle"
	"github.com/kyverno/kyverno/pkg/version"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/types"
)

const (
	// appVersion represents which version of Kyverno manages rcr / crcr
	appVersion string = "app.kubernetes.io/version"

	// the following labels are used to list rcr / crcr
	ResourceLabelNamespace string = "kyverno.io/resource.namespace"
	policyLabel            string = "kyverno.io/policy-name"
	deletedLabelPolicy     string = "kyverno.io/delete.policy"
	deletedLabelRule       string = "kyverno.io/delete.rule"

	// the following annotations are used to remove entries from polr / cpolr
	// there would be a problem if use labels as the value could exceed 63 chars
	deletedAnnotationResourceName string = "kyverno.io/delete.resource.name"
	deletedAnnotationResourceKind string = "kyverno.io/delete.resource.kind"

	inactiveLabelKey string = "kyverno.io/report.status"
	inactiveLabelVal string = "inactive"

	// SourceValue is the static value for PolicyReportResult.Source
	SourceValue = "Kyverno"
)

func GeneratePolicyReportName(ns, policyName string) string {
	if ns == "" {
		if toggle.SplitPolicyReport() {
			return TrimmedName(clusterpolicyreport + "-" + policyName)
		}
		return clusterpolicyreport
	}

	var name string
	if toggle.SplitPolicyReport() {
		name = fmt.Sprintf("polr-ns-%s-%s", ns, policyName)
	} else {
		name = fmt.Sprintf("polr-ns-%s", ns)
	}
	if len(name) > 63 {
		return name[:63]
	}

	return name
}

func TrimmedName(s string) string {
	if len(s) > 63 {
		return s[:63]
	}
	return s
}

// GeneratePRsFromEngineResponse generate Violations from engine responses
func GeneratePRsFromEngineResponse(ers []*response.EngineResponse, log logr.Logger) (pvInfos []Info) {
	for _, er := range ers {
		// ignore creation of PV for resources that are yet to be assigned a name
		if er.PolicyResponse.Resource.Name == "" {
			log.V(4).Info("skipping resource with no name", "resource", er.PolicyResponse.Resource)
			continue
		}

		if len(er.PolicyResponse.Rules) == 0 {
			continue
		}

		if er.Policy != nil && engine.ManagedPodResource(er.Policy, er.PatchedResource) {
			continue
		}

		// build policy violation info
		pvInfos = append(pvInfos, buildPVInfo(er))
	}

	return pvInfos
}

// Builder builds report change request struct
// this is base type of namespaced and cluster policy report
type Builder interface {
	build(info Info) (*unstructured.Unstructured, error)
}

type requestBuilder struct {
	cpolLister kyvernov1listers.ClusterPolicyLister
	polLister  kyvernov1listers.PolicyLister
}

// NewBuilder ...
func NewBuilder(cpolLister kyvernov1listers.ClusterPolicyLister, polLister kyvernov1listers.PolicyLister) Builder {
	return &requestBuilder{cpolLister: cpolLister, polLister: polLister}
}

func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured, err error) {
	results := []policyreportv1alpha2.PolicyReportResult{}
	req = new(unstructured.Unstructured)
	for _, infoResult := range info.Results {
		for _, rule := range infoResult.Rules {
			if rule.Type != string(response.Validation) && rule.Type != string(response.ImageVerify) {
				continue
			}

			result := builder.buildRCRResult(info.PolicyName, infoResult.Resource, rule)
			results = append(results, result)
		}
	}

	if info.Namespace != "" {
		rr := &kyvernov1alpha2.ReportChangeRequest{
			Summary: calculateSummary(results),
			Results: results,
		}

		gv := policyreportv1alpha2.SchemeGroupVersion
		rr.SetGroupVersionKind(schema.GroupVersionKind{Group: gv.Group, Version: gv.Version, Kind: "ReportChangeRequest"})

		rawRcr, err := json.Marshal(rr)
		if err != nil {
			return nil, err
		}

		err = json.Unmarshal(rawRcr, req)
		if err != nil {
			return nil, err
		}

		set(req, info)
	} else {
		rr := &kyvernov1alpha2.ClusterReportChangeRequest{
			Summary: calculateSummary(results),
			Results: results,
		}

		gv := policyreportv1alpha2.SchemeGroupVersion
		rr.SetGroupVersionKind(schema.GroupVersionKind{Group: gv.Group, Version: gv.Version, Kind: "ClusterReportChangeRequest"})

		rawRcr, err := json.Marshal(rr)
		if err != nil {
			return nil, err
		}

		err = json.Unmarshal(rawRcr, req)
		if err != nil {
			return nil, err
		}

		set(req, info)
	}

	if !setRequestDeletionLabels(req, info) {
		if len(results) == 0 {
			// return nil on empty result without a deletion
			return nil, nil
		}
	}

	req.SetCreationTimestamp(metav1.Now())
	return req, nil
}

func (builder *requestBuilder) buildRCRResult(policy string, resource response.ResourceSpec, rule kyvernov1.ViolatedRule) policyreportv1alpha2.PolicyReportResult {
	av := builder.fetchAnnotationValues(policy, resource.Namespace)

	result := policyreportv1alpha2.PolicyReportResult{
		Policy: policy,
		Resources: []corev1.ObjectReference{
			{
				Kind:       resource.Kind,
				Namespace:  resource.Namespace,
				APIVersion: resource.APIVersion,
				Name:       resource.Name,
				UID:        types.UID(resource.UID),
			},
		},
		Scored:   av.scored,
		Category: av.category,
		Severity: av.severity,
	}

	result.Rule = rule.Name
	result.Message = rule.Message
	result.Result = policyreportv1alpha2.PolicyResult(rule.Status)
	if result.Result == "fail" && !av.scored {
		result.Result = "warn"
	}
	result.Source = SourceValue
	result.Timestamp = metav1.Timestamp{
		Seconds: time.Now().Unix(),
	}
	return result
}

func set(obj *unstructured.Unstructured, info Info) {
	obj.SetAPIVersion(kyvernov1alpha2.SchemeGroupVersion.Group + "/" + kyvernov1alpha2.SchemeGroupVersion.Version)

	if info.Namespace == "" {
		obj.SetGenerateName("crcr-")
		obj.SetKind("ClusterReportChangeRequest")
	} else {
		obj.SetGenerateName("rcr-")
		obj.SetKind("ReportChangeRequest")
		obj.SetNamespace(config.KyvernoNamespace())
	}

	obj.SetLabels(map[string]string{
		ResourceLabelNamespace: info.Namespace,
		policyLabel:            TrimmedName(info.PolicyName),
		appVersion:             version.BuildVersion,
	})
}

func setRequestDeletionLabels(req *unstructured.Unstructured, info Info) bool {
	switch {
	case isResourceDeletion(info):
		req.SetAnnotations(map[string]string{
			deletedAnnotationResourceName: info.Results[0].Resource.Name,
			deletedAnnotationResourceKind: info.Results[0].Resource.Kind,
		})

		labels := req.GetLabels()
		labels[ResourceLabelNamespace] = info.Results[0].Resource.Namespace
		req.SetLabels(labels)
		return true

	case isPolicyDeletion(info):
		req.SetKind("ReportChangeRequest")
		req.SetGenerateName("rcr-")

		labels := req.GetLabels()
		labels[deletedLabelPolicy] = info.PolicyName
		req.SetLabels(labels)
		return true

	case isRuleDeletion(info):
		req.SetKind("ReportChangeRequest")
		req.SetGenerateName("rcr-")

		labels := req.GetLabels()
		labels[deletedLabelPolicy] = info.PolicyName
		labels[deletedLabelRule] = info.Results[0].Rules[0].Name
		req.SetLabels(labels)
		return true
	}

	return false
}

func calculateSummary(results []policyreportv1alpha2.PolicyReportResult) (summary policyreportv1alpha2.PolicyReportSummary) {
	for _, res := range results {
		switch string(res.Result) {
		case policyreportv1alpha2.StatusPass:
			summary.Pass++
		case policyreportv1alpha2.StatusFail:
			summary.Fail++
		case policyreportv1alpha2.StatusWarn:
			summary.Warn++
		case policyreportv1alpha2.StatusError:
			summary.Error++
		case policyreportv1alpha2.StatusSkip:
			summary.Skip++
		}
	}
	return
}

func buildPVInfo(er *response.EngineResponse) Info {
	info := Info{
		PolicyName: er.PolicyResponse.Policy.Name,
		Namespace:  er.PatchedResource.GetNamespace(),
		Results: []EngineResponseResult{
			{
				Resource: er.GetResourceSpec(),
				Rules:    buildViolatedRules(er),
			},
		},
	}
	return info
}

func buildViolatedRules(er *response.EngineResponse) []kyvernov1.ViolatedRule {
	var violatedRules []kyvernov1.ViolatedRule
	for _, rule := range er.PolicyResponse.Rules {
		vrule := kyvernov1.ViolatedRule{
			Name:    rule.Name,
			Type:    string(rule.Type),
			Message: rule.Message,
		}

		vrule.Status = toPolicyResult(rule.Status)
		violatedRules = append(violatedRules, vrule)
	}

	return violatedRules
}

func toPolicyResult(status response.RuleStatus) string {
	switch status {
	case response.RuleStatusPass:
		return policyreportv1alpha2.StatusPass
	case response.RuleStatusFail:
		return policyreportv1alpha2.StatusFail
	case response.RuleStatusError:
		return policyreportv1alpha2.StatusError
	case response.RuleStatusWarn:
		return policyreportv1alpha2.StatusWarn
	case response.RuleStatusSkip:
		return policyreportv1alpha2.StatusSkip
	}

	return ""
}

const (
	categoryLabel string = "policies.kyverno.io/category"
	severityLabel string = "policies.kyverno.io/severity"
	ScoredLabel   string = "policies.kyverno.io/scored"
)

type annotationValues struct {
	category string
	severity policyreportv1alpha2.PolicySeverity
	scored   bool
}

func (av *annotationValues) setSeverityFromString(severity string) {
	switch severity {
	case policyreportv1alpha2.SeverityHigh:
		av.severity = policyreportv1alpha2.SeverityHigh
	case policyreportv1alpha2.SeverityMedium:
		av.severity = policyreportv1alpha2.SeverityMedium
	case policyreportv1alpha2.SeverityLow:
		av.severity = policyreportv1alpha2.SeverityLow
	}
}

func (builder *requestBuilder) fetchAnnotationValues(policy, ns string) annotationValues {
	av := annotationValues{}
	ann := builder.fetchAnnotations(policy, ns)

	if category, ok := ann[categoryLabel]; ok {
		av.category = category
	}
	if severity, ok := ann[severityLabel]; ok {
		av.setSeverityFromString(severity)
	}
	if scored, ok := ann[ScoredLabel]; ok {
		if scored == "false" {
			av.scored = false
		} else {
			av.scored = true
		}
	} else {
		av.scored = true
	}

	return av
}

func (builder *requestBuilder) fetchAnnotations(policy, ns string) map[string]string {
	cpol, err := builder.cpolLister.Get(policy)
	if err == nil {
		if ann := cpol.GetAnnotations(); ann != nil {
			return ann
		}
	}

	pol, err := builder.polLister.Policies(ns).Get(policy)
	if err == nil {
		if ann := pol.GetAnnotations(); ann != nil {
			return ann
		}
	}

	return make(map[string]string)
}

func isResourceDeletion(info Info) bool {
	return info.PolicyName == "" && len(info.Results) == 1 && info.GetRuleLength() == 0
}

func isPolicyDeletion(info Info) bool {
	return info.PolicyName != "" && len(info.Results) == 0
}

func isRuleDeletion(info Info) bool {
	if info.PolicyName != "" && len(info.Results) == 1 {
		result := info.Results[0]
		if len(result.Rules) == 1 && reflect.DeepEqual(result.Resource, response.ResourceSpec{}) {
			return true
		}
	}
	return false
}