// migrate-encrypt is a standalone CLI tool that encrypts existing uploaded files at rest.
//
// It walks the uploads directory, encrypts each unencrypted file, updates the
// corresponding database record, and removes the original plaintext file.
//
// Usage:
//
//	go run ./cmd/migrate-encrypt --dry-run    # Preview changes
//	go run ./cmd/migrate-encrypt              # Apply changes
package main

import (
	"flag"
	"os"
	"path/filepath"
	"time"

	"github.com/rs/zerolog"
	"github.com/rs/zerolog/log"
	"gorm.io/driver/postgres"
	"gorm.io/gorm"
	"gorm.io/gorm/logger"

	"github.com/treytartt/honeydue-api/internal/config"
	"github.com/treytartt/honeydue-api/internal/services"
)

// dbTable represents a table with a URL column that may reference uploaded files.
type dbTable struct {
	table  string
	column string
}

// tables lists all database tables and columns that store file URLs.
var tables = []dbTable{
	{table: "task_document", column: "file_url"},
	{table: "task_documentimage", column: "image_url"},
	{table: "task_taskcompletionimage", column: "image_url"},
}

func main() {
	dryRun := flag.Bool("dry-run", false, "Preview changes without modifying files or database")
	flag.Parse()

	log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339})

	cfg, err := config.Load()
	if err != nil {
		log.Fatal().Err(err).Msg("Failed to load config")
	}

	if cfg.Storage.EncryptionKey == "" {
		log.Fatal().Msg("STORAGE_ENCRYPTION_KEY is not set — cannot encrypt files")
	}

	encSvc, err := services.NewEncryptionService(cfg.Storage.EncryptionKey)
	if err != nil {
		log.Fatal().Err(err).Msg("Failed to create encryption service")
	}

	dsn := cfg.Database.DSN()
	db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{
		Logger: logger.Default.LogMode(logger.Silent),
	})
	if err != nil {
		log.Fatal().Err(err).Msg("Failed to connect to database")
	}

	uploadDir := cfg.Storage.UploadDir
	absUploadDir, err := filepath.Abs(uploadDir)
	if err != nil {
		log.Fatal().Err(err).Str("upload_dir", uploadDir).Msg("Failed to resolve upload directory")
	}

	log.Info().
		Bool("dry_run", *dryRun).
		Str("upload_dir", absUploadDir).
		Msg("Starting file encryption migration")

	var totalFiles, encrypted, skipped, errCount int

	// Walk the uploads directory
	err = filepath.Walk(absUploadDir, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			log.Warn().Err(walkErr).Str("path", path).Msg("Error accessing path")
			return nil
		}

		action := ClassifyFile(info.IsDir(), path, *dryRun)
		switch action {
		case ActionSkipDir:
			return nil
		case ActionSkipEncrypted:
			skipped++
			return nil
		}

		totalFiles++

		// Compute the relative path from upload dir
		relPath, err := ComputeRelPath(absUploadDir, path)
		if err != nil {
			log.Warn().Err(err).Str("path", path).Msg("Failed to compute relative path")
			errCount++
			return nil
		}

		if action == ActionDryRun {
			log.Info().Str("file", relPath).Msg("[DRY RUN] Would encrypt")
			return nil
		}

		// Process within a transaction
		txErr := db.Transaction(func(tx *gorm.DB) error {
			// Read plaintext file
			plaintext, readErr := os.ReadFile(path)
			if readErr != nil {
				return readErr
			}

			// Encrypt
			ciphertext, encErr := encSvc.Encrypt(plaintext)
			if encErr != nil {
				return encErr
			}

			// Write encrypted file
			encPath := path + ".enc"
			if writeErr := os.WriteFile(encPath, ciphertext, 0644); writeErr != nil {
				return writeErr
			}

			// Update database records that reference this file
			// The stored URL uses the BaseURL prefix + relative path
			// We need to match against the relative path portion
			for _, t := range tables {
				// Match URLs ending with the relative path (handles both /uploads/... and bare paths)
				result := tx.Table(t.table).
					Where(t.column+" LIKE ?", "%"+relPath).
					Where(t.column+" NOT LIKE ?", "%.enc").
					Update(t.column, gorm.Expr(t.column+" || '.enc'"))
				if result.Error != nil {
					// Roll back: remove the encrypted file
					os.Remove(encPath)
					return result.Error
				}
				if result.RowsAffected > 0 {
					log.Info().
						Str("table", t.table).
						Str("column", t.column).
						Int64("rows", result.RowsAffected).
						Str("file", relPath).
						Msg("Updated database records")
				}
			}

			// Remove the original plaintext file
			if removeErr := os.Remove(path); removeErr != nil {
				log.Warn().Err(removeErr).Str("path", path).Msg("Failed to remove original file (encrypted copy exists)")
			}

			return nil
		})

		if txErr != nil {
			log.Error().Err(txErr).Str("file", relPath).Msg("Failed to encrypt file")
			errCount++
		} else {
			encrypted++
			log.Info().Str("file", relPath).Msg("Encrypted successfully")
		}

		return nil
	})

	if err != nil {
		log.Fatal().Err(err).Msg("Failed to walk upload directory")
	}

	log.Info().
		Bool("dry_run", *dryRun).
		Int("total_files", totalFiles).
		Int("encrypted", encrypted).
		Int("skipped_already_enc", skipped).
		Int("errors", errCount).
		Msg("Encryption migration complete")
}