<?php

namespace App\Services\Integration;

use App\Models\AdminSite;
use App\Models\AdminRole;
use App\Models\AdminUser;
use App\Support\AdminPermissionInheritance;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;
use Illuminate\Support\Facades\DB;

final class IntegrationSiteService
{
    /** @var list<string> */
    private const SITE_ADMIN_PERMISSION_SLUGS = [
        'prd.agent.manage',
        'prd.agent.profile.manage',
        'prd.agent.user.manage',
        'prd.agent.role.manage',
        'prd.users.manage',
        'prd.tickets.view',
        'prd.report.view',
        'prd.settlement.agent.view',
        'prd.settlement.agent.manage',
    ];

    public function __construct(
        private readonly PartnerSiteConfigResolver $configResolver,
    ) {}

    /**
     * @param  array<string, mixed>  $data
     * @return array{site: AdminSite, secrets: array{sso_jwt_secret: string, wallet_api_key: string}, admin_user: AdminUser}
     */
    public function create(array $data): array
    {
        $secrets = $this->generateSecrets();

        ['site' => $site, 'admin_user' => $adminUser] = DB::transaction(function () use ($data, $secrets): array {
            /** @var array{username: string, nickname: string, password: string, email?: string|null} $adminAccount */
            $adminAccount = $data['admin_account'];

            $site = AdminSite::query()->create([
                'code' => (string) $data['code'],
                'name' => (string) $data['name'],
                'currency_code' => (string) ($data['currency_code'] ?? 'NPR'),
                'status' => (int) ($data['status'] ?? 1),
                'is_default' => false,
                'wallet_api_url' => $this->nullableTrim($data['wallet_api_url'] ?? null),
                'wallet_debit_path' => (string) ($data['wallet_debit_path'] ?? '/wallet/debit-for-lottery'),
                'wallet_credit_path' => (string) ($data['wallet_credit_path'] ?? '/wallet/credit-from-lottery'),
                'wallet_balance_path' => (string) ($data['wallet_balance_path'] ?? '/wallet/balance'),
                'wallet_timeout_seconds' => max(1, (int) ($data['wallet_timeout_seconds'] ?? 10)),
                'iframe_allowed_origins' => $data['iframe_allowed_origins'] ?? null,
                'lottery_h5_base_url' => $this->nullableTrim($data['lottery_h5_base_url'] ?? null),
                'notes' => $this->nullableTrim($data['notes'] ?? null),
                'sso_jwt_secret_encrypted' => encrypt($secrets['sso_jwt_secret']),
                'wallet_api_key_encrypted' => encrypt($secrets['wallet_api_key']),
            ]);

            $role = $this->createSiteAdminRole($site);
            $adminUser = $this->createSiteAdminUser($site, $role, $adminAccount);

            return [
                'site' => $site,
                'admin_user' => $adminUser,
            ];
        });

        $this->configResolver->forgetCache((string) $site->code);

        return [
            'site' => $site->fresh(),
            'secrets' => $secrets,
            'admin_user' => $adminUser->fresh(),
        ];
    }

    /**
     * @param  array<string, mixed>  $data
     */
    public function update(AdminSite $site, array $data): AdminSite
    {
        $site->fill([
            'name' => (string) $data['name'],
            'currency_code' => (string) ($data['currency_code'] ?? $site->currency_code),
            'status' => (int) ($data['status'] ?? $site->status),
            'wallet_api_url' => array_key_exists('wallet_api_url', $data)
                ? $this->nullableTrim($data['wallet_api_url'])
                : $site->wallet_api_url,
            'wallet_debit_path' => (string) ($data['wallet_debit_path'] ?? $site->wallet_debit_path),
            'wallet_credit_path' => (string) ($data['wallet_credit_path'] ?? $site->wallet_credit_path),
            'wallet_balance_path' => (string) ($data['wallet_balance_path'] ?? $site->wallet_balance_path),
            'wallet_timeout_seconds' => max(1, (int) ($data['wallet_timeout_seconds'] ?? $site->wallet_timeout_seconds)),
            'iframe_allowed_origins' => $data['iframe_allowed_origins'] ?? $site->iframe_allowed_origins,
            'lottery_h5_base_url' => array_key_exists('lottery_h5_base_url', $data)
                ? $this->nullableTrim($data['lottery_h5_base_url'])
                : $site->lottery_h5_base_url,
            'notes' => array_key_exists('notes', $data)
                ? $this->nullableTrim($data['notes'])
                : $site->notes,
        ]);
        $site->save();

        $this->configResolver->forgetCache((string) $site->code);

        return $site->fresh();
    }

    /**
     * @return array{site: AdminSite, secrets: array{sso_jwt_secret: string, wallet_api_key: string}}
     */
    public function rotateSecrets(AdminSite $site): array
    {
        $secrets = $this->generateSecrets();

        $site->forceFill([
            'sso_jwt_secret_encrypted' => encrypt($secrets['sso_jwt_secret']),
            'wallet_api_key_encrypted' => encrypt($secrets['wallet_api_key']),
        ])->save();

        $this->configResolver->forgetCache((string) $site->code);

        return ['site' => $site->fresh(), 'secrets' => $secrets];
    }

    /**
     * @return array{sso_jwt_secret: string, wallet_api_key: string}
     */
    private function generateSecrets(): array
    {
        return [
            'sso_jwt_secret' => Str::random(48),
            'wallet_api_key' => Str::random(40),
        ];
    }

    private function nullableTrim(mixed $value): ?string
    {
        if (! is_string($value)) {
            return null;
        }

        $trimmed = trim($value);

        return $trimmed === '' ? null : $trimmed;
    }

    private function createSiteAdminRole(AdminSite $site): AdminRole
    {
        $slug = sprintf('site_admin_%s', (string) $site->code);
        $role = AdminRole::query()->create([
            'slug' => $slug,
            'name' => sprintf('%s 站点后台管理员', (string) $site->name),
            'description' => sprintf('自动创建：站点 %s (%s) 后台管理账号专用角色', (string) $site->name, (string) $site->code),
            'status' => 1,
            'is_system' => true,
            'sort_order' => 900,
            'scope_type' => AdminRole::SCOPE_SYSTEM,
        ]);

        $role->syncLegacyPermissionSlugs(
            AdminPermissionInheritance::expand(self::SITE_ADMIN_PERMISSION_SLUGS),
        );

        return $role;
    }

    /**
     * @param  array{username: string, nickname: string, password: string, email?: string|null}  $adminAccount
     */
    private function createSiteAdminUser(AdminSite $site, AdminRole $role, array $adminAccount): AdminUser
    {
        $username = trim((string) ($adminAccount['username'] ?? ''));
        $nickname = trim((string) ($adminAccount['nickname'] ?? ''));
        $password = (string) ($adminAccount['password'] ?? '');
        $email = $this->nullableTrim($adminAccount['email'] ?? null);

        if ($username === '' || $nickname === '' || $password === '') {
            throw ValidationException::withMessages([
                'admin_account' => ['站点后台管理账号信息不完整。'],
            ]);
        }

        $user = AdminUser::query()->create([
            'username' => $username,
            'name' => $nickname,
            'email' => $email,
            'password' => $password,
            'status' => 0,
        ]);

        $user->syncSystemRoleSlugsForSite((int) $site->id, [(string) $role->slug]);

        return $user;
    }
}