package internal

import (
	"context"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"gitea.cdlsxd.cn/sdk/plugin/proto"
	"gitea.cdlsxd.cn/sdk/plugin/utils"
	"net/http"
	"net/url"
	"plugins/alipay_cpn/internal/po"
	"plugins/utils/request"
	"strings"
)

func req(config *Config, req *po.Param) (url.Values, error) {
	var strToBeSigned strings.Builder
	uv := url.Values{}
	kvRows := utils.SortStructJsonTag(req)
	for _, kv := range kvRows {
		if kv.Key == "sign" {
			continue
		}
		if kv.Value == "" {
			continue
		}
		uv.Set(kv.Key, kv.Value)
		strToBeSigned.WriteString(fmt.Sprintf("%s=%s&", kv.Key, kv.Value))
	}
	s := strings.TrimRight(strToBeSigned.String(), "&")
	sign, err := Sign(s, []byte(utils.NewPrivate().Build(config.Prk)))
	if err != nil {
		return nil, proto.ErrorSignFail(err.Error())
	}
	uv.Set("sign", sign)

	return uv, nil
}

func Post(ctx context.Context, uv url.Values) ([]byte, http.Header, error) {
	headers := map[string]string{
		"Content-Type": "application/x-www-form-urlencoded",
	}
	respBody, respHeader, err := request.Post(ctx, baseUri+"?"+uv.Encode(), nil, request.WithHeaders(headers))
	if err != nil {
		return nil, nil, proto.ErrorRequestFail(err.Error())
	}
	return respBody, respHeader, nil
}

func Sign(data string, privateKeyPEM []byte) (string, error) {
	block, _ := pem.Decode(privateKeyPEM)
	if block == nil {
		return "", proto.ErrorSignFail("failed to parse PEM block containing the private key")
	}

	privyKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", proto.ErrorSignFail(fmt.Sprintf("failed to parse DER encoded private key: %v", err))
	}

	hashed := sha256.Sum256([]byte(data))
	signature, err := rsa.SignPKCS1v15(rand.Reader, privyKey.(*rsa.PrivateKey), crypto.SHA256, hashed[:])
	if err != nil {
		return "", proto.ErrorSignFail(fmt.Sprintf("failed to sign:%v", err))
	}

	return base64.StdEncoding.EncodeToString(signature), nil
}

func Verify(n *po.Notify, publicKeyPEM string) (bool, error) {
	var strToBeSigned strings.Builder
	uv := url.Values{}
	kvRows := utils.SortStructJsonTag(n)
	for _, kv := range kvRows {
		if kv.Key == "sign" {
			continue
		}
		if kv.Key == "sign_type" {
			continue
		}
		if kv.Value == "" {
			continue
		}
		uv.Set(kv.Key, kv.Value)
		strToBeSigned.WriteString(fmt.Sprintf("%s=%s&", kv.Key, kv.Value))
	}
	s := strings.TrimRight(strToBeSigned.String(), "&")
	b, err := check(s, n.Sign, []byte(utils.NewPublic().Build(publicKeyPEM)))
	if err != nil {
		return false, proto.ErrorSignFail(err.Error())
	}

	return b, nil
}

func check(data, signature string, publicKeyPEM []byte) (bool, error) {
	block, _ := pem.Decode(publicKeyPEM)
	if block == nil {
		return false, fmt.Errorf("failed to parse DER encoded public key")
	}

	pubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("failed to parse DER encoded public key: %v", err)
	}

	rsaPubKey, ok := pubKey.(*rsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("failed to parse DER encoded public key: %v", err)
	}

	hashed := sha256.Sum256([]byte(data))
	sig, err := base64.StdEncoding.DecodeString(signature)
	if err != nil {
		return false, fmt.Errorf("failed to decode signature: %v", err)
	}

	err = rsa.VerifyPKCS1v15(rsaPubKey, crypto.SHA256, hashed[:], sig)
	if err != nil {
		fmt.Println("signature verification error:", err)
		return false, nil
	}

	return true, nil
}