using System;
using System.Collections.Generic;
using System.Linq;
using Opc.Ua;
using Serilog;

namespace ZB.MOM.WW.OtOpcUa.Host.OpcUa
{
    /// <summary>
    ///     Maps configured security profile names to OPC UA <see cref="ServerSecurityPolicy" /> instances.
    /// </summary>
    public static class SecurityProfileResolver
    {
        private static readonly ILogger Log = Serilog.Log.ForContext(typeof(SecurityProfileResolver));

        private static readonly Dictionary<string, ServerSecurityPolicy> KnownProfiles =
            new(StringComparer.OrdinalIgnoreCase)
            {
                ["None"] = new ServerSecurityPolicy
                {
                    SecurityMode = MessageSecurityMode.None,
                    SecurityPolicyUri = SecurityPolicies.None
                },
                ["Basic256Sha256-Sign"] = new ServerSecurityPolicy
                {
                    SecurityMode = MessageSecurityMode.Sign,
                    SecurityPolicyUri = SecurityPolicies.Basic256Sha256
                },
                ["Basic256Sha256-SignAndEncrypt"] = new ServerSecurityPolicy
                {
                    SecurityMode = MessageSecurityMode.SignAndEncrypt,
                    SecurityPolicyUri = SecurityPolicies.Basic256Sha256
                },
                ["Aes128_Sha256_RsaOaep-Sign"] = new ServerSecurityPolicy
                {
                    SecurityMode = MessageSecurityMode.Sign,
                    SecurityPolicyUri = SecurityPolicies.Aes128_Sha256_RsaOaep
                },
                ["Aes128_Sha256_RsaOaep-SignAndEncrypt"] = new ServerSecurityPolicy
                {
                    SecurityMode = MessageSecurityMode.SignAndEncrypt,
                    SecurityPolicyUri = SecurityPolicies.Aes128_Sha256_RsaOaep
                },
                ["Aes256_Sha256_RsaPss-Sign"] = new ServerSecurityPolicy
                {
                    SecurityMode = MessageSecurityMode.Sign,
                    SecurityPolicyUri = SecurityPolicies.Aes256_Sha256_RsaPss
                },
                ["Aes256_Sha256_RsaPss-SignAndEncrypt"] = new ServerSecurityPolicy
                {
                    SecurityMode = MessageSecurityMode.SignAndEncrypt,
                    SecurityPolicyUri = SecurityPolicies.Aes256_Sha256_RsaPss
                }
            };

        /// <summary>
        ///     Gets the list of valid profile names for validation and documentation.
        /// </summary>
        public static IReadOnlyCollection<string> ValidProfileNames => KnownProfiles.Keys.ToList().AsReadOnly();

        /// <summary>
        ///     Resolves the configured profile names to <see cref="ServerSecurityPolicy" /> entries.
        ///     Unknown names are skipped with a warning. An empty or fully-invalid list falls back to <c>None</c>.
        /// </summary>
        /// <param name="profileNames">The profile names from configuration.</param>
        /// <returns>A deduplicated list of server security policies.</returns>
        public static List<ServerSecurityPolicy> Resolve(IReadOnlyCollection<string> profileNames)
        {
            var resolved = new List<ServerSecurityPolicy>();
            var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

            foreach (var name in profileNames ?? Array.Empty<string>())
            {
                if (string.IsNullOrWhiteSpace(name))
                    continue;

                var trimmed = name.Trim();

                if (!seen.Add(trimmed))
                {
                    Log.Debug("Skipping duplicate security profile: {Profile}", trimmed);
                    continue;
                }

                if (KnownProfiles.TryGetValue(trimmed, out var policy))
                    resolved.Add(policy);
                else
                    Log.Warning("Unknown security profile '{Profile}' — skipping. Valid profiles: {ValidProfiles}",
                        trimmed, string.Join(", ", KnownProfiles.Keys));
            }

            if (resolved.Count == 0)
            {
                Log.Warning("No valid security profiles configured — falling back to None");
                resolved.Add(KnownProfiles["None"]);
            }

            return resolved;
        }
    }
}