// Copyright 2012-2026 The NATS Authors
// Licensed under the Apache License, Version 2.0 (the "License");

using System.Collections.Concurrent;
using System.Net.Security;
using System.Runtime.CompilerServices;
using System.Security.Authentication;
using System.Text;
using System.Linq;
using ZB.MOM.NatsNet.Server.Auth;
using ZB.MOM.NatsNet.Server.Internal;
using ZB.MOM.NatsNet.Server.Internal.DataStructures;

namespace ZB.MOM.NatsNet.Server;

public sealed partial class ClientConnection
{
    private static readonly TimeSpan FirstPingInterval = TimeSpan.FromSeconds(15);
    private static readonly TimeSpan FirstClientPingInterval = TimeSpan.FromSeconds(2);
    private const int MaxPerAccountCacheSize = 8192;
    private const string StaleErrProtoFormat = "-ERR '{0}'\r\n";
    private static readonly ConditionalWeakTable<object, ConcurrentDictionary<string, DateTime>> RateLimitCacheByServer = new();

    internal void WatchForStaleConnection(TimeSpan pingInterval, int pingMax)
    {
        if (pingInterval <= TimeSpan.Zero || pingMax < 0)
            return;

        var staleAfter = TimeSpan.FromTicks(pingInterval.Ticks * (pingMax + 1L));
        if (pingMax == 0 && staleAfter > TimeSpan.Zero)
            staleAfter = TimeSpan.FromTicks(Math.Max(1, pingInterval.Ticks / 2));
        if (staleAfter <= TimeSpan.Zero)
            return;

        ClearPingTimer();
        _pingTimer = new Timer(_ =>
        {
            lock (_mu)
            {
                if (IsClosed())
                    return;

                Debugf("Stale Client Connection - Closing");
                EnqueueProto(Encoding.ASCII.GetBytes(string.Format(StaleErrProtoFormat, "Stale Connection")));
            }
            CloseConnection(ClosedState.StaleConnection);
        }, null, staleAfter, Timeout.InfiniteTimeSpan);
    }

    internal void SwapAccountAfterReload()
    {
        string accountName;
        lock (_mu)
        {
            if (_account is null || Server is null)
                return;
            accountName = _account.Name;
        }

        if (Server is not NatsServer server)
            return;

        var (updated, _) = server.LookupAccount(accountName);
        if (updated is null)
            return;

        lock (_mu)
        {
            if (!ReferenceEquals(_account, updated))
                _account = updated;
        }
    }

    internal void ProcessSubsOnConfigReload(ISet<string>? accountsWithChangedStreamImports)
    {
        INatsAccount? acc;
        var checkPerms = false;
        var checkAcc = false;
        var retained = new List<Subscription>();
        var removed = new List<Subscription>();

        lock (_mu)
        {
            checkPerms = Perms is not null;
            checkAcc = _account is not null;
            acc = _account;
            if (!checkPerms && !checkAcc)
                return;

            if (checkAcc && acc is not null && accountsWithChangedStreamImports is not null &&
                !accountsWithChangedStreamImports.Contains(acc.Name))
            {
                checkAcc = false;
            }

            MPerms = null;
            foreach (var sub in Subs.Values)
            {
                var subject = Encoding.ASCII.GetString(sub.Subject);
                var canSub = CanSubscribe(subject);
                var canQSub = sub.Queue is { Length: > 0 } q && CanSubscribe(subject, Encoding.ASCII.GetString(q));

                if (!canSub && !canQSub)
                {
                    removed.Add(sub);
                }
                else if (checkAcc)
                {
                    retained.Add(sub);
                }
            }
        }

        if (checkAcc && acc is not null)
        {
            foreach (var sub in retained)
            {
                AddShadowSubscriptions(acc, sub);
            }
        }

        foreach (var sub in removed)
        {
            Unsubscribe(acc, sub, force: true, remove: true);
            var sid = sub.Sid is { Length: > 0 } s ? Encoding.ASCII.GetString(s) : string.Empty;
            SendErr($"Permissions Violation for Subscription to \"{Encoding.ASCII.GetString(sub.Subject)}\" (sid \"{sid}\")");
            Noticef("Removed sub \"{0}\" (sid \"{1}\") for \"{2}\" - not authorized",
                Encoding.ASCII.GetString(sub.Subject), sid, GetAuthUser());
        }
    }

    internal void Reconnect()
    {
        lock (_mu)
        {
            if (Flags.IsSet(ClientFlags.NoReconnect) || Server is null)
                return;
        }

        // Route/gateway/leaf reconnect orchestration is owned by server sessions.
    }

    internal (INatsAccount? Account, SubscriptionIndexResult? Result) GetAccAndResultFromCache()
    {
        var pa = ParseCtx.Pa;
        if (pa.Subject is null || pa.Subject.Length == 0)
            return (null, null);

        _in.PaCache ??= new Dictionary<string, PerAccountCache>(StringComparer.Ordinal);
        var cacheKeyBytes = pa.PaCache is { Length: > 0 } k ? k : pa.Subject;
        var cacheKey = Encoding.ASCII.GetString(cacheKeyBytes);

        if (_in.PaCache.TryGetValue(cacheKey, out var cached) &&
            cached.Acc is Account cachedAcc &&
            cached.Results is not null &&
            cachedAcc.Sublist is not null &&
            cached.GenId == (ulong)cachedAcc.Sublist.GenId())
        {
            return (cached.Acc, cached.Results);
        }

        INatsAccount? acc = null;
        if (Kind == ClientKind.Router && pa.Account is { Length: > 0 } && _account is not null)
        {
            acc = _account;
        }
        else if (Server is NatsServer server && pa.Account is { Length: > 0 } accountNameBytes)
        {
            var accountName = Encoding.ASCII.GetString(accountNameBytes);
            (acc, _) = server.LookupAccount(accountName);
        }

        if (acc is not Account concreteAcc || concreteAcc.Sublist is null)
            return (null, null);

        var result = concreteAcc.Sublist.MatchBytes(pa.Subject);
        if (_in.PaCache.Count >= MaxPerAccountCacheSize)
        {
            foreach (var key in _in.PaCache.Keys.ToArray())
            {
                _in.PaCache.Remove(key);
                if (_in.PaCache.Count < MaxPerAccountCacheSize)
                    break;
            }
        }

        _in.PaCache[cacheKey] = new PerAccountCache
        {
            Acc = concreteAcc,
            Results = result,
            GenId = (ulong)concreteAcc.Sublist.GenId(),
        };
        return (concreteAcc, result);
    }

    internal void PruneClosedSubFromPerAccountCache()
    {
        if (_in.PaCache is null || _in.PaCache.Count == 0)
            return;

        foreach (var key in _in.PaCache.Keys.ToArray())
        {
            var entry = _in.PaCache[key];
            var result = entry.Results;
            if (result is null)
            {
                _in.PaCache.Remove(key);
                continue;
            }

            var remove = result.PSubs.Any(static s => s.IsClosed());
            if (!remove)
            {
                foreach (var qsub in result.QSubs)
                {
                    if (qsub.Any(static s => s.IsClosed()))
                    {
                        remove = true;
                        break;
                    }
                }
            }

            if (remove)
                _in.PaCache.Remove(key);
        }
    }

    internal void AddServerAndClusterInfo(ClientInfo? ci)
    {
        if (ci is null)
            return;

        if (Server is NatsServer server)
        {
            ci.Server = Kind == ClientKind.Leaf ? ci.Server : server.Name();
            var cluster = server.CachedClusterName();
            if (!string.IsNullOrWhiteSpace(cluster))
                ci.Cluster = [cluster];
        }
    }

    internal ClientInfo? GetClientInfo(bool detailed)
    {
        if (Kind is not (ClientKind.Client or ClientKind.Leaf or ClientKind.JetStream or ClientKind.Account))
            return null;

        var ci = new ClientInfo();
        if (detailed)
            AddServerAndClusterInfo(ci);

        lock (_mu)
        {
            ci.Account = _account?.Name ?? string.Empty;
            ci.Rtt = Rtt;
            if (!detailed)
                return ci;

            ci.Start = Start == default ? string.Empty : Start.ToString("O");
            ci.Host = Host;
            ci.Id = Cid;
            ci.Name = Opts.Name;
            ci.User = GetRawAuthUser();
            ci.Lang = Opts.Lang;
            ci.Version = Opts.Version;
            ci.Jwt = Opts.Jwt;
            ci.NameTag = NameTag;
            ci.Kind = KindString();
            ci.ClientType = ClientTypeString();
        }

        return ci;
    }

    internal Exception? DoTLSServerHandshake(
        string typ,
        SslServerAuthenticationOptions tlsConfig,
        double timeout,
        PinnedCertSet? pinnedCerts)
    {
        var (_, err) = DoTLSHandshake(typ, solicit: false, null, tlsConfig, null, string.Empty, timeout, pinnedCerts);
        return err;
    }

    internal (bool resetTlsName, Exception? err) DoTLSClientHandshake(
        string typ,
        Uri? url,
        SslClientAuthenticationOptions tlsConfig,
        string tlsName,
        double timeout,
        PinnedCertSet? pinnedCerts)
    {
        return DoTLSHandshake(typ, solicit: true, url, null, tlsConfig, tlsName, timeout, pinnedCerts);
    }

    internal (bool resetTlsName, Exception? err) DoTLSHandshake(
        string typ,
        bool solicit,
        Uri? url,
        SslServerAuthenticationOptions? serverTlsConfig,
        SslClientAuthenticationOptions? clientTlsConfig,
        string tlsName,
        double timeout,
        PinnedCertSet? pinnedCerts)
    {
        if (_nc is null)
            return (false, ServerErrors.ErrConnectionClosed);

        var kind = Kind;
        var resetTlsName = false;
        Exception? err = null;
        SslStream? ssl = null;

        try
        {
            var baseStream = _nc;
            if (solicit)
            {
                Debugf("Starting TLS {0} client handshake", typ);
                var options = clientTlsConfig ?? new SslClientAuthenticationOptions();
                if (string.IsNullOrWhiteSpace(options.TargetHost))
                {
                    var host = url?.Host ?? string.Empty;
                    options.TargetHost = !string.IsNullOrWhiteSpace(tlsName) ? tlsName : host;
                }

                ssl = new SslStream(baseStream, leaveInnerStreamOpen: false);
                _nc = ssl;

                using var cts = timeout > 0
                    ? new CancellationTokenSource(TimeSpan.FromSeconds(timeout))
                    : new CancellationTokenSource();
                ssl.AuthenticateAsClientAsync(options, cts.Token).GetAwaiter().GetResult();
            }
            else
            {
                Debugf(kind == ClientKind.Client
                    ? "Starting TLS client connection handshake"
                    : "Starting TLS {0} server handshake", typ);
                ssl = new SslStream(baseStream, leaveInnerStreamOpen: false);
                _nc = ssl;

                using var cts = timeout > 0
                    ? new CancellationTokenSource(TimeSpan.FromSeconds(timeout))
                    : new CancellationTokenSource();
                ssl.AuthenticateAsServerAsync(serverTlsConfig ?? new SslServerAuthenticationOptions(), cts.Token)
                    .GetAwaiter()
                    .GetResult();
            }

            if (pinnedCerts is { Count: > 0 } && !MatchesPinnedCert(pinnedCerts))
                err = new InvalidOperationException("certificate not pinned");
        }
        catch (AuthenticationException authEx)
        {
            if (solicit && !string.IsNullOrWhiteSpace(tlsName) && url is not null &&
                string.Equals(url.Host, tlsName, StringComparison.OrdinalIgnoreCase))
            {
                resetTlsName = true;
            }
            err = authEx;
        }
        catch (OperationCanceledException)
        {
            err = new TimeoutException("TLS handshake timeout");
        }
        catch (Exception ex)
        {
            err = ex;
        }

        if (err is null)
        {
            lock (_mu)
            {
                Flags = Flags.Set(ClientFlags.HandshakeComplete);
                if (IsClosed())
                    return (false, ServerErrors.ErrConnectionClosed);
            }
            return (false, null);
        }

        if (kind == ClientKind.Client)
            Errorf("TLS handshake error: {0}", err.Message);
        else
            Errorf("TLS {0} handshake error: {1}", typ, err.Message);

        CloseConnection(ClosedState.TlsHandshakeError);
        return (resetTlsName, ServerErrors.ErrConnectionClosed);
    }

    internal static (HashSet<string> Allowed, Exception? Error) ConvertAllowedConnectionTypes(IEnumerable<string> cts)
    {
        var unknown = new List<string>();
        var allowed = new HashSet<string>(StringComparer.Ordinal);

        foreach (var value in cts)
        {
            var upper = value.ToUpperInvariant();
            if (AuthHandler.ConnectionTypes.IsKnown(upper))
            {
                allowed.Add(upper);
            }
            else
            {
                unknown.Add(upper);
            }
        }

        return unknown.Count == 0
            ? (allowed, null)
            : (allowed, new ArgumentException($"invalid connection types \"{string.Join(",", unknown)}\""));
    }

    internal void RateLimitErrorf(string format, params object?[] args)
    {
        if (Server is null)
            return;

        var statement = string.Format(format, args);
        if (!TryMarkRateLimited("ERR:" + statement))
            return;

        var suffix = FormatClientSuffix();
        if (!string.IsNullOrWhiteSpace(String()))
            Errorf("{0} - {1}{2}", String(), statement, suffix);
        else
            Errorf("{0}{1}", statement, suffix);
    }

    internal void RateLimitFormatWarnf(string format, params object?[] args)
    {
        if (Server is null)
            return;

        if (!TryMarkRateLimited("WARN_FMT:" + format))
            return;

        var statement = string.Format(format, args);
        var suffix = FormatClientSuffix();
        if (!string.IsNullOrWhiteSpace(String()))
            Warnf("{0} - {1}{2}", String(), statement, suffix);
        else
            Warnf("{0}{1}", statement, suffix);
    }

    internal void RateLimitWarnf(string format, params object?[] args)
    {
        if (Server is null)
            return;

        var statement = string.Format(format, args);
        if (!TryMarkRateLimited("WARN:" + statement))
            return;

        var suffix = FormatClientSuffix();
        if (!string.IsNullOrWhiteSpace(String()))
            Warnf("{0} - {1}{2}", String(), statement, suffix);
        else
            Warnf("{0}{1}", statement, suffix);
    }

    internal void RateLimitDebugf(string format, params object?[] args)
    {
        if (Server is null)
            return;

        var statement = string.Format(format, args);
        if (!TryMarkRateLimited("DBG:" + statement))
            return;

        var suffix = FormatClientSuffix();
        if (!string.IsNullOrWhiteSpace(String()))
            Debugf("{0} - {1}{2}", String(), statement, suffix);
        else
            Debugf("{0}{1}", statement, suffix);
    }

    internal void SetFirstPingTimer()
    {
        var opts = Server?.Options;
        if (opts is null)
            return;

        var d = opts.PingInterval;
        if (Kind == ClientKind.Router && opts.Cluster.PingInterval > TimeSpan.Zero)
            d = opts.Cluster.PingInterval;
        if (IsWebSocket() && opts.Websocket.PingInterval > TimeSpan.Zero)
            d = opts.Websocket.PingInterval;

        if (!opts.DisableShortFirstPing)
        {
            if (Kind != ClientKind.Client)
            {
                if (d > FirstPingInterval)
                    d = FirstPingInterval;
                d = AdjustPingInterval(Kind, d);
            }
            else if (d > FirstClientPingInterval)
            {
                d = FirstClientPingInterval;
            }
        }

        var addTicks = d.Ticks > 0 ? Random.Shared.NextInt64(Math.Max(1, d.Ticks / 5)) : 0L;
        d = d.Add(TimeSpan.FromTicks(addTicks));

        ClearPingTimer();
        _pingTimer = new Timer(_ => ProcessPingTimer(), null, d, Timeout.InfiniteTimeSpan);
    }

    private bool TryMarkRateLimited(string key)
    {
        var serverKey = (object?)Server ?? this;
        var cache = RateLimitCacheByServer.GetOrCreateValue(serverKey);
        return cache.TryAdd(key, DateTime.UtcNow);
    }
}