// Copyright 2019 Drone IO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package secret

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"

	"github.com/drone/drone-yaml/yaml"
	"github.com/drone/drone/core"
	"github.com/drone/drone/logger"
)

// Encrypted returns a new encrypted Secret controller.
func Encrypted() core.SecretService {
	return new(encrypted)
}

type encrypted struct {
}

func (c *encrypted) Find(ctx context.Context, in *core.SecretArgs) (*core.Secret, error) {
	logger := logger.FromContext(ctx).
		WithField("name", in.Name).
		WithField("kind", "secret")

	// lookup the named secret in the manifest. If the
	// secret does not exist, return a nil variable,
	// allowing the next secret controller in the chain
	// to be invoked.
	data, ok := getEncrypted(in.Conf, in.Name)
	if !ok {
		logger.Trace("secret: encrypted: no matching secret")
		return nil, nil
	}

	// if the build event is a pull request and the source
	// repository is a fork, the secret is not exposed to
	// the pipeline, for security reasons.
	if in.Repo.Private == false &&
		in.Build.Event == core.EventPullRequest &&
		in.Build.Fork != "" {
		logger.Trace("secret: encrypted: restricted from forks")
		return nil, nil
	}

	decoded, err := base64.StdEncoding.DecodeString(string(data))
	if err != nil {
		logger.WithError(err).Trace("secret: encrypted: cannot decode")
		return nil, err
	}

	decrypted, err := decrypt(decoded, []byte(in.Repo.Secret))
	if err != nil {
		logger.WithError(err).Trace("secret: encrypted: cannot decrypt")
		return nil, err
	}

	logger.Trace("secret: encrypted: found matching secret")

	return &core.Secret{
		Name: in.Name,
		Data: string(decrypted),
	}, nil
}

func getEncrypted(manifest *yaml.Manifest, match string) (data string, ok bool) {
	for _, resource := range manifest.Resources {
		secret, ok := resource.(*yaml.Secret)
		if !ok {
			continue
		}
		if secret.Name != match {
			continue
		}
		if secret.Data == "" {
			continue
		}
		return secret.Data, true
	}
	return
}

func decrypt(ciphertext []byte, key []byte) (plaintext []byte, err error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}

	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}

	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("malformed ciphertext")
	}

	return gcm.Open(nil,
		ciphertext[:gcm.NonceSize()],
		ciphertext[gcm.NonceSize():],
		nil,
	)
}