use crate::app_config::AppConfig;
use crate::constants;
use crate::crypto::pki;
use crate::energy::energy_actor::EnergyActorAddr;
use crate::server::auth_middleware::AuthChecker;
use crate::server::devices_api::{mgmt_controller, utils_controller};
use crate::server::unsecure_server::*;
use crate::server::web_api::*;
use actix_cors::Cors;
use actix_identity::config::LogoutBehaviour;
use actix_identity::IdentityMiddleware;
use actix_remote_ip::RemoteIPConfig;
use actix_session::storage::CookieSessionStore;
use actix_session::SessionMiddleware;
use actix_web::cookie::{Key, SameSite};
use actix_web::middleware::Logger;
use actix_web::{web, App, HttpServer};
use openssl::ssl::{SslAcceptor, SslMethod};
use std::time::Duration;

/// Start unsecure (HTTP) server
pub async fn unsecure_server() -> anyhow::Result<()> {
    log::info!(
        "Unsecure server starting to listen on {} for {}",
        AppConfig::get().unsecure_listen_address,
        AppConfig::get().unsecure_origin()
    );
    HttpServer::new(|| {
        App::new()
            .wrap(Logger::default())
            .route(
                "/",
                web::get().to(unsecure_server_controller::unsecure_home),
            )
            .route(
                "/secure_origin",
                web::get().to(unsecure_server_controller::secure_origin),
            )
            .route(
                "/pki/{file}",
                web::get().to(unsecure_pki_controller::serve_pki_file),
            )
    })
    .bind(&AppConfig::get().unsecure_listen_address)?
    .run()
    .await?;

    Ok(())
}

/// Start secure (HTTPS) server
pub async fn secure_server(energy_actor: EnergyActorAddr) -> anyhow::Result<()> {
    let web_ca = pki::CertData::load_web_ca()?;
    let server_cert = pki::CertData::load_server()?;

    let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
    builder.set_private_key(&server_cert.key)?;
    builder.set_certificate(&server_cert.cert)?;
    builder.add_extra_chain_cert(web_ca.cert)?;

    log::info!(
        "Secure server starting to listen on {} for {}",
        AppConfig::get().listen_address,
        AppConfig::get().secure_origin()
    );
    HttpServer::new(move || {
        let session_mw = SessionMiddleware::builder(
            CookieSessionStore::default(),
            Key::from(AppConfig::get().secret().as_bytes()),
        )
        .cookie_name(constants::SESSION_COOKIE_NAME.to_string())
        .cookie_secure(AppConfig::get().cookie_secure)
        .cookie_same_site(SameSite::Strict)
        .cookie_domain(AppConfig::get().cookie_domain())
        .cookie_http_only(true)
        .build();

        let identity_middleware = IdentityMiddleware::builder()
            .logout_behaviour(LogoutBehaviour::PurgeSession)
            .visit_deadline(Some(Duration::from_secs(
                constants::MAX_INACTIVITY_DURATION,
            )))
            .login_deadline(Some(Duration::from_secs(constants::MAX_SESSION_DURATION)))
            .build();

        let mut cors = Cors::default()
            .allowed_origin(&AppConfig::get().secure_origin())
            .allowed_methods(vec!["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"])
            .allowed_header("X-Auth-Token")
            .allow_any_header()
            .supports_credentials()
            .max_age(3600);

        if cfg!(debug_assertions) {
            cors = cors.allow_any_origin();
        }

        App::new()
            .app_data(web::Data::new(energy_actor.clone()))
            .wrap(Logger::default())
            .wrap(AuthChecker)
            .wrap(identity_middleware)
            .wrap(session_mw)
            .wrap(cors)
            .app_data(web::Data::new(RemoteIPConfig {
                proxy: AppConfig::get().proxy_ip.clone(),
            }))
            .route("/", web::get().to(server_controller::secure_home))
            // Web API
            .route(
                "/web_api/server/config",
                web::get().to(server_controller::config),
            )
            .route(
                "/web_api/auth/password_auth",
                web::post().to(auth_controller::password_auth),
            )
            .route(
                "/web_api/auth/info",
                web::get().to(auth_controller::auth_info),
            )
            .route(
                "/web_api/auth/sign_out",
                web::get().to(auth_controller::sign_out),
            )
            .route(
                "/web_api/energy/curr_consumption",
                web::get().to(energy_controller::curr_consumption),
            )
            .route(
                "/web_api/energy/cached_consumption",
                web::get().to(energy_controller::cached_consumption),
            )
            .route(
                "/web_api/devices/list_pending",
                web::get().to(devices_controller::list_pending),
            )
            .route(
                "/web_api/devices/list_validated",
                web::get().to(devices_controller::list_validated),
            )
            .route(
                "/web_api/device/{id}",
                web::delete().to(devices_controller::delete_device),
            )
            // Devices API
            .route(
                "/devices_api/utils/time",
                web::get().to(utils_controller::curr_time),
            )
            .route(
                "/devices_api/mgmt/enroll",
                web::post().to(mgmt_controller::enroll),
            )
    })
    .bind_openssl(&AppConfig::get().listen_address, builder)?
    .run()
    .await?;

    Ok(())
}