const { promisify } = require('util')
const crypto = require('crypto')

const ALGORITHM = 'aes-256-ctr'

const cryptoHkdf = promisify(crypto.hkdf)
const cryptoRandomBytes = promisify(crypto.randomBytes)

class AbstractAccessTokenScheme {
  constructor(cipherLabel, cipherPassword) {
    this.cipherLabel = cipherLabel
    this.cipherPassword = cipherPassword
  }

  /**
   * @param {Object} json
   * @return {Promise<string>}
   */
  async encryptJson(json) {
    throw new Error('encryptJson is not implemented')
  }

  /**
   * @param {string} encryptedJson
   * @return {Promise<Object>}
   */
  async decryptToJson(encryptedJson) {
    throw new Error('decryptToJson is not implemented')
  }
}

class AccessTokenSchemeWithGenericKeyFn extends AbstractAccessTokenScheme {
  /**
   * @param {Buffer} salt
   * @return {Promise<Buffer>}
   */
  async keyFn(salt) {
    throw new Error('keyFn is not implemented')
  }

  async encryptJson(json) {
    const plainText = JSON.stringify(json)

    const bytes = await cryptoRandomBytes(32)
    const salt = bytes.slice(0, 16)
    const iv = bytes.slice(16, 32)
    const key = await this.keyFn(salt)

    const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
    const cipherText =
      cipher.update(plainText, 'utf8', 'base64') + cipher.final('base64')

    return [
      this.cipherLabel,
      salt.toString('hex'),
      cipherText,
      iv.toString('hex'),
    ].join(':')
  }

  async decryptToJson(encryptedJson) {
    const [, salt, cipherText, iv] = encryptedJson.split(':', 4)
    const key = await this.keyFn(Buffer.from(salt, 'hex'))

    const decipher = crypto.createDecipheriv(
      ALGORITHM,
      key,
      Buffer.from(iv, 'hex')
    )
    const plainText =
      decipher.update(cipherText, 'base64', 'utf8') + decipher.final('utf8')
    try {
      return JSON.parse(plainText)
    } catch (e) {
      throw new Error('error decrypting token')
    }
  }
}

class AccessTokenSchemeV3 extends AccessTokenSchemeWithGenericKeyFn {
  async keyFn(salt) {
    const optionalInfo = ''
    return cryptoHkdf('sha512', this.cipherPassword, salt, optionalInfo, 32)
  }
}

class AccessTokenEncryptor {
  constructor(settings) {
    this.schemeByCipherLabel = new Map()
    for (const cipherLabel of Object.keys(settings.cipherPasswords)) {
      if (!cipherLabel) {
        throw new Error('cipherLabel cannot be empty')
      }
      if (cipherLabel.match(/:/)) {
        throw new Error(
          `cipherLabel must not contain a colon (:), got ${cipherLabel}`
        )
      }
      const [, version] = cipherLabel.split('-')
      if (!version) {
        throw new Error(
          `cipherLabel must contain version suffix (e.g. 2042.1-v42), got ${cipherLabel}`
        )
      }

      const cipherPassword = settings.cipherPasswords[cipherLabel]
      if (!cipherPassword) {
        throw new Error(`cipherPasswords['${cipherLabel}'] is missing`)
      }
      if (cipherPassword.length < 16) {
        throw new Error(`cipherPasswords['${cipherLabel}'] is too short`)
      }

      let scheme
      switch (version) {
        case 'v3':
          scheme = new AccessTokenSchemeV3(cipherLabel, cipherPassword)
          break
        default:
          throw new Error(`unknown version '${version}' for ${cipherLabel}`)
      }
      this.schemeByCipherLabel.set(cipherLabel, scheme)
    }

    this.defaultScheme = this.schemeByCipherLabel.get(settings.cipherLabel)
    if (!this.defaultScheme) {
      throw new Error(`unknown default cipherLabel ${settings.cipherLabel}`)
    }
  }

  encryptJson(json, callback) {
    this.defaultScheme.encryptJson(json).then(s => callback(null, s), callback)
  }

  decryptToJson(encryptedJson, callback) {
    const [label] = encryptedJson.split(':', 1)
    const scheme = this.schemeByCipherLabel.get(label)
    if (!scheme) {
      return callback(
        new Error('unknown access-token-encryptor label ' + label)
      )
    }
    scheme.decryptToJson(encryptedJson).then(o => callback(null, o), callback)
  }
}

module.exports = AccessTokenEncryptor