<?php

namespace Aws\DSQL;

use Aws\Credentials\CredentialsInterface;
use Aws\Credentials\Credentials;
use Aws\Signature\SignatureV4;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Promise;
use Aws;

/**
 * Generates auth tokens to connect to DSQL database clusters.
 */
class AuthTokenGenerator
{
    private const DB_CONNECT = 'DbConnect';
    private const DB_CONNECT_ADMIN = 'DbConnectAdmin';
    private const SIGNING_NAME = 'dsql';
    private const DEFAULT_EXPIRATION_TIME_SECONDS = 900;

    /**
     * @var Credentials|callable
     */
    private $credentialProvider;

    /**
     * The constructor takes an instance of Credentials or a CredentialProvider
     *
     * @param Credentials|callable $creds
     */
    public function __construct(Credentials | callable $creds)
    {
        if ($creds instanceof CredentialsInterface) {
            $promise = new Promise\FulfilledPromise($creds);
            $this->credentialProvider = Aws\constantly($promise);
        } else {
            $this->credentialProvider = $creds;
        }
    }

    /**
     * @param string $endpoint
     * @param string $region
     * @param int $expiration
     *
     * @return string
     */
    public function generateDbConnectAuthToken(
        string $endpoint,
        string $region,
        int $expiration = self::DEFAULT_EXPIRATION_TIME_SECONDS
    ): string
    {
        return $this->createToken($endpoint, $region, self::DB_CONNECT, $expiration);
    }

    /**
     * @param string $endpoint
     * @param string $region
     * @param int $expiration
     *
     * @return string
     */
    public function generateDbConnectAdminAuthToken(
        string $endpoint,
        string $region,
        int $expiration = self::DEFAULT_EXPIRATION_TIME_SECONDS
    ): string
    {
        return $this->createToken($endpoint, $region, self::DB_CONNECT_ADMIN, $expiration);
    }

    /**
     * Creates token for database connection
     *
     * @param string $endpoint The database hostname
     * @param string $region The region where the database is located
     * @param string $action Db action to perform
     * @param int $expiration The expiration of the token in seconds
     *
     * @return string Generated token
     */
    private function createToken(
        string $endpoint,
        string $region,
        string $action,
        int $expiration
    ): string
    {
        if ($expiration <= 0) {
            throw new \InvalidArgumentException(
                "Lifetime must be a positive number, was {$expiration}"
            );
        }

        if (empty($region)) {
            throw new \InvalidArgumentException('Region must be a non-empty string.');
        }

        if (empty($endpoint)) {
            throw new \InvalidArgumentException('Endpoint must be a non-empty string.');
        }

        $uri = new Uri($endpoint);
        if (empty($uri->getHost())) {
            $uri = $uri->withHost($endpoint);
        }
        $uri = $uri->withPath('/')->withQuery('Action=' . $action);

        $request = new Request('GET', $uri);
        $signer = new SignatureV4(self::SIGNING_NAME, $region);
        $provider = $this->credentialProvider;

        $url = (string) $signer->presign(
            $request,
            $provider()->wait(),
            '+' . $expiration . ' seconds'
        )->getUri();

        // Remove 2 extra slash from the presigned url result
        return substr($url, 2);
    }
}