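import hashlib
import hmac
import json
from typing import Any

from fastapi import APIRouter, Depends, HTTPException, Request
from sqlalchemy import select
from sqlalchemy.orm import Session

from app.config import get_settings
from app.db.base import SessionLocal, get_db
from app.db.models import ChatSession, Message, ProjectBinding
from app.projects.service import ProjectService

router = APIRouter()


def _as_dict(value: Any) -> dict[str, Any]:
    """Return *value* if it is a dict, otherwise an empty dict."""
    return value if isinstance(value, dict) else {}


def _verify_gitea_signature(body: bytes, signature: str | None, secret: str) -> bool:
    """Check the HMAC-SHA256 signature of a webhook body.

    Args:
        body: Raw request body, exactly as received (the bytes that were signed).
        signature: Value of the signature header; an optional ``sha256=``
            prefix is stripped before comparison.
        secret: Shared webhook secret.

    Returns:
        True when the signature matches, or when no secret is configured.
    """
    if not secret:
        # SECURITY: fail-open. With an empty secret every request is accepted
        # unverified, so anyone who can reach this endpoint can submit push
        # events. Kept for backward compatibility; deployments should always
        # configure a secret.
        return True
    if not signature:
        return False

    signature = signature.removeprefix("sha256=")
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    # Compare as bytes: compare_digest() raises TypeError for str arguments
    # containing non-ASCII characters, which would turn a malformed header
    # from an unauthenticated client into an unhandled 500 instead of a 401.
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


def _post_close_notice(results: list[dict[str, Any]], owner: str, repo: str) -> None:
    """Write a "notice" message summarising push results into a chat session.

    The most recently updated ChatSession is used; if none exists, one titled
    "Git" is created. Does nothing when *results* is empty. Uses its own
    database session, which is always closed.
    """
    if not results:
        return

    db = SessionLocal()
    try:
        session = db.scalar(
            select(ChatSession).order_by(ChatSession.updated_at.desc()).limit(1)
        )
        if not session:
            session = ChatSession(title="Git")
            db.add(session)
            db.commit()
            db.refresh(session)

        # NOTE(review): the item values come from ProjectService.process_push
        # and are interpolated verbatim; if notice content is rendered as
        # Markdown/HTML, confirm it is escaped at render time.
        lines = [f"🔀 **Push** `{owner}/{repo}`"]
        for item in results:
            if "closed" in item:
                lines.append(f"- `{item.get('commit', '?')}`: закрыто {item['closed']}")
            elif "error" in item:
                lines.append(f"- ошибка: {item['error']}")

        db.add(Message(session_id=session.id, role="notice", content="\n".join(lines)))
        db.commit()
    finally:
        db.close()


@router.post("/webhooks/gitea")
async def gitea_webhook(request: Request, db: Session = Depends(get_db)) -> dict[str, Any]:
    """Handle a Gitea webhook delivery.

    The signature is verified over the raw body before the body is parsed.
    Only ``push`` events for a repository with a ProjectBinding are processed;
    everything else is acknowledged and skipped.

    Raises:
        HTTPException: 401 for a bad signature or payload secret, 400 for a
            body that is not a JSON object or lacks repository information.
    """
    body = await request.body()
    configured_secret = get_settings().gitea_webhook_secret

    signature = request.headers.get("X-Gitea-Signature")
    if not _verify_gitea_signature(body, signature, configured_secret):
        raise HTTPException(status_code=401, detail="Invalid webhook signature")

    # Malformed bodies are a client error, not a server fault. This matters
    # most when no secret is configured and the body is unauthenticated.
    try:
        payload = json.loads(body)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError
        raise HTTPException(status_code=400, detail="Invalid JSON payload") from None
    if not isinstance(payload, dict):
        raise HTTPException(status_code=400, detail="Invalid JSON payload")

    # Secret carried inside the payload. It is only checked when present, so
    # it is an extra check on top of the HMAC above, not a substitute for it.
    payload_secret = payload.get("secret")
    if payload_secret and configured_secret:
        matches = isinstance(payload_secret, str) and hmac.compare_digest(
            payload_secret.encode(), configured_secret.encode()
        )
        if not matches:
            raise HTTPException(status_code=401, detail="Invalid webhook secret")

    event = request.headers.get("X-Gitea-Event", "")
    if event != "push":
        return {"ok": True, "skipped": event}

    # Tolerate null or wrongly typed nested fields instead of raising
    # AttributeError on .get().
    repo = _as_dict(payload.get("repository"))
    owner = _as_dict(repo.get("owner")).get("login", "")
    repo_name = repo.get("name", "")
    if not owner or not repo_name:
        raise HTTPException(status_code=400, detail="Missing repository info")

    binding = db.scalar(
        select(ProjectBinding).where(
            ProjectBinding.gitea_owner == owner,
            ProjectBinding.gitea_repo == repo_name,
        )
    )
    if not binding:
        return {"ok": True, "skipped": "unknown repo"}

    commits = payload.get("commits") or []
    results = ProjectService(db).process_push(owner, repo_name, commits)
    _post_close_notice(results, owner, repo_name)
    return {"ok": True, "results": results}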