// Copyright 2016 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package logadmin

import (
	"context"
	"errors"
	"fmt"

	vkit "cloud.google.com/go/logging/apiv2"
	"google.golang.org/api/iterator"
	logpb "google.golang.org/genproto/googleapis/logging/v2"
	maskpb "google.golang.org/genproto/protobuf/field_mask"
)

// Sink describes a sink used to export log entries outside Cloud
// Logging. Incoming log entries matching a filter are exported to a
// destination (a Cloud Storage bucket, BigQuery dataset or Cloud Pub/Sub
// topic).
//
// For more information, see https://cloud.google.com/logging/docs/export/using_exported_logs.
// (The Sinks in this package are what the documentation refers to as "project sinks".)
type Sink struct {
	// ID is a client-assigned sink identifier. Example:
	// "my-severe-errors-to-pubsub".
	// Sink identifiers are limited to 1000 characters
	// and can include only the following characters: A-Z, a-z,
	// 0-9, and the special characters "_-.".
	ID string

	// Destination is the export destination. See
	// https://cloud.google.com/logging/docs/api/tasks/exporting-logs.
	// Examples: "storage.googleapis.com/a-bucket",
	// "bigquery.googleapis.com/projects/a-project-id/datasets/a-dataset".
	Destination string

	// Filter optionally specifies an advanced logs filter (see
	// https://cloud.google.com/logging/docs/view/advanced_filters) that
	// defines the log entries to be exported. Example: "logName:syslog AND
	// severity>=ERROR". If omitted, all entries are returned.
	Filter string

	// WriterIdentity must be a service account name. When exporting logs, Logging
	// adopts this identity for authorization. The export destination's owner must
	// give this service account permission to write to the export destination.
	WriterIdentity string

	// IncludeChildren, when set to true, allows the sink to export log entries from
	// the organization or folder, plus (recursively) from any contained folders, billing
	// accounts, or projects. IncludeChildren is false by default. You can use the sink's
	// filter to choose log entries from specific projects, specific resource types, or
	// specific named logs.
	//
	// Caution: If you enable this feature, your aggregated export sink might export
	// a very large number of log entries. To avoid exporting too many log entries,
	// design your aggregated export sink filter carefully, as described on
	// https://cloud.google.com/logging/docs/export/aggregated_exports.
	IncludeChildren bool
}

// CreateSink creates a Sink. It returns an error if the Sink already exists.
// Requires AdminScope.
func (c *Client) CreateSink(ctx context.Context, sink *Sink) (*Sink, error) {
	return c.CreateSinkOpt(ctx, sink, SinkOptions{})
}

// CreateSinkOpt creates a Sink using the provided options. It returns an
// error if the Sink already exists. Requires AdminScope.
func (c *Client) CreateSinkOpt(ctx context.Context, sink *Sink, opts SinkOptions) (*Sink, error) {
	ls, err := c.sClient.CreateSink(ctx, &logpb.CreateSinkRequest{
		Parent:               c.parent,
		Sink:                 toLogSink(sink),
		UniqueWriterIdentity: opts.UniqueWriterIdentity,
	})
	if err != nil {
		return nil, err
	}
	return fromLogSink(ls), nil
}

// SinkOptions define options to be used when creating or updating a sink.
type SinkOptions struct {
	// Determines the kind of IAM identity returned as WriterIdentity in the new
	// sink. If this value is omitted or set to false, and if the sink's parent is a
	// project, then the value returned as WriterIdentity is the same group or
	// service account used by Cloud Logging before the addition of writer
	// identities to the API. The sink's destination must be in the same project as
	// the sink itself.
	//
	// If this field is set to true, or if the sink is owned by a non-project
	// resource such as an organization, then the value of WriterIdentity will
	// be a unique service account used only for exports from the new sink.
	UniqueWriterIdentity bool

	// These fields apply only to UpdateSinkOpt calls. The corresponding sink field
	// is updated if and only if the Update field is true.
	UpdateDestination     bool
	UpdateFilter          bool
	UpdateIncludeChildren bool
}

// DeleteSink deletes a sink. The provided sinkID is the sink's identifier, such as
// "my-severe-errors-to-pubsub".
// Requires AdminScope.
func (c *Client) DeleteSink(ctx context.Context, sinkID string) error {
	return c.sClient.DeleteSink(ctx, &logpb.DeleteSinkRequest{
		SinkName: c.sinkPath(sinkID),
	})
}

// Sink gets a sink. The provided sinkID is the sink's identifier, such as
// "my-severe-errors-to-pubsub".
// Requires ReadScope or AdminScope.
func (c *Client) Sink(ctx context.Context, sinkID string) (*Sink, error) {
	ls, err := c.sClient.GetSink(ctx, &logpb.GetSinkRequest{
		SinkName: c.sinkPath(sinkID),
	})
	if err != nil {
		return nil, err
	}
	return fromLogSink(ls), nil
}

// UpdateSink updates an existing Sink. Requires AdminScope.
//
// WARNING: UpdateSink will always update the Destination, Filter and IncludeChildren
// fields of the sink, even if they have their zero values. Use UpdateSinkOpt
// for more control over which fields to update.
func (c *Client) UpdateSink(ctx context.Context, sink *Sink) (*Sink, error) {
	return c.UpdateSinkOpt(ctx, sink, SinkOptions{
		UpdateDestination:     true,
		UpdateFilter:          true,
		UpdateIncludeChildren: true,
	})
}

// UpdateSinkOpt updates an existing Sink, using the provided options. Requires AdminScope.
//
// To change a sink's writer identity to a service account unique to the sink, set
// opts.UniqueWriterIdentity to true. It is not possible to change a sink's writer identity
// from a unique service account to a non-unique writer identity.
func (c *Client) UpdateSinkOpt(ctx context.Context, sink *Sink, opts SinkOptions) (*Sink, error) {
	mask := &maskpb.FieldMask{}
	if opts.UpdateDestination {
		mask.Paths = append(mask.Paths, "destination")
	}
	if opts.UpdateFilter {
		mask.Paths = append(mask.Paths, "filter")
	}
	if opts.UpdateIncludeChildren {
		mask.Paths = append(mask.Paths, "include_children")
	}
	if opts.UniqueWriterIdentity && len(mask.Paths) == 0 {
		// Hack: specify a deprecated, unchangeable field so that we have a non-empty
		// field mask. (An empty field mask would cause the destination, filter and include_children
		// fields to be changed.)
		mask.Paths = append(mask.Paths, "output_version_format")
	}
	if len(mask.Paths) == 0 {
		return nil, errors.New("logadmin: UpdateSinkOpt: nothing to update")
	}
	ls, err := c.sClient.UpdateSink(ctx, &logpb.UpdateSinkRequest{
		SinkName:             c.sinkPath(sink.ID),
		Sink:                 toLogSink(sink),
		UniqueWriterIdentity: opts.UniqueWriterIdentity,
		UpdateMask:           mask,
	})
	if err != nil {
		return nil, err
	}
	return fromLogSink(ls), err
}

func (c *Client) sinkPath(sinkID string) string {
	return fmt.Sprintf("%s/sinks/%s", c.parent, sinkID)
}

// Sinks returns a SinkIterator for iterating over all Sinks in the Client's project.
// Requires ReadScope or AdminScope.
func (c *Client) Sinks(ctx context.Context) *SinkIterator {
	it := &SinkIterator{
		it: c.sClient.ListSinks(ctx, &logpb.ListSinksRequest{Parent: c.parent}),
	}
	it.pageInfo, it.nextFunc = iterator.NewPageInfo(
		it.fetch,
		func() int { return len(it.items) },
		func() interface{} { b := it.items; it.items = nil; return b })
	return it
}

// A SinkIterator iterates over Sinks.
type SinkIterator struct {
	it       *vkit.LogSinkIterator
	pageInfo *iterator.PageInfo
	nextFunc func() error
	items    []*Sink
}

// PageInfo supports pagination. See the google.golang.org/api/iterator package for details.
func (it *SinkIterator) PageInfo() *iterator.PageInfo { return it.pageInfo }

// Next returns the next result. Its second return value is Done if there are
// no more results. Once Next returns Done, all subsequent calls will return
// Done.
func (it *SinkIterator) Next() (*Sink, error) {
	if err := it.nextFunc(); err != nil {
		return nil, err
	}
	item := it.items[0]
	it.items = it.items[1:]
	return item, nil
}

func (it *SinkIterator) fetch(pageSize int, pageToken string) (string, error) {
	return iterFetch(pageSize, pageToken, it.it.PageInfo(), func() error {
		item, err := it.it.Next()
		if err != nil {
			return err
		}
		it.items = append(it.items, fromLogSink(item))
		return nil
	})
}

func toLogSink(s *Sink) *logpb.LogSink {
	return &logpb.LogSink{
		Name:                s.ID,
		Destination:         s.Destination,
		Filter:              s.Filter,
		IncludeChildren:     s.IncludeChildren,
		OutputVersionFormat: logpb.LogSink_V2,
		// omit WriterIdentity because it is output-only.
	}
}

func fromLogSink(ls *logpb.LogSink) *Sink {
	return &Sink{
		ID:              ls.Name,
		Destination:     ls.Destination,
		Filter:          ls.Filter,
		WriterIdentity:  ls.WriterIdentity,
		IncludeChildren: ls.IncludeChildren,
	}
}