// Copyright (c) 2019-2026 Alexander Medvednikov. All rights reserved.
// Use of this source code is governed by an MIT license
// that can be found in the LICENSE file.
module s3

import os

// Credentials carries the authentication material plus endpoint and addressing
// preferences. It is intentionally kept small; defaults (region, endpoint, etc.)
// are derived only when the request is signed, never stored implicitly, so the
// same Credentials value can be reused across regions/endpoints.
//
// Field naming matches V conventions (snake_case). The `from_env` helper
// recognises several provider conventions — see `from_env`.
pub struct Credentials {
pub:
	access_key_id        string
	secret_access_key    string
	session_token        string
	region               string
	bucket               string
	endpoint             string // 'https://s3.fr-par.scw.cloud' or 'host:port' — host part is what gets signed
	virtual_hosted_style bool   // when true, '<bucket>.<endpoint-host>' addressing
	insecure_http        bool   // permit `http://` endpoints (false by default — never silently downgrades)
}

// Credentials.from_env reads credentials from environment variables, trying several
// provider conventions in order so the same code works against many hosts
// without reconfiguration. Each field is resolved independently; the first
// non-empty value wins.
//
// Lookup order per field:
//   key id     : S3_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID,
//                CELLAR_ADDON_KEY_ID, SCW_ACCESS_KEY,
//                B2_APPLICATION_KEY_ID, R2_ACCESS_KEY_ID, SPACES_KEY
//   secret     : S3_SECRET_ACCESS_KEY, AWS_SECRET_ACCESS_KEY,
//                CELLAR_ADDON_KEY_SECRET, SCW_SECRET_KEY,
//                B2_APPLICATION_KEY, R2_SECRET_ACCESS_KEY, SPACES_SECRET
//   session    : S3_SESSION_TOKEN, AWS_SESSION_TOKEN
//   region     : S3_REGION, AWS_REGION, AWS_DEFAULT_REGION, SCW_DEFAULT_REGION
//   bucket     : S3_BUCKET
//   endpoint   : S3_ENDPOINT, AWS_ENDPOINT, AWS_ENDPOINT_URL,
//                CELLAR_ADDON_HOST, B2_ENDPOINT, R2_ENDPOINT, SPACES_ENDPOINT
pub fn Credentials.from_env() Credentials {
	endpoint := env_first('S3_ENDPOINT', 'AWS_ENDPOINT', 'AWS_ENDPOINT_URL', 'CELLAR_ADDON_HOST',
		'B2_ENDPOINT', 'R2_ENDPOINT', 'SPACES_ENDPOINT')
	insecure := endpoint.starts_with('http://')
	return Credentials{
		access_key_id:        env_first('S3_ACCESS_KEY_ID', 'AWS_ACCESS_KEY_ID',
			'CELLAR_ADDON_KEY_ID', 'SCW_ACCESS_KEY', 'B2_APPLICATION_KEY_ID', 'R2_ACCESS_KEY_ID',
			'SPACES_KEY')
		secret_access_key:    env_first('S3_SECRET_ACCESS_KEY', 'AWS_SECRET_ACCESS_KEY',
			'CELLAR_ADDON_KEY_SECRET', 'SCW_SECRET_KEY', 'B2_APPLICATION_KEY',
			'R2_SECRET_ACCESS_KEY', 'SPACES_SECRET')
		session_token:        env_first('S3_SESSION_TOKEN', 'AWS_SESSION_TOKEN')
		region:               env_first('S3_REGION', 'AWS_REGION', 'AWS_DEFAULT_REGION',
			'SCW_DEFAULT_REGION')
		bucket:               env_first('S3_BUCKET')
		endpoint:             endpoint
		virtual_hosted_style: false
		insecure_http:        insecure
	}
}

// merge produces a copy of `c` with non-empty fields from `other` overriding.
// Useful when callers pass per-call overrides while keeping a default Client.
pub fn (c Credentials) merge(other Credentials) Credentials {
	return Credentials{
		access_key_id:        if other.access_key_id != '' {
			other.access_key_id
		} else {
			c.access_key_id
		}
		secret_access_key:    if other.secret_access_key != '' {
			other.secret_access_key
		} else {
			c.secret_access_key
		}
		session_token:        if other.session_token != '' {
			other.session_token
		} else {
			c.session_token
		}
		region:               if other.region != '' { other.region } else { c.region }
		bucket:               if other.bucket != '' { other.bucket } else { c.bucket }
		endpoint:             if other.endpoint != '' { other.endpoint } else { c.endpoint }
		virtual_hosted_style: c.virtual_hosted_style || other.virtual_hosted_style
		insecure_http:        c.insecure_http || other.insecure_http
	}
}

// resolved_region returns the region to use for signing. Order:
//   1. explicit `c.region`
//   2. parsed from `c.endpoint` when it follows the `s3.<region>.amazonaws.com` pattern
//   3. `'auto'` for Cloudflare R2
//   4. `'us-east-1'` (S3 historical default) when no endpoint is set
pub fn (c Credentials) resolved_region() string {
	if c.region != '' {
		return c.region
	}
	return guess_region(c.endpoint)
}

// validate ensures the credentials carry the minimum needed to sign a
// request. Also rejects credentials / region / bucket / endpoint values that
// contain CR or LF — those would let an attacker who controls *any* config
// field smuggle headers into the Authorization line.
pub fn (c Credentials) validate() ! {
	if c.access_key_id == '' || c.secret_access_key == '' {
		return new_error('MissingCredentials',
			"Missing S3 credentials. 'access_key_id' and 'secret_access_key' are required.")
	}
	for name, value in {
		'access_key_id':     c.access_key_id
		'secret_access_key': c.secret_access_key
		'session_token':     c.session_token
		'region':            c.region
		'bucket':            c.bucket
		'endpoint':          c.endpoint
	} {
		if contains_crlf(value) {
			return new_error('InvalidCredentials',
				'Credential field "${name}" contains CR or LF — refused (header-injection guard)')
		}
	}
}

// host_only returns the bare host[:port] from `c.endpoint`, stripping any
// scheme and trailing path. Returned value is what gets signed in the
// `host` header for SigV4.
pub fn (c Credentials) host_only() string {
	mut ep := c.endpoint
	if i := ep.index('://') {
		ep = ep[i + 3..]
	}
	if j := ep.index('/') {
		ep = ep[..j]
	}
	return ep
}

// extra_path returns the path component of `c.endpoint`, including any
// leading '/'. Useful for proxies that mount S3 under a sub-path.
pub fn (c Credentials) extra_path() string {
	mut ep := c.endpoint
	if i := ep.index('://') {
		ep = ep[i + 3..]
	}
	if j := ep.index('/') {
		return ep[j..]
	}
	return ''
}

// scheme returns 'http' or 'https' based on the endpoint's explicit scheme
// when present, falling back to `insecure_http`. So all three of these work:
//   endpoint: 'https://s3.example.com'   → https
//   endpoint: 's3.example.com'           → https (default)
//   endpoint: 'http://localhost:9000'    → http  (auto-detected)
//   endpoint: 'localhost:9000', insecure_http: true → http
pub fn (c Credentials) scheme() string {
	if c.endpoint.starts_with('http://') {
		return 'http'
	}
	if c.endpoint.starts_with('https://') {
		return 'https'
	}
	return if c.insecure_http { 'http' } else { 'https' }
}

// guess_region derives the SigV4 region from an endpoint URL. Public so it
// can be reused by the higher-level Client for log / inspect output.
pub fn guess_region(endpoint string) string {
	if endpoint == '' {
		return 'us-east-1'
	}
	if endpoint.ends_with('.r2.cloudflarestorage.com') {
		return 'auto'
	}
	if amz_end := endpoint.index('.amazonaws.com') {
		if s3_pos := endpoint.index('s3.') {
			start := s3_pos + 3
			if start < amz_end {
				return endpoint[start..amz_end]
			}
		}
		// AWS global endpoint (`s3.amazonaws.com`) and legacy forms
		// (`s3-external-1.amazonaws.com`) sign with `us-east-1`. SigV4
		// rejects `auto` against AWS, so fall back here instead.
		return 'us-east-1'
	}
	return 'auto'
}

// env_first returns the first non-empty env var among the names provided.
fn env_first(names ...string) string {
	for n in names {
		v := os.getenv(n)
		if v != '' {
			return v
		}
	}
	return ''
}