# frozen_string_literal: true

module StatusPage
  class ProjectSetting < ApplicationRecord
    # AWS validations. See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25863#note_295772553
    AWS_BUCKET_NAME_REGEXP = /\A[a-z0-9][a-z0-9\-.]*\z/.freeze
    AWS_ACCESS_KEY_REGEXP  = /\A[A-Z0-9]{20}\z/.freeze
    AWS_SECRET_KEY_REGEXP  = /\A[A-Za-z0-9\/+=]{40}\z/.freeze

    self.table_name = 'status_page_settings'

    belongs_to :project

    attr_encrypted :aws_secret_key,
      mode:      :per_attribute_iv,
      algorithm: 'aes-256-gcm',
      key:       Settings.attr_encrypted_db_key_base_32

    before_validation :check_secret_changes

    validates :aws_s3_bucket_name,
              length: { minimum: 3, maximum: 63 },
              presence: true,
              format: { with: AWS_BUCKET_NAME_REGEXP }
    validates :aws_access_key,
              presence: true,
              format: { with: AWS_ACCESS_KEY_REGEXP }
    validates :aws_secret_key,
              presence: true,
              format: { with: AWS_SECRET_KEY_REGEXP }
    validates :project, :aws_region, :encrypted_aws_secret_key,
              presence: true
    validates :enabled, inclusion: { in: [true, false] }

    scope :enabled, -> { where(enabled: true) }

    def masked_aws_secret_key
      return if aws_secret_key.blank?

      '*' * 40
    end

    def enabled?
      super &&
        project&.feature_available?(:status_page) &&
        project&.beta_feature_available?(:status_page)
    end

    def storage_client
      return unless enabled?

      StatusPage::Storage::S3Client.new(
        region: aws_region,
        bucket_name: aws_s3_bucket_name,
        access_key_id: aws_access_key,
        secret_access_key: aws_secret_key
      )
    end

    private

    def check_secret_changes
      return unless masked_aws_secret_key == aws_secret_key

      restore_attributes [:aws_secret_key, :encrypted_aws_secret_key, :encrypted_aws_secret_key_iv]
    end
  end
end