namespace Intuto.WebhookSignatureClient
{
    using System;
    using System.Collections.Generic;
    using System.Security.Cryptography;
    using System.Text;

    public class WebhookSignatureClient
    {
        /// <summary>
        /// Key: tenantId
        /// Value: WebhookSigningKey
        /// </summary>
        private readonly IDictionary<int, Guid> _webhookSigningKeyDict;

        public WebhookSignatureClient(Dictionary<int, Guid> signingKeys)
        {
            _webhookSigningKeyDict = signingKeys;
        }

        /// <summary>
        /// Hash Request Body using SHA256
        /// </summary>
        /// <returns>Base64 encoded string</returns>
        private static string ComputeContentHash(string content)
        {
            using (var sha256 = SHA256.Create())
            {
                var hashedBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(content));
                return Convert.ToBase64String(hashedBytes);
            }
        }

        /// <summary>
        /// Sign a Base64 Array with a given key using HMACSHA256
        /// </summary>
        /// <returns>Base64 encoded signed string</returns>
        private static string ComputeSignature(string stringToSign, Guid webhookSigningKey)
        {
            using (var cryptographer = new HMACSHA256(Encoding.UTF8.GetBytes(webhookSigningKey.ToString())))
            {
                var hashedBytes = cryptographer.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
                return Convert.ToBase64String(hashedBytes);
            }
        }

        /// <summary>
        /// Generate signature based on the request inputs
        /// </summary>
        private string GenerateRequestSignature
        (
            string method, 
            string path, 
            string date, 
            string json, 
            Guid webhookSigningKey
        )
        {
            var contentHash = ComputeContentHash(json);
            var stringToSign = $"METHOD:{method};HOST:{path};DATE:{date};HASH:{contentHash};";
            return ComputeSignature(stringToSign, webhookSigningKey);
        }

        /// <summary>
        /// Validate Intuto Webhook Request
        /// </summary>
        /// <param name="method">Request method (is always POST)</param>
        /// <param name="path">Request Path</param>
        /// <param name="date">Date header on the request</param>
        /// <param name="tenantId">x-intuto-tenant header on the request (or TenantId from the request body)</param>
        /// <param name="signature">x-intuto-signature header on the request</param>
        /// <param name="json">Raw JSON Request Body</param>
        public bool ValidateSignature
        (
            string method,
            string path,
            string date,
            int tenantId,
            string signature,
            string json
        )
        {
            // lookup stored signing key from storage based on tenantId
            var webhookSigningKey = _webhookSigningKeyDict[tenantId];
            
            // compute our signature
            var computedSignature = GenerateRequestSignature
            (
                method,
                path,
                date,
                json,
                webhookSigningKey
            );

            // check signatures match
            return signature.Equals(computedSignature);
        }
    }
}