// PoC to demonstrate use of TDX iApps with the TDX testbed
// most of the logic is gathered in this module to limit impacts on the project
import Docker from 'dockerode';
import { IExec } from 'iexec';
import { pushDockerImage } from '../execDocker/docker.js';
import { AbstractSigner } from 'ethers';
import { JsonRpcProvider } from 'ethers';
import { useExperimentalNetworks } from './featureFlags.js';

// TODO move this constant
export const WORKERPOOL_TDX = 'tdx-labs.pools.iexec.eth';

// TODO move this constant
export const IEXEC_TDX_WORKER_HEAP_SIZE = 6 * 1024 * 1024 * 1024; // iExec TDX worker memory limit (6 GiB)

// TODO move this logic
export function getIExecTdx({
  signer,
  name,
  rpcHostUrl,
}: {
  signer: AbstractSigner;
  name: string;
  rpcHostUrl: string;
}): IExec {
  if (name !== 'bellecour') {
    throw Error(`TDX is not supported on chain ${name}`);
  }
  return new IExec(
    {
      ethProvider: signer.connect(new JsonRpcProvider(rpcHostUrl)),
    },
    {
      smsURL: 'https://sms.labs.iex.ec',
      allowExperimentalNetworks: useExperimentalNetworks,
    }
  );
}

const docker = new Docker();
// TODO move this logic to docker.ts
async function tagDockerImage({
  image,
  repo,
  tag,
}: {
  image: string;
  repo: string;
  tag: string;
}) {
  const dockerImage = docker.getImage(image);
  await dockerImage.tag({
    repo,
    tag,
  });
  return `${repo}:${tag}`;
}
// TODO move this logic to docker.ts
function inspectImage(image: string) {
  const img = docker.getImage(image);
  return img.inspect();
}

function parseImagePath(dockerImagePath: string) {
  const dockerUserName = dockerImagePath.split('/')[0];
  const nameWithTag = dockerImagePath.split('/')[1];
  const imageName = nameWithTag.split(':')[0];
  const imageTag = nameWithTag.split(':')[1] || 'latest';
  return { dockerUserName, imageName, imageTag };
}

export const deployTdxApp = async ({
  iexec,
  image,
  dockerhubUsername,
  dockerhubAccessToken,
}: {
  iexec: IExec;
  image: string;
  dockerhubUsername: string;
  dockerhubAccessToken: string;
}) => {
  const { dockerUserName, imageName, imageTag } = parseImagePath(image);
  const repo = `${dockerUserName}/${imageName}`;
  const inspectResult = await inspectImage(image);

  const appEntrypoint = Array.isArray(inspectResult.Config.Entrypoint)
    ? inspectResult.Config.Entrypoint.join(' ')
    : inspectResult.Config.Entrypoint;

  const tdxImageShortId = inspectResult.Id.substring(7, 7 + 12); // extract 12 first chars after the leading "sha256:"
  const tdxImageTag = `${imageTag}-tdx-${tdxImageShortId}`; // add digest in tag to avoid replacing previous build
  const taggedImage = await tagDockerImage({ image, repo, tag: tdxImageTag });
  await pushDockerImage({
    tag: taggedImage,
    dockerhubUsername,
    dockerhubAccessToken,
  });
  const { address } = await iexec.app.deployApp({
    owner: await iexec.wallet.getAddress(),
    name: `EXPERIMENTAL TDX ${imageName}-${imageTag}`,
    type: 'DOCKER',
    multiaddr: taggedImage,
    checksum: `0x${inspectResult.RepoDigests[0].split('@sha256:')[1]}`,
    mrenclave: {
      // TODO: TDX mrenclave is not yet defined, using quick and dirty SCONE v5 shaped mrenclave workaround for the PoC
      framework: 'SCONE', // TODO TBD should be TDX
      version: 'v5', // TODO TBD
      entrypoint: appEntrypoint,
      heapSize: 1073741824, // TODO not needed for TDX, set to pass scone mrenclave validation
      fingerprint:
        '0ce518e5df689f59ffae43c38746d087fab60f409b7c959bfe4fc6c67bc179be', // TODO not needed for TDX, used keccak256("TDX-POC") to pass scone mrenclave validation
    },
  });
  return { tdxImage: taggedImage, appContractAddress: address };
};