<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Casts\Attribute;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Crypt;

class BackupPolicy extends Model
{
    use HasFactory;

    protected $table = 'backup_policies';

    protected $fillable = [
        'name','enabled','schedule_cron',
        'include_db','include_maildirs','include_configs',
        'target_type','target_path',
        's3_bucket','s3_region','s3_endpoint','s3_key_enc','s3_secret_enc',
        'sftp_host','sftp_port','sftp_user','sftp_password_enc','sftp_privkey_enc','sftp_path',
        'webdav_url','webdav_user','webdav_password_enc',
        'retention_count','retention_days',
        'compression','encrypt','gpg_recipient','password_enc',
        'last_run_at','last_status','last_size_bytes','last_error',
    ];

    protected $casts = [
        'enabled'          => 'bool',
        'include_db'       => 'bool',
        'include_maildirs' => 'bool',
        'include_configs'  => 'bool',
        'encrypt'          => 'bool',
        'sftp_port'        => 'integer',
        'retention_count'  => 'integer',
        'retention_days'   => 'integer',
        'last_size_bytes'  => 'integer',
        'last_run_at'      => 'datetime',
    ];

    /* ---------- Beziehungen ---------- */
    public function jobs()
    {
        return $this->hasMany(BackupJob::class, 'policy_id');
    }

    public function excludes()
    {
        return $this->hasMany(BackupExclude::class, 'policy_id');
    }

    /* ---------- Scopes ---------- */
    public function scopeEnabled($q)   { return $q->where('enabled', true); }
    public function scopeLocal($q)     { return $q->where('target_type', 'local'); }
    public function scopeRemote($q)    { return $q->whereIn('target_type', ['s3','sftp','webdav']); }

    /* ---------- Secret-Accessors/Mutators (virtuelle Klartext-Attribute) ---------- */
    // S3 Access Key
    protected function s3Key(): Attribute
    {
        return Attribute::make(
            get: fn () => $this->decryptNullable($this->s3_key_enc),
            set: fn ($value) => ['s3_key_enc' => $this->encryptNullable($value)]
        );
    }

    // S3 Secret
    protected function s3Secret(): Attribute
    {
        return Attribute::make(
            get: fn () => $this->decryptNullable($this->s3_secret_enc),
            set: fn ($value) => ['s3_secret_enc' => $this->encryptNullable($value)]
        );
    }

    // SFTP Passwort
    protected function sftpPassword(): Attribute
    {
        return Attribute::make(
            get: fn () => $this->decryptNullable($this->sftp_password_enc),
            set: fn ($value) => ['sftp_password_enc' => $this->encryptNullable($value)]
        );
    }

    // SFTP Private Key (optional)
    protected function sftpPrivkey(): Attribute
    {
        return Attribute::make(
            get: fn () => $this->decryptNullable($this->sftp_privkey_enc),
            set: fn ($value) => ['sftp_privkey_enc' => $this->encryptNullable($value)]
        );
    }

    // WebDAV Passwort
    protected function webdavPassword(): Attribute
    {
        return Attribute::make(
            get: fn () => $this->decryptNullable($this->webdav_password_enc),
            set: fn ($value) => ['webdav_password_enc' => $this->encryptNullable($value)]
        );
    }

    // Generischer Archiv-Passphrase (falls ohne GPG)
    protected function password(): Attribute
    {
        return Attribute::make(
            get: fn () => $this->decryptNullable($this->password_enc),
            set: fn ($value) => ['password_enc' => $this->encryptNullable($value)]
        );
    }

    /* ---------- Helpers ---------- */
    protected function encryptNullable(?string $plain): ?string
    {
        if ($plain === null || $plain === '') return null;
        return Crypt::encryptString($plain);
    }

    protected function decryptNullable(?string $encrypted): ?string
    {
        if ($encrypted === null || $encrypted === '') return null;
        try { return Crypt::decryptString($encrypted); } catch (\Throwable) { return null; }
    }
}