vault.rs

use crate::commands::cesium::compute_g1v1_public_key;
use crate::entities::vault_account;
use crate::entities::vault_account::{AccountTreeNode, DbAccountId};
use crate::*;
use age::secrecy::Secret;
use comfy_table::{Cell, Table};
use sea_orm::ModelTrait;
use sea_orm::{ConnectionTrait, TransactionTrait};
use sp_core::crypto::AddressUri;
use std::cell::RefCell;
use std::io::{Read, Write};
use std::path::PathBuf;
use std::rc::Rc;

/// vault subcommands
#[derive(Clone, Debug, clap::Parser)]
pub enum Subcommand {
	/// List available SS58 Addresses in the vault
	#[clap(subcommand)]
	List(ListChoice),
	/// Use specific SS58 Address (changes the config Address)
	Use {
		#[clap(flatten)]
		address_or_vault_name: AddressOrVaultNameGroup,
	},
	/// Generate a mnemonic
	Generate,
	/// Import key from (substrate uri) or other format with interactive prompt
	#[clap(
		long_about = "Import key from (substrate uri) or other format with interactive prompt\n\
		\n\
		This will create a <Base> account in the vault for the provided/computed Substrate URI \n\
		and associated SS58 Address.\n\
		\n\
		If using default format (or specifically \"substrate\") a derivation path is supported\n\
		in the substrate uri value"
	)]
	Import {
		/// Secret key format (substrate, seed, cesium)
		#[clap(short = 'S', long, required = false, default_value = SecretFormat::Substrate)]
		secret_format: SecretFormat,
	},
	/// Add a derivation to an existing account
	#[clap(long_about = "Add a derivation to an existing account\n\
		\n\
		Only \"substrate\" and \"seed\" format are supported for derivations\n\
		\n\
		Use command `vault list base` to see available <Base> account and their format\n\
		And then use command 'vault list for' to find all accounts linked to that <Base> account")]
	#[clap(alias = "deriv")]
	#[clap(alias = "derivation")]
	Derive {
		#[clap(flatten)]
		address_or_vault_name: AddressOrVaultNameGroup,
	},
	/// Give a meaningful name to an SS58 Address in the vault
	Rename {
		/// SS58 Address
		address: AccountId,
	},
	/// Remove an SS58 Address from the vault together with it's linked derivations
	#[clap(long_about = "Remove an SS58 Address from the vault\n\
		\n\
		If a <Base> Address is given it will also remove the saved key")]
	Remove {
		#[clap(flatten)]
		address_or_vault_name: AddressOrVaultNameGroup,
	},
	/// (deprecated)List available key files (needs to be migrated with command `vault migrate` in order to use them)
	ListFiles,
	/// (deprecated)Migrate old key files into db (will have to provide password for each key)
	Migrate,
	/// Show where vault db (or old keys) is stored
	Where,
}

#[derive(Clone, Default, Debug, clap::Parser)]
pub enum ListChoice {
	/// List all <Base> accounts and their linked derivations SS58 Addresses in the vault
	#[default]
	All,
	/// List <Base> and Derivations SS58 Addresses linked to the selected one
	For {
		#[clap(flatten)]
		address_or_vault_name: AddressOrVaultNameGroup,
	},
	/// List all <Base> SS58 Addresses in the vault
	Base,
}

pub struct VaultDataToImport {
	secret_format: SecretFormat,
	secret_suri: String,
	key_pair: KeyPair,
}

// encrypt input with passphrase
pub fn encrypt(input: &[u8], passphrase: String) -> Result<Vec<u8>, age::EncryptError> {
	let encryptor = age::Encryptor::with_user_passphrase(Secret::new(passphrase));
	let mut encrypted = vec![];
	let mut writer = encryptor.wrap_output(age::armor::ArmoredWriter::wrap_output(
		&mut encrypted,
		age::armor::Format::AsciiArmor,
	)?)?;
	writer.write_all(input)?;
	writer.finish().and_then(|armor| armor.finish())?;
	Ok(encrypted)
}

// decrypt cypher with passphrase
pub fn decrypt(input: &[u8], passphrase: String) -> Result<Vec<u8>, age::DecryptError> {
	let age::Decryptor::Passphrase(decryptor) =
		age::Decryptor::new(age::armor::ArmoredReader::new(input))?
	else {
		unimplemented!()
	};
	let mut decrypted = vec![];
	let mut reader = decryptor.decrypt(&Secret::new(passphrase.to_owned()), None)?;
	reader.read_to_end(&mut decrypted)?;
	Ok(decrypted)
}

/// handle vault commands
pub async fn handle_command(data: Data, command: Subcommand) -> Result<(), GcliError> {
	let db = data.connect_db();

	// match subcommand
	match command {
		Subcommand::List(choice) => match choice {
			ListChoice::All => {
				let all_account_tree_node_hierarchies =
					vault_account::fetch_all_base_account_tree_node_hierarchies(db).await?;
				let table = compute_vault_accounts_table(&all_account_tree_node_hierarchies)?;

				println!("available SS58 Addresses:");
				println!("{table}");
			}
			ListChoice::Base => {
				let base_account_tree_nodes =
					vault_account::fetch_only_base_account_tree_nodes(db).await?;

				let table = compute_vault_accounts_table(&base_account_tree_nodes)?;

				println!("available <Base> SS58 Addresses:");
				println!("{table}");
			}
			ListChoice::For {
				address_or_vault_name,
			} => {
				let account = retrieve_vault_account(&data, address_or_vault_name).await?;

				let account_tree_node_hierarchy =
					vault_account::fetch_base_account_tree_node_hierarchy_unwrapped(
						db,
						&account.address.to_string(),
					)
					.await?;

				let table = compute_vault_accounts_table(&[account_tree_node_hierarchy])?;

				println!("available SS58 Addresses linked to {account}:");
				println!("{table}");
			}
		},
		Subcommand::ListFiles => {
			let vault_key_addresses = fetch_vault_key_addresses(&data).await?;

			let table = compute_vault_key_files_table(&vault_key_addresses).await?;

			println!("available key files (needs to be migrated with command `vault migrate` in order to use them):");
			println!("{table}");
		}
		Subcommand::Use {
			address_or_vault_name,
		} => {
			let account = retrieve_vault_account(&data, address_or_vault_name).await?;

			println!("Using: {}", account);

			let updated_cfg = conf::Config {
				address: Some(account.address.0),
				..data.cfg
			};

			//This updated configuration will be picked up with next GCli execution
			conf::save(&updated_cfg);
		}
		Subcommand::Generate => {
			// TODO allow custom word count
			let mnemonic = bip39::Mnemonic::generate(12).unwrap();
			println!("{mnemonic}");
		}
		Subcommand::Import { secret_format } => {
			let vault_data_for_import =
				prompt_secret_and_compute_vault_data_to_import(secret_format)?;

			//Extra check for SecretFormat::Cesium / G1v1Seed - showing the G1v1 cesium public key for confirmation
			if secret_format == SecretFormat::Cesium {
				println!(
					"The G1v1 public key for the provided secret is: '{}'",
					compute_g1v1_public_key(&vault_data_for_import.key_pair)?
				);
				let confirmed = inputs::confirm_action("Is it the correct one (if not, you should try again to input Cesium id/password) ?".to_string())?;
				if !confirmed {
					return Ok(());
				}
			}

			let address_to_import = vault_data_for_import.key_pair.address();

			println!("Trying to import for SS58 address :'{}'", address_to_import);

			if let Some(check_account) =
				vault_account::find_by_id(db, &DbAccountId::from(address_to_import)).await?
			{
				println!(
					"Vault entry already exists for that address: {}",
					check_account
				);

				let account_tree_node_hierarchy =
					vault_account::fetch_base_account_tree_node_hierarchy_unwrapped(
						db,
						&check_account.address.to_string(),
					)
					.await?;

				println!("Here are all the SS58 Addresses linked to it in the vault:");

				let table = compute_vault_accounts_table(&[account_tree_node_hierarchy])?;
				println!("{table}");

				return Ok(());
				//TODO For later, possibly allow to replace the entry
			}

			println!("Enter password to protect the key");
			let password = inputs::prompt_password_confirm()?;

			println!("(Optional) Enter a name for the vault entry");
			let name = inputs::prompt_vault_name()?;

			let txn = db.begin().await?;

			let _account = create_account_for_vault_data_to_import(
				&txn,
				&vault_data_for_import,
				&password,
				name.as_ref(),
			)
			.await?;

			txn.commit().await?;

			println!("Import done");
		}
		Subcommand::Derive {
			address_or_vault_name,
		} => {
			let account_tree_node_to_derive =
				retrieve_account_tree_node(&data, address_or_vault_name).await?;

			let account_to_derive = account_tree_node_to_derive.borrow().account.clone();

			let base_account_tree_node =
				vault_account::get_base_account_tree_node(&account_tree_node_to_derive);

			let base_account = &base_account_tree_node.borrow().account.clone();

			if base_account.crypto_scheme.is_none() {
				panic!("Crypto scheme is not set for the base account:{base_account} - should not happen");
			}

			if let Some(crypto_scheme) = base_account.crypto_scheme {
				if CryptoScheme::from(crypto_scheme) == CryptoScheme::Ed25519 {
					println!(
						"Only \"{}\" and \"{}\" format are supported for derivations",
						Into::<&str>::into(SecretFormat::Substrate),
						Into::<&str>::into(SecretFormat::Seed)
					);
					println!();
					println!(
                        "Use command `vault list base` to see available <Base> account and their format\n\
						And then use command 'vault list for' to find all accounts linked to that <Base> account"
                    );
					return Ok(());
				}
			}

			println!("Adding derivation to: {account_to_derive}");

			println!("Enter password to decrypt the <Base> account key");
			let password = inputs::prompt_password()?;

			let account_to_derive_secret_suri = vault_account::compute_suri_account_tree_node(
				&account_tree_node_to_derive,
				password,
			)?;

			let derivation_path = inputs::prompt_vault_derivation_path()?;

			let derivation_secret_suri =
				format!("{account_to_derive_secret_suri}{derivation_path}");

			let derivation_keypair =
				compute_keypair(CryptoScheme::Sr25519, &derivation_secret_suri)?;

			let derivation_address: String = derivation_keypair.address().to_string();

			let check_derivation =
				vault_account::find_by_id(db, &DbAccountId::from_str(&derivation_address)?).await?;

			//TODO For later, possibly allow to replace the entry
			if check_derivation.is_some() {
				println!("Derivation already exists for address:'{derivation_address}'");
				return Ok(());
			}

			println!("(Optional) Enter a name for the new derivation");
			let name = inputs::prompt_vault_name()?;

			let _derivation = vault_account::create_derivation_account(
				db,
				&derivation_address,
				name.as_ref(),
				&derivation_path,
				&account_to_derive.address.to_string(),
			)
			.await?;

			println!("Derive done");
		}
		Subcommand::Rename { address } => {
			let account =
				vault_account::find_by_id(db, &DbAccountId::from(address.clone())).await?;

			if account.is_none() {
				println!("No vault entry found for address:'{address}'");
				println!("You might want to import it first with 'vault import'");
				return Ok(());
			}

			let account = account.unwrap();

			println!(
				"Current name for address:'{address}' is {:?}",
				&account.name
			);

			println!("Enter new name for address (leave empty to remove the name)");
			let name = inputs::prompt_vault_name()?;

			let _account = vault_account::update_account_name(db, account, name.as_ref()).await?;

			println!("Rename done");
		}
		Subcommand::Remove {
			address_or_vault_name,
		} => {
			let account_tree_node_to_delete =
				retrieve_account_tree_node(&data, address_or_vault_name).await?;

			let txn = db.begin().await?;

			let account_to_delete = account_tree_node_to_delete.borrow().account.clone();
			let address_to_delete = account_tree_node_to_delete.borrow().account.address.clone();

			//If account to delete has children; also delete all linked derivations
			if !account_tree_node_to_delete.borrow().children.is_empty() {
				let table = compute_vault_accounts_table(&[account_tree_node_to_delete.clone()])?;

				println!("All addresses linked to: {account_to_delete}");
				println!("{table}");

				println!(
					"This {} account has {} addresses in total",
					account_to_delete.account_type(),
					vault_account::count_accounts_in_account_tree_node_and_children(
						&account_tree_node_to_delete
					)
				);

				let confirmation_message = if account_to_delete.is_base_account() {
					"Are you sure you want to delete it along with the saved key ?"
				} else {
					"Are you sure you want to delete it ?"
				};

				let confirmed = inputs::confirm_action(confirmation_message.to_string())?;

				if !confirmed {
					return Ok(());
				}

				for account_to_delete in
					vault_account::extract_accounts_depth_first_from_account_tree_node(
						&account_tree_node_to_delete,
					)? {
					let delete_result = account_to_delete.delete(&txn).await?;
					println!("Deleted {} address", delete_result.rows_affected);
				}
			} else {
				let delete_result = account_to_delete.delete(&txn).await?;
				println!("Deleted {} address", delete_result.rows_affected);
			}

			txn.commit().await?;

			println!("Done removing address:'{address_to_delete}'");
		}
		Subcommand::Migrate => {
			println!("Migrating existing key files to db");

			let vault_key_addresses = fetch_vault_key_addresses(&data).await?;

			let table = compute_vault_key_files_table(&vault_key_addresses).await?;
			println!("available key files to possibly migrate:");
			println!("{table}");

			for address in vault_key_addresses {
				//Check if we already have a vault_derivation for that address
				let existing_account =
					vault_account::find_by_id(db, &DbAccountId::from_str(&address)?).await?;

				if existing_account.is_some() {
					//Already migrated
					continue;
				}

				println!();
				println!("Trying to migrate key {address}");
				let vault_data_from_file = match try_fetch_vault_data_from_file(&data, &address) {
					Ok(Some(vault_data)) => vault_data,
					Ok(None) => {
						println!("No vault entry file found for address {address}");
						continue;
					}
					Err(e) => {
						println!("Error while fetching vault data for address {address}: {e}");
						println!("Continuing to next one");
						continue;
					}
				};

				let vault_data_to_import = VaultDataToImport {
					secret_format: vault_data_from_file.secret_format,
					secret_suri: vault_data_from_file.secret,
					key_pair: vault_data_from_file.key_pair,
				};

				let txn = db.begin().await?;

				let account = create_account_for_vault_data_to_import(
					&txn,
					&vault_data_to_import,
					&vault_data_from_file.password,
					None,
				)
				.await?;

				txn.commit().await?;
				println!("Import done: {}", account);
			}

			println!("Migration done");
		}
		Subcommand::Where => {
			println!("{}", data.project_dir.data_dir().to_str().unwrap());
		}
	};

	Ok(())
}

/// Method used to separate `name` part from optional `derivation` part in computed names
fn parse_prefix_and_derivation_path_from_string_for_vault_name(
	raw_string: String,
) -> Result<(String, Option<String>), GcliError> {
	if raw_string.contains("/") {
		raw_string
			.find("/")
			.map_or(Err(GcliError::Input("Invalid format".to_string())), |idx| {
				let (prefix, derivation_path) = raw_string.split_at(idx);
				Ok((prefix.to_string(), Some(derivation_path.to_string())))
			})
	} else {
		Ok((raw_string, None))
	}
}

/// Method that can be used to parse a Substrate URI (which can also be only a derivation path)
///
/// Does some internal verification (done by sp_core::address_uri::AddressUri)
///
/// It extracts the (optional) `phrase` and the (optional) recomposed full `derivation path`
///
/// It also checks if a derivation `password` was provided and returns an error if one was found
pub fn parse_prefix_and_derivation_path_from_suri(
	raw_string: String,
) -> Result<(Option<String>, Option<String>), GcliError> {
	let address_uri =
		AddressUri::parse(&raw_string).map_err(|e| GcliError::Input(e.to_string()))?;

	if let Some(pass) = address_uri.pass {
		return Err(GcliError::Input(format!(
			"Having a password in the derivation path is not supported (password:'{}')",
			pass
		)));
	}

	let full_path = if address_uri.paths.is_empty() {
		None
	} else {
		Some(
			address_uri
				.paths
				.iter()
				.map(|s| "/".to_string() + s)
				.collect::<Vec<_>>()
				.join(""),
		)
	};

	Ok((address_uri.phrase.map(|s| s.to_string()), full_path))
}

fn map_secret_format_to_crypto_scheme(secret_format: SecretFormat) -> CryptoScheme {
	match secret_format {
		SecretFormat::Seed => CryptoScheme::Sr25519,
		SecretFormat::Substrate => CryptoScheme::Sr25519,
		SecretFormat::Predefined => CryptoScheme::Sr25519,
		SecretFormat::Cesium => CryptoScheme::Ed25519,
	}
}

/// This method will scan files in the data directory and return the addresses of the vault keys found
async fn fetch_vault_key_addresses(data: &Data) -> Result<Vec<String>, GcliError> {
	let mut entries = std::fs::read_dir(data.project_dir.data_dir())?
		.map(|res| res.map(|e| e.path()))
		.collect::<Result<Vec<_>, std::io::Error>>()?;

	// To have consistent ordering
	entries.sort();

	let mut vault_key_addresses: Vec<String> = vec![];
	entries.iter().for_each(|dir_path| {
		let filename = dir_path.file_name().unwrap().to_str().unwrap();
		// To only keep the address part of the filename for names like "<ss58 address>-<secret_format>"
		let potential_address = filename.split("-").next().unwrap();
		// If potential_address is a valid AccountId
		if AccountId::from_str(potential_address).is_ok() {
			vault_key_addresses.push(potential_address.to_string());
		}
	});

	Ok(vault_key_addresses)
}

async fn compute_vault_key_files_table(vault_key_addresses: &[String]) -> Result<Table, GcliError> {
	let mut table = Table::new();
	table.load_preset(comfy_table::presets::UTF8_BORDERS_ONLY);
	table.set_header(vec!["Key file"]);

	vault_key_addresses.iter().for_each(|address| {
		table.add_row(vec![Cell::new(address)]);
	});

	Ok(table)
}

fn compute_vault_accounts_table(
	account_tree_nodes: &[Rc<RefCell<AccountTreeNode>>],
) -> Result<Table, GcliError> {
	let mut table = Table::new();
	table.load_preset(comfy_table::presets::UTF8_BORDERS_ONLY);
	table.set_header(vec!["SS58 Address", "Format", "Account/Path", "Name"]);

	for account_tree_node in account_tree_nodes {
		add_account_tree_node_to_table(&mut table, account_tree_node);
	}

	Ok(table)
}

fn add_account_tree_node_to_table(
	table: &mut Table,
	account_tree_node: &Rc<RefCell<AccountTreeNode>>,
) {
	let row = compute_vault_accounts_row(account_tree_node);
	table.add_row(row);

	for child in &account_tree_node.borrow().children {
		add_account_tree_node_to_table(table, child);
	}
}

pub fn compute_vault_accounts_row(account_tree_node: &Rc<RefCell<AccountTreeNode>>) -> Vec<Cell> {
	let empty_string = "".to_string();

	let depth_account_tree_node = vault_account::count_depth_account_tree_node(account_tree_node);

	let name = if let Some(name) = account_tree_node.borrow().account.name.clone() {
		name
	} else if let Some(computed_name) =
		vault_account::compute_name_account_tree_node(account_tree_node)
	{
		format!("<{}>", computed_name)
	} else {
		empty_string.clone()
	};

	let account_tree_node = account_tree_node.borrow();

	let address = if depth_account_tree_node > 0 {
		let ancestors = "│ ".repeat(depth_account_tree_node - 1);
		format!("{}├─{}", ancestors, account_tree_node.account.address)
	} else {
		account_tree_node.account.address.to_string()
	};

	let (path, format) = if let Some(path) = account_tree_node.account.path.clone() {
		(path, empty_string.clone())
	} else {
		let secret_format = match account_tree_node.account.crypto_scheme.unwrap().into() {
			CryptoScheme::Sr25519 => SecretFormat::Substrate,
			CryptoScheme::Ed25519 => SecretFormat::Cesium,
		};
		let secret_format_str: &str = secret_format.into();
		(
			format!("<{}>", account_tree_node.account.account_type()),
			secret_format_str.to_string(),
		)
	};

	vec![
		Cell::new(&address),
		Cell::new(format),
		Cell::new(&path),
		Cell::new(&name),
	]
}

pub async fn retrieve_address_string<T: AddressOrVaultName>(
	data: &Data,
	address_or_vault_name: T,
) -> Result<String, GcliError> {
	if let Some(address) = address_or_vault_name.address() {
		return Ok(address.to_string());
	}

	let account = retrieve_vault_account(data, address_or_vault_name).await?;

	Ok(account.address.to_string())
}

pub async fn retrieve_account_tree_node<T: AddressOrVaultName>(
	data: &Data,
	address_or_vault_name: T,
) -> Result<Rc<RefCell<AccountTreeNode>>, GcliError> {
	//FIXME Should do the inverse as we do potentially several times same operation
	let account = retrieve_vault_account(data, address_or_vault_name).await?;

	let account_tree_node = vault_account::fetch_base_account_tree_node_hierarchy_unwrapped(
		data.connect_db(),
		&account.address.to_string(),
	)
	.await?;

	Ok(vault_account::get_account_tree_node_for_address(
		&account_tree_node,
		&account.address.to_string(),
	))
}

pub async fn retrieve_vault_account<T: AddressOrVaultName>(
	data: &Data,
	address_or_vault_name: T,
) -> Result<vault_account::Model, GcliError> {
	let account = if let Some(name_input) = address_or_vault_name.name() {
		let (name, derivation_path_opt) =
			parse_prefix_and_derivation_path_from_string_for_vault_name(name_input.to_string())?;

		let account = vault_account::find_by_name(data.connect_db(), &name).await?;

		let account = account.ok_or(GcliError::Input(format!(
			"No account found with name:'{name}'"
		)))?;

		match derivation_path_opt {
			None => account,
			Some(path) => {
				let account_tree_node_hierarchy =
					vault_account::fetch_base_account_tree_node_hierarchy_unwrapped(
						data.connect_db(),
						&account.address.to_string(),
					)
					.await?;

				let account_tree_node_hierarchy = vault_account::get_account_tree_node_for_address(
					&account_tree_node_hierarchy,
					&account.address.to_string(),
				);

				let account_tree_node = vault_account::compute_name_map_for_account_tree_node(
					&account_tree_node_hierarchy,
				)?
				.get(name_input)
				.cloned()
				.ok_or(GcliError::Input(format!(
					"No account found with name:'{name}' and path:'{path}'"
				)))?;

				//Need this extra step to avoid borrowing issues
				let account = account_tree_node.borrow().account.clone();

				account
			}
		}
	} else if let Some(address) = address_or_vault_name.address() {
		let account =
			vault_account::find_by_id(data.connect_db(), &DbAccountId::from(address.clone()))
				.await?;

		account.ok_or(GcliError::Input(format!(
			"No vault entry found with Address:'{address}'"
		)))?
	} else {
		//Should never happen since clap enforces exactly one of the 2 options
		return Err(GcliError::Input("No address or name provided".to_string()));
	};
	Ok(account)
}

fn create_vault_data_to_import<F, P>(
	secret_format: SecretFormat,
	prompt_fn: F,
) -> Result<VaultDataToImport, GcliError>
where
	F: Fn() -> (String, P),
	P: Into<KeyPair>,
{
	let (secret, pair) = prompt_fn();
	let key_pair = pair.into();
	Ok(VaultDataToImport {
		secret_format,
		secret_suri: secret,
		key_pair,
	})
}

fn prompt_secret_and_compute_vault_data_to_import(
	secret_format: SecretFormat,
) -> Result<VaultDataToImport, GcliError> {
	match secret_format {
		SecretFormat::Substrate => {
			create_vault_data_to_import(secret_format, prompt_secret_substrate_and_compute_keypair)
		}
		SecretFormat::Seed => {
			create_vault_data_to_import(secret_format, prompt_seed_and_compute_keypair)
		}
		SecretFormat::Cesium => {
			create_vault_data_to_import(secret_format, prompt_secret_cesium_and_compute_keypair)
		}
		SecretFormat::Predefined => {
			create_vault_data_to_import(secret_format, prompt_predefined_and_compute_keypair)
		}
	}
}

/// Creates an account for the vault data to import
///
/// Does it all using "db" parameter that should better be a transaction since multiple operations can be done
pub async fn create_account_for_vault_data_to_import<C>(
	db: &C,
	vault_data: &VaultDataToImport,
	password: &str,
	name: Option<&String>,
) -> Result<vault_account::Model, GcliError>
where
	C: ConnectionTrait,
{
	let address_to_import = vault_data.key_pair.address().to_string();
	//To be safe
	if vault_account::find_by_id(db, &DbAccountId::from_str(&address_to_import)?)
		.await?
		.is_some()
	{
		//TODO Later possibly allow to replace the entry
		return Err(GcliError::Input(format!(
			"Vault entry already exists for address {}",
			&address_to_import
		)));
	}

	let secret_format = vault_data.secret_format;

	let encrypted_suri = encrypt(
		vault_data.secret_suri.clone().as_bytes(),
		password.to_string(),
	)
	.map_err(|e| anyhow!(e))?;

	let crypto_scheme = map_secret_format_to_crypto_scheme(secret_format);

	let base_account = vault_account::create_base_account(
		db,
		&address_to_import,
		name,
		crypto_scheme,
		encrypted_suri,
	)
	.await?;

	Ok(base_account)
}

fn get_vault_key_path(data: &Data, vault_filename: &str) -> PathBuf {
	data.project_dir.data_dir().join(vault_filename)
}

/// look for different possible paths for vault keys and return both format and path
fn find_substrate_vault_key_file(data: &Data, address: &str) -> Result<Option<PathBuf>, GcliError> {
	let path = get_vault_key_path(data, address);
	if path.exists() {
		return Ok(Some(path));
	}

	Ok(None)
}

/// try to get secret in keystore, prompt for the password and compute the keypair
pub async fn try_fetch_key_pair(
	data: &Data,
	address: AccountId,
) -> Result<Option<KeyPair>, GcliError> {
	if let Some(account_tree_node_hierarchy) =
		vault_account::fetch_base_account_tree_node_hierarchy(
			data.connect_db(),
			&address.to_string(),
		)
		.await?
	{
		let account_tree_node = vault_account::get_account_tree_node_for_address(
			&account_tree_node_hierarchy,
			&address.to_string(),
		);

		let password = inputs::prompt_password()?;
		let secret_suri =
			vault_account::compute_suri_account_tree_node(&account_tree_node, password)?;

		let base_account_tree_node = vault_account::get_base_account_tree_node(&account_tree_node);

		let base_account = &base_account_tree_node.borrow().account.clone();

		let key_pair = compute_keypair(base_account.crypto_scheme.unwrap().into(), &secret_suri)?;

		//To be safe
		if address != key_pair.address() {
			return Err(GcliError::Input(format!(
				"Computed address {} does not match the expected address {}",
				key_pair.address(),
				address
			)));
		}

		Ok(Some(key_pair))
	} else {
		Ok(None)
	}
}

pub fn compute_keypair(
	crypto_scheme: CryptoScheme,
	secret_suri: &str,
) -> Result<KeyPair, GcliError> {
	let key_pair = match crypto_scheme {
		CryptoScheme::Sr25519 => pair_from_sr25519_str(secret_suri)?.into(),
		CryptoScheme::Ed25519 => pair_from_ed25519_str(secret_suri)?.into(),
	};
	Ok(key_pair)
}

pub struct VaultDataFromFile {
	secret_format: SecretFormat,
	secret: String,
	#[allow(dead_code)]
	path: PathBuf,
	password: String,
	key_pair: KeyPair,
}

/// try to get secret in keystore, prompt for the password and compute the keypair
pub fn try_fetch_vault_data_from_file(
	data: &Data,
	address: &str,
) -> Result<Option<VaultDataFromFile>, GcliError> {
	if let Some(path) = find_substrate_vault_key_file(data, address)? {
		println!("Enter password to unlock account {address}");
		let password = inputs::prompt_password()?;
		let mut file = std::fs::OpenOptions::new().read(true).open(path.clone())?;
		let mut cypher = vec![];
		file.read_to_end(&mut cypher)?;
		let secret_vec =
			decrypt(&cypher, password.clone()).map_err(|e| GcliError::Input(e.to_string()))?;
		let secret = String::from_utf8(secret_vec).map_err(|e| anyhow!(e))?;

		let key_pair = pair_from_sr25519_str(&secret)?.into();

		Ok(Some(VaultDataFromFile {
			secret_format: SecretFormat::Substrate,
			secret,
			path,
			password,
			key_pair,
		}))
	} else {
		Ok(None)
	}
}

#[cfg(test)]
mod tests {
	use super::*;
	use rstest::rstest;

	/// test that armored encryption/decryption work as intended
	#[test]
	fn test_encrypt_decrypt() {
		let plaintext = b"Hello world!";
		let passphrase = "this is not a good passphrase".to_string();
		let encrypted = encrypt(plaintext, passphrase.clone()).unwrap();
		let decrypted = decrypt(&encrypted, passphrase).unwrap();
		assert_eq!(decrypted, plaintext);
	}

	#[rstest]
	#[case(
		String::from("bottom drive obey lake curtain smoke basket hold race lonely fit walk//0"),
		Some(String::from(
			"bottom drive obey lake curtain smoke basket hold race lonely fit walk"
		)),
		Some(String::from("//0"))
	)]
	#[case(
		String::from("0xfac7959dbfe72f052e5a0c3c8d6530f202b02fd8f9f5ca3580ec8deb7797479e//0"),
		Some(String::from("0xfac7959dbfe72f052e5a0c3c8d6530f202b02fd8f9f5ca3580ec8deb7797479e")),
		Some(String::from("//0"))
	)]
	#[case(
		String::from(
			"bottom drive obey lake curtain smoke basket hold race lonely fit walk//Alice"
		),
		Some(String::from(
			"bottom drive obey lake curtain smoke basket hold race lonely fit walk"
		)),
		Some(String::from("//Alice"))
	)]
	#[case(
        String::from(
            "bottom drive obey lake curtain smoke basket hold race lonely fit walk//Alice//Bob/soft1/soft2"
        ),
        Some(String::from("bottom drive obey lake curtain smoke basket hold race lonely fit walk")),
        Some(String::from("//Alice//Bob/soft1/soft2"))
    )]
	#[case(
		String::from("bottom drive obey lake curtain smoke basket hold race lonely fit walk"),
		Some(String::from(
			"bottom drive obey lake curtain smoke basket hold race lonely fit walk"
		)),
		None
	)]
	#[case(
		String::from("0xfac7959dbfe72f052e5a0c3c8d6530f202b02fd8f9f5ca3580ec8deb7797479e"),
		Some(String::from("0xfac7959dbfe72f052e5a0c3c8d6530f202b02fd8f9f5ca3580ec8deb7797479e")),
		None
	)]
	#[case(
		String::from("fac7959dbfe72f052e5a0c3c8d6530f202b02fd8f9f5ca3580ec8deb7797479e"),
		Some(String::from("fac7959dbfe72f052e5a0c3c8d6530f202b02fd8f9f5ca3580ec8deb7797479e")),
		None
	)]
	#[case(
		String::from("someVaultName//Alice"),
		Some(String::from("someVaultName")),
		Some(String::from("//Alice"))
	)]
	#[case(
		String::from("someVaultName"),
		Some(String::from("someVaultName")),
		None
	)]
	fn test_parse_prefix_and_derivation_path_from_suri(
		#[case] raw_string: String,
		#[case] expected_prefix: Option<String>,
		#[case] expected_derivation_path: Option<String>,
	) {
		let (root_secret, derivation_path) =
			parse_prefix_and_derivation_path_from_suri(raw_string).unwrap();
		assert_eq!(expected_prefix, root_secret);