package tlsutil

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net"
	"time"

	"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
)

// TLSConfig returns a *tls.Config and a flag indicating whether to use TLS.
// If cfg.TLSMode is "none", returns (nil, false, nil) for plain HTTP.
// If cfg.TLSMode is "selfsigned" or "provided", returns a TLS config and true.
func TLSConfig(cfg config.Config) (*tls.Config, bool, error) {
	if cfg.TLSMode == "none" {
		return nil, false, nil
	}

	var cert tls.Certificate
	var err error

	if cfg.TLSCert != "" && cfg.TLSKey != "" {
		cert, err = tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
	} else {
		cert, err = selfSigned()
	}
	if err != nil {
		return nil, false, err
	}

	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}, true, nil
}

// selfSigned generates an in-memory ECDSA P-256 self-signed certificate
// valid for 10 years. The certificate is never written to disk.
func selfSigned() (tls.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}

	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}

	template := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:   "zddc-server",
			Organization: []string{"ZDDC"},
		},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.IPv6loopback},
		DNSNames:              []string{"localhost"},
	}

	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, err
	}

	privDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return tls.Certificate{}, err
	}

	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: privDER})

	return tls.X509KeyPair(certPEM, keyPEM)
}