package main

import (
	"context"
	"encoding/pem"
	"fmt"
	"time"

	"github.com/cloudflare/cfssl/config"
	"github.com/cloudflare/cfssl/csr"
	"github.com/cloudflare/cfssl/helpers"
	"github.com/cloudflare/cfssl/signer"
	"github.com/cloudflare/cfssl/signer/local"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
)

// crdbSigner returns a cfssl signer (CA) for a crdb cluster, by loading the CA
// cert/key from Kubernetes.
func (p *prodvider) crdbSigner(ctx context.Context, cluster string) (*local.Signer, error) {
	policy := &config.Signing{
		Profiles: map[string]*config.SigningProfile{
			"client": &config.SigningProfile{
				Usage:        []string{"signing", "key encipherment"},
				ExpiryString: "30d",
			},
		},
		Default: config.DefaultConfig(),
	}

	namespace := fmt.Sprintf("crdb-%s", cluster)

	secret, err := p.k8s.CoreV1().Secrets(namespace).Get(ctx, "cluster-ca", metav1.GetOptions{})
	if err != nil {
		return nil, fmt.Errorf("hspki secret get failed: %w", err)
	}

	parsedCa, err := helpers.ParseCertificatePEM(secret.Data["tls.crt"])
	if err != nil {
		return nil, fmt.Errorf("when parsing tls.crt: %w", err)
	}

	priv, err := helpers.ParsePrivateKeyPEMWithPassword(secret.Data["tls.key"], nil)
	if err != nil {
		return nil, fmt.Errorf("when parsing tls.key: %w", err)
	}

	return local.NewSigner(priv, parsedCa, signer.DefaultSigAlgo(priv), policy)
}

// crdbCreds returns a crdb certificate/key for an SSO useron a given cluster.
// The returned certificate is valid for connecting to crdb.
func (p *prodvider) crdbCreds(ctx context.Context, username, cluster string) (*pb.CockroachDBKeys_Cluster, error) {
	username = fmt.Sprintf("dev-%s", username)

	s, err := p.crdbSigner(ctx, cluster)
	if err != nil {
		return nil, fmt.Errorf("hspkiSigner: %w", err)
	}

	signerCert, _ := s.Certificate("", "")
	req := &csr.CertificateRequest{
		CN: username,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				O: "prodvider",
			},
		},
		Hosts: []string{username},
	}

	g := &csr.Generator{
		Validator: func(req *csr.CertificateRequest) error { return nil },
	}

	csrPEM, keyPEM, err := g.ProcessRequest(req)
	if err != nil {
		return nil, fmt.Errorf("when making CSR: %w", err)
	}

	signReq := signer.SignRequest{
		Hosts:    []string{username},
		Request:  string(csrPEM),
		Profile:  "client",
		NotAfter: time.Now().Add(9 * time.Hour),
	}

	certPEM, err := s.Sign(signReq)
	if err != nil {
		return nil, fmt.Errorf("when issuing certificate: %w", err)
	}

	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: signerCert.Raw})

	return &pb.CockroachDBKeys_Cluster{
		Name:     cluster,
		Ca:       caPEM,
		Cert:     certPEM,
		Key:      keyPEM,
		Username: username,
	}, nil
}