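package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"time"

	"github.com/cloudflare/cfssl/csr"
	"github.com/cloudflare/cfssl/signer"
	"github.com/golang/glog"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
)

// Key parameters shared by every CSR this file generates (prodvider's own
// server key and the per-user Kubernetes client keys).
const (
	keyAlgo = "rsa"
	keyBits = 4096
)

// selfCreds bootstraps a server certificate for prodvider itself and returns
// the gRPC ServerOption that makes the server present it. Every failure is
// fatal (glog.Exitf): without its own certificate the service cannot serve.
func (p *prodvider) selfCreds() grpc.ServerOption {
	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)

	// Create a key and CSR.
	csrPEM, keyPEM, err := p.makeSelfCSR()
	if err != nil {
		glog.Exitf("Could not generate key and CSR for self: %v", err)
	}

	// Create a cert
	certPEM, err := p.makeSelfCertificate(csrPEM)
	if err != nil {
		glog.Exitf("Could not sign certificate for self: %v", err)
	}

	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		glog.Exitf("Could not use gRPC certificate: %v", err)
	}

	// Append the signer's (CA) certificate so clients receive the full chain.
	// The lookup error used to be discarded; a nil certificate here would
	// have panicked on .Raw instead of reporting the misconfiguration.
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		glog.Exitf("Could not load signer certificate: %v", err)
	}
	if signerCert == nil {
		glog.Exitf("Could not load signer certificate: signer has none")
	}
	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)

	return grpc.Creds(credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{serverCert},
		// A freshly bootstrapped gRPC endpoint has no legacy clients to
		// accommodate; do not rely on the library default for the floor.
		MinVersion: tls.VersionTLS12,
	}))
}

// signerName builds a csr.Name from the subject of the signer's CA
// certificate, taking the first value of each multi-valued component.
// Components the CA subject lacks are left empty rather than panicking on
// an out-of-range index, as the previous Subject.X[0] accesses did; cfssl
// drops empty name components when it assembles the subject.
func (p *prodvider) signerName() (csr.Name, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return csr.Name{}, fmt.Errorf("loading signer certificate: %v", err)
	}
	if signerCert == nil {
		return csr.Name{}, errors.New("signer has no certificate loaded")
	}
	subj := signerCert.Subject
	return csr.Name{
		C:  firstOrEmpty(subj.Country),
		ST: firstOrEmpty(subj.Province),
		L:  firstOrEmpty(subj.Locality),
		O:  firstOrEmpty(subj.Organization),
		OU: firstOrEmpty(subj.OrganizationalUnit),
	}, nil
}

// firstOrEmpty returns the first element of vals, or "" when vals is empty.
func firstOrEmpty(vals []string) string {
	if len(vals) == 0 {
		return ""
	}
	return vals[0]
}

// generateCSR creates a fresh RSA key and a CSR with the given CN and
// subject name. It returns (csrPEM, keyPEM, err), the order cfssl uses.
//
// The no-op Validator deliberately skips cfssl's request validation, as the
// original code did: the request is assembled here rather than parsed from
// a client, so there is nothing to validate beyond what the signer's profile
// enforces at signing time.
func generateCSR(cn string, name csr.Name) ([]byte, []byte, error) {
	req := &csr.CertificateRequest{
		CN: cn,
		KeyRequest: &csr.BasicKeyRequest{
			A: keyAlgo,
			S: keyBits,
		},
		Names: []csr.Name{name},
	}
	g := &csr.Generator{
		Validator: func(*csr.CertificateRequest) error { return nil },
	}
	return g.ProcessRequest(req)
}

// makeSelfCSR generates a key and CSR for prodvider's own server certificate.
// The CN is flagProdviderCN; the remaining subject components are copied from
// the signing CA's certificate. It returns (csrPEM, keyPEM, err).
func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
	name, err := p.signerName()
	if err != nil {
		return nil, nil, err
	}
	return generateCSR(flagProdviderCN, name)
}

// makeSelfCertificate has the signer issue a certificate for csrPEM using the
// "server" profile and returns the certificate PEM.
//
// NOTE(review): Hosts is empty and makeSelfCSR sets no hosts either, so the
// issued certificate presumably carries no SANs; Go clients that verify the
// server name would then reject it. Confirm how prodvider's clients verify
// this certificate before relying on it.
func (p *prodvider) makeSelfCertificate(csrPEM []byte) ([]byte, error) {
	req := signer.SignRequest{
		Hosts:   []string{},
		Request: string(csrPEM),
		Profile: "server",
	}
	return p.sign.Sign(req)
}

// makeKubernetesCSR generates a key and CSR for a Kubernetes client
// certificate: the CN is the Kubernetes username and O the group (o).
// C/ST/L are copied from the signing CA's certificate and OU records which
// user/group the certificate was issued for. It returns (csrPEM, keyPEM, err).
func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
	name, err := p.signerName()
	if err != nil {
		return nil, nil, err
	}
	name.O = o
	name.OU = fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o)
	return generateCSR(username, name)
}

// makeKubernetesCertificate has the signer issue a certificate for csrPEM
// using the "client" profile, valid until notAfter, and returns its PEM.
func (p *prodvider) makeKubernetesCertificate(csrPEM []byte, notAfter time.Time) ([]byte, error) {
	req := signer.SignRequest{
		Hosts:    []string{},
		Request:  string(csrPEM),
		Profile:  "client",
		NotAfter: notAfter,
	}
	return p.sign.Sign(req)
}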