// Package apitls provides TLS certificate management with automatic renewal support.
//
// This package handles TLS certificate provisioning and management for secure
// inter-service communication within the NTP Pool project infrastructure.
// It provides both server and client certificate management through the
// CertificateProvider interface and includes a trusted CA certificate pool
// for validating certificates.
//
// The package integrates with certman for automatic certificate renewal
// and includes embedded CA certificates for establishing trust relationships
// between services.
package apitls

import (
	"crypto/tls"
	"crypto/x509"
	_ "embed"
	"errors"

	"github.com/abh/certman"
	"go.ntppool.org/common/logger"
)

//go:embed ca.pem
var caBytes []byte

// CertificateProvider defines the interface for providing TLS certificates
// for both server and client connections. Implementations should handle
// certificate retrieval, caching, and renewal as needed.
//
// This interface supports both server-side certificate provisioning
// (via GetCertificate) and client-side certificate authentication
// (via GetClientCertificate).
type CertificateProvider interface {
	// GetCertificate retrieves a server certificate based on the client hello information.
	// This method is typically used in tls.Config.GetCertificate for server-side TLS.
	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)

	// GetClientCertificate retrieves a client certificate for mutual TLS authentication.
	// This method is used in tls.Config.GetClientCertificate for client-side TLS.
	GetClientCertificate(certRequestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error)
}

// CAPool returns a certificate pool containing trusted CA certificates
// for validating TLS connections within the NTP Pool infrastructure.
//
// The CA certificates are embedded in the binary and include the trusted
// certificate authorities used for inter-service communication.
// This pool should be used in tls.Config.RootCAs for client connections
// or tls.Config.ClientCAs for server connections requiring client certificates.
//
// Returns an error if the embedded CA certificates cannot be parsed or loaded.
func CAPool() (*x509.CertPool, error) {
	capool := x509.NewCertPool()
	if !capool.AppendCertsFromPEM(caBytes) {
		return nil, errors.New("credentials: failed to append certificates")
	}

	return capool, nil
}

// GetCertman sets up certman for the specified cert / key pair. It is
// used in the monitor-api and (for now) in the client
func GetCertman(certFile, keyFile string) (*certman.CertMan, error) {
	cm, err := certman.New(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	log := logger.NewStdLog("cm", false, nil)
	cm.Logger(log)
	err = cm.Watch()
	if err != nil {
		return nil, err
	}
	return cm, nil
}