package de.mlessmann.certassist.openssl;

import de.mlessmann.certassist.ExecutableResolver;
import de.mlessmann.certassist.except.CommandLineOperationException;
import de.mlessmann.certassist.except.UnresolvableCLIDependency;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.lang.Nullable;
import org.springframework.stereotype.Service;
import org.zeroturnaround.exec.ProcessExecutor;
import org.zeroturnaround.exec.StartedProcess;
import org.zeroturnaround.exec.stream.slf4j.Slf4jStream;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.ExecutionException;

import static org.slf4j.LoggerFactory.getLogger;

@Service
public class OpenSSLCertificateCreator {

    public static final String OPENSSL_CERT_SUBJECT_TEMPLATE = "/C=ISO-COUNTRY/ST=STATE/L=LOCALITY/O=ORGANIZATION/CN=COMMON-NAME";
    private static final Logger LOGGER = getLogger(OpenSSLCertificateCreator.class);
    private static final String CSR_EXT_TEMPLATE = """
            authorityKeyIdentifier=keyid,issuer
            basicConstraints=CA:FALSE
            keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
            subjectAltName = @alt_names
            
            [alt_names]
            """;

    private final ExecutableResolver executableResolver;

    @Autowired
    public OpenSSLCertificateCreator(ExecutableResolver executableResolver) {
        this.executableResolver = executableResolver;
    }

    private static String buildSubjectArg(CertificateRequest request) {
        String certSubject = OPENSSL_CERT_SUBJECT_TEMPLATE.replace("ISO-COUNTRY", request.getSubject().getCountry()).replace("STATE", request.getSubject().getState()).replace("LOCALITY", request.getSubject().getLocality()).replace("ORGANIZATION", request.getSubject().getOrganization()).replace("COMMON-NAME", request.getCommonName());

        if (StringUtils.isNotBlank(request.getSubject().getOrganizationalUnit())) {
            certSubject += "/OU=" + request.getSubject().getOrganizationalUnit();
        }

        if (StringUtils.isNotBlank(request.getSubject().getEmailAddress())) {
            certSubject += "/emailAddress=" + request.getSubject().getEmailAddress();
        }
        return certSubject;
    }

    @Nullable
    public OpenSSLCertificateResult createCertificate(CertificateRequest request) throws CommandLineOperationException, InterruptedException {
        Path tmpDir;
        try {
            tmpDir = Files.createTempDirectory("certassist");
        } catch (IOException e) {
            throw new CommandLineOperationException("Could not create temporary directory for certificate creation", e);
        }

        Path keyFile = createKeyfile(request, tmpDir.resolve("root.key"));
        Path rootCert = createCertificate(request, keyFile, tmpDir.resolve("root.crt"));

        Path childKey = createKeyfile(request, tmpDir.resolve("child.key"));
        Path unsignedCert = createCertificate(request, childKey, tmpDir.resolve("child.csr"));
        Path signedCert = signCertificate(request, rootCert, keyFile, unsignedCert);
        return new OpenSSLCertificateResult(tmpDir);
    }

    private Path createKeyfile(CertificateRequest request, Path outFile) throws CommandLineOperationException, InterruptedException {
        Path keyFile = outFile.toAbsolutePath();
        LOGGER.atDebug().log("Writing new certificate key to {}", keyFile);

        try {
            StartedProcess keygenProc = new ProcessExecutor().command(resolveOpenSSL(), "genrsa", "-out", keyFile.toString(), "-passout", "env:KEY_PASS", Integer.toString(request.getRequestedKeyLength())).environment("KEY_PASS", request.getOid()).redirectOutput(Slf4jStream.ofCaller().asDebug()).redirectError(Slf4jStream.ofCaller().asError()).start();
            keygenProc.getFuture().get();
        } catch (IOException e) {
            throw new CommandLineOperationException("Failure running OpenSSL keygen command.", e);
        } catch (ExecutionException e) {
            throw new RuntimeException(e);
        }
        return keyFile;
    }

    private Path createCertificate(CertificateRequest request, Path keyFile, Path outFile) throws CommandLineOperationException, InterruptedException {
        LOGGER.atDebug().log("Writing new certificate file {}", outFile);

        String certSubject = buildSubjectArg(request);
        try {
            StartedProcess certGenProc = new ProcessExecutor().command(resolveOpenSSL(), "req", "-new", "-passin", "env:KEY_PASS", "-key", keyFile.toString(), "-sha256", "-days", Integer.toString(request.getRequestedValidityDays()), "-out", outFile.toString(), "-passout", "env:KEY_PASS", "-utf8", "-subj", certSubject).environment("KEY_PASS", request.getOid()).redirectOutput(Slf4jStream.ofCaller().asDebug()).redirectError(Slf4jStream.ofCaller().asError()).start();
            certGenProc.getFuture().get();
        } catch (IOException e) {
            throw new CommandLineOperationException("Failure running OpenSSL req command.", e);
        } catch (ExecutionException e) {
            throw new RuntimeException(e);
        }
        return outFile;
    }

    private Path signCertificate(CertificateRequest request, Path caCert, Path caKey, Path csrFile) throws CommandLineOperationException, InterruptedException {
        Path outFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".crt"));
        LOGGER.atDebug().log("Writing new signed certificate file {}", outFile);
        Path extFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".ext"));

        try {
            String extContent = CSR_EXT_TEMPLATE;
            List<String> altNames = Optional.ofNullable(request.getExtension())
                    .map(CertificateRequestExtension::getAlternativeNames)
                    .orElse(List.of());
            if (!altNames.isEmpty()) {
                String altNamesContent = String.join("\n", altNames);
                extContent = extContent.replaceAll("\\[alt_names]\n?, ", "[alt_names]\n" + altNamesContent);
            } else {
                extContent = extContent.replaceAll("\\s*subjectAltName\\s+=\\s+@alt_names\n?", "");
                extContent = extContent.replaceAll("\\[alt_names]\n?, ", "");
            }

            LOGGER.debug("Writing extension file content: \n {}", extContent);
            Files.writeString(extFile, extContent, StandardCharsets.UTF_8, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }

        try {
            StartedProcess certGenProc = new ProcessExecutor().command(resolveOpenSSL(), "x509", "-req", "-days", Integer.toString(request.getRequestedValidityDays()), "-in", csrFile.toString(), "-CA", caCert.toString(), "-CAkey", caKey.toString(), "-CAcreateserial", "-out", outFile.toString(), "-extfile", extFile.toString()).redirectOutput(Slf4jStream.ofCaller().asDebug()).redirectError(Slf4jStream.ofCaller().asError()).start();
            certGenProc.getFuture().get();
        } catch (IOException e) {
            throw new CommandLineOperationException("Failure running OpenSSL x509 command.", e);
        } catch (ExecutionException e) {
            throw new RuntimeException(e);
        }
        return outFile;
    }

    private String resolveOpenSSL() throws CommandLineOperationException {
        try {
            return executableResolver.getOpenSSLPath();
        } catch (UnresolvableCLIDependency e) {
            throw new CommandLineOperationException(e);
        }
    }
}