//////////////////////////////////////////////////////////////////////////

package libvault

//////////////////////////////////////////////////////////////////////////

import (
	"crypto/tls"
	"crypto/x509"
	log "github.com/sirupsen/logrus"
	"time"
)

//////////////////////////////////////////////////////////////////////////

type TLSRequest struct {
	CommonName string        `json:"common_name"`
	AltNames   string        `json:"alt_names"`
	IPSANs     string        `json:"ip_sans"`
	URISANs    string        `json:"uri_sans"`
	OtherSANs  string        `json:"other_sans"`
	TTL        time.Duration `json:"ttl"`
}

//////////////////////////////////////////////////////////////////////////

func (req *TLSRequest) Renew(t *Token, config *tls.Config) (bool, error) {

	if len(config.Certificates) > 0 {
		cert, err := x509.ParseCertificate(config.Certificates[0].Certificate[0])
		if err != nil {
			log.WithFields(log.Fields{
				"error": err,
			}).Error("libvault: failed to parse existing tls certificate")
		}

		ttl := cert.NotAfter.Sub(time.Now())
		if ttl.Seconds() > VAULT_RENEW_PERIOD.Seconds() {
			// nothing to see here, move along
			log.WithFields(log.Fields{
				"CommonName": req.CommonName,
				"ttl":        ttl.String(),
			}).Info("libvault: TLS certificate renewal not required")
			return false, nil
		}
	}

	// default the TTL if it wasn't previously set
	if req.TTL == 0 {
		req.TTL = VAULT_TTL
	}

	// issue a new key pair
	log.WithFields(log.Fields{
		"CommonName": req.CommonName,
	}).Debug("libvault: renewing TLS certificate")

	response := &struct {
		Data struct {
			Certificate string   `json:"certificate"`
			IssuingCA   string   `json:"issuing_ca"`
			CAChain     []string `json:"ca_chain"`
			PrivateKey  string   `json:"private_key"`
		} `json:"data"`
	}{}

	if err := vault.POST(t, "/burble.dn42/pki/sites/issue/tls", req, response); err != nil {
		log.WithFields(log.Fields{
			"token":   t,
			"request": req,
			"error":   err,
		}).Error("libvault: vault failed to renew certificate")
		return false, err
	}

	// update the tls.Config structure
	config.ServerName = req.CommonName

	config.RootCAs = x509.NewCertPool()
	config.RootCAs.AppendCertsFromPEM([]byte(response.Data.IssuingCA))
	for _, ca := range response.Data.CAChain {
		config.RootCAs.AppendCertsFromPEM([]byte(ca))
	}

	cert, err := tls.X509KeyPair(
		[]byte(response.Data.Certificate),
		[]byte(response.Data.PrivateKey),
	)
	if err != nil {
		log.WithFields(log.Fields{
			"cert":  response.Data.Certificate,
			"key":   response.Data.PrivateKey,
			"error": err,
		}).Error("libvault: unable to load x509 cert pair")
		return false, err
	}
	config.Certificates = []tls.Certificate{cert}

	log.WithFields(log.Fields{
		"CommonName": req.CommonName,
	}).Debug("libvault: issued TLS certificate")

	return true, nil
}

//////////////////////////////////////////////////////////////////////////
// end of file