package server

import (
	"context"
	"crypto/x509"
	"net"
	"net/http"
	"strconv"

	"go.alanpearce.eu/website/internal/listenfd"

	"github.com/ardanlabs/conf/v3"
	"github.com/caddyserver/caddy/v2"
	"github.com/caddyserver/certmagic"
	certmagic_redis "github.com/pberkel/caddy-storage-redis"
	"gitlab.com/tozd/go/errors"
)

type redisConfig struct {
	Address       string `conf:"required"`
	Username      string `conf:"default:default"`
	Password      string `conf:"required"`
	EncryptionKey string `conf:"required"`
	KeyPrefix     string `conf:"default:certmagic"`
}

func (s *Server) serveTLS() (err error) {
	var issuer *certmagic.ACMEIssuer
	log := s.log.Named("tls")

	// setting cfg.Logger is too late somehow
	certmagic.Default.Logger = log.GetLogger().Named("certmagic")
	cfg := certmagic.NewDefault()
	cfg.DefaultServerName = s.config.Domains[0]

	issuer = &certmagic.DefaultACME
	certmagic.DefaultACME.Agreed = true
	certmagic.DefaultACME.Email = s.config.Email

	if s.runtimeConfig.Development {
		ca := s.runtimeConfig.ACMECA
		if ca == "" {
			return errors.New("can't enable tls in development without an ACME_CA")
		}

		cp, err := x509.SystemCertPool()
		if err != nil {
			log.Warn("could not get system certificate pool", "error", err)
			cp = x509.NewCertPool()
		}

		if cacert := s.runtimeConfig.ACMECACert; cacert != "" {
			cp.AppendCertsFromPEM([]byte(cacert))
		}

		// caddy's ACME server (step-ca) doesn't specify an OCSP server
		cfg.OCSP.DisableStapling = true

		listenAddress := s.runtimeConfig.ListenAddress
		if listenAddress[0] == '[' {
			listenAddress = listenAddress[1 : len(listenAddress)-1]
		}

		issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
			CA:                      s.runtimeConfig.ACMECA,
			TrustedRoots:            cp,
			DisableTLSALPNChallenge: true,
			ListenHost:              listenAddress,
			AltHTTPPort:             s.runtimeConfig.Port,
			AltTLSALPNPort:          s.runtimeConfig.TLSPort,
		})
		cfg.Issuers[0] = issuer
	} else {
		rc := &redisConfig{}
		_, err = conf.Parse("REDIS", rc)
		if err != nil {
			return errors.Wrap(err, "could not parse redis config")
		}

		rs := certmagic_redis.New()
		rs.Address = []string{rc.Address}
		rs.Username = rc.Username
		rs.Password = rc.Password
		rs.EncryptionKey = rc.EncryptionKey
		rs.KeyPrefix = rc.KeyPrefix

		cfg.Storage = rs
		err = rs.Provision(caddy.Context{
			Context: context.Background(),
		})
		if err != nil {
			return errors.Wrap(err, "could not provision redis storage")
		}
	}

	ln, err := listenfd.GetListener(
		1,
		net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)),
		log.Named("listenfd"),
	)
	if err != nil {
		return errors.Wrap(err, "could not bind plain socket")
	}

	go func(ln net.Listener) {
		s.redirectServer.Handler = issuer.HTTPChallengeHandler(s.redirectServer.Handler)
		if err := s.redirectServer.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
			log.Error("error in http handler", "error", err)
		}
	}(ln)

	log.Debug(
		"starting certmagic",
		"http_port",
		s.runtimeConfig.Port,
		"https_port",
		s.runtimeConfig.TLSPort,
	)
	err = cfg.ManageSync(context.TODO(), s.config.Domains)
	if err != nil {
		return errors.Wrap(err, "could not enable TLS")
	}
	tlsConfig := cfg.TLSConfig()
	tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)

	sln, err := listenfd.GetListenerTLS(
		0,
		net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.TLSPort)),
		tlsConfig,
		log.Named("listenfd"),
	)
	if err != nil {
		return errors.Wrap(err, "could not bind tls socket")
	}

	return s.Serve(sln)
}