package PVE::CertHelpers;

use strict;
use warnings;

use PVE::Certificate;
use PVE::JSONSchema;
use PVE::Tools;

my $account_prefix = '/etc/pve/priv/acme';

PVE::JSONSchema::register_standard_option(
    'pve-acme-account-name',
    {
        description => 'ACME account config file name.',
        type => 'string',
        format => 'pve-configid',
        format_description => 'name',
        optional => 1,
        default => 'default',
    },
);

PVE::JSONSchema::register_standard_option(
    'pve-acme-account-contact',
    {
        type => 'string',
        format => 'email-list',
        description => 'Contact email addresses.',
    },
);

PVE::JSONSchema::register_standard_option(
    'pve-acme-directory-url',
    {
        type => 'string',
        description => 'URL of ACME CA directory endpoint.',
        pattern => '^https?://.*',
    },
);

my $local_cert_lock = '/var/lock/pve-certs.lock';

sub cert_path_prefix {
    my ($node) = @_;

    return "/etc/pve/nodes/${node}/pveproxy-ssl";
}

sub default_cert_path_prefix {
    my ($node) = @_;

    return "/etc/pve/nodes/${node}/pve-ssl";
}

sub cert_lock {
    my ($timeout, $code, @param) = @_;

    return PVE::Tools::lock_file($local_cert_lock, $timeout, $code, @param);
}

sub set_cert_files {
    my ($cert, $key, $path_prefix, $force) = @_;

    my ($old_cert, $old_key, $info);

    my $cert_path = "${path_prefix}.pem";
    my $cert_path_tmp = "${path_prefix}.pem.old";
    my $key_path = "${path_prefix}.key";
    my $key_path_tmp = "${path_prefix}.key.old";

    die "Custom certificate file exists but force flag is not set.\n"
        if !$force && -e $cert_path;
    die "Custom certificate key file exists but force flag is not set.\n"
        if !$force && -e $key_path;

    PVE::Tools::file_copy($cert_path, $cert_path_tmp) if -e $cert_path;
    PVE::Tools::file_copy($key_path, $key_path_tmp) if -e $key_path;

    eval {
        PVE::Tools::file_set_contents($cert_path, $cert);
        PVE::Tools::file_set_contents($key_path, $key) if $key;
        $info = PVE::Certificate::get_certificate_info($cert_path);
    };
    my $err = $@;

    if ($err) {
        if (-e $cert_path_tmp && -e $key_path_tmp) {
            eval {
                warn "Attempting to restore old certificate files..\n";
                PVE::Tools::file_copy($cert_path_tmp, $cert_path);
                PVE::Tools::file_copy($key_path_tmp, $key_path);
            };
            warn "$@\n" if $@;
        }
        die "Setting certificate files failed - $err\n";
    }

    unlink $cert_path_tmp;
    unlink $key_path_tmp;

    return $info;
}

sub acme_account_dir {
    return $account_prefix;
}

sub list_acme_accounts {
    my $accounts = [];

    return $accounts if !-d $account_prefix;

    PVE::Tools::dir_glob_foreach(
        $account_prefix,
        qr/[^.]+.*/,
        sub {
            my ($name) = @_;

            push @$accounts, $name
                if PVE::JSONSchema::pve_verify_configid($name, 1);
        },
    );

    return $accounts;
}