package signer

import (
	"crypto/x509"
	"encoding/pem"
	"time"

	capi "k8s.io/api/certificates/v1beta1"

	"edge-infra.dev/pkg/edge/edge-issuer/controllers"
)

func FromEdgeCAStore(keyPEM []byte, certPEM []byte, duration time.Duration) (controllers.Signer, error) {
	return &edgeSigner{keyPEM, certPEM, duration}, nil
}

type edgeSigner struct {
	keyPEM   []byte
	certPEM  []byte
	duration time.Duration
}

func (o *edgeSigner) Sign(certTemplate *x509.Certificate) ([]byte, error) {
	key, err := parseKey(o.keyPEM)
	if err != nil {
		return nil, err
	}
	cert, err := parseCert(o.certPEM)
	if err != nil {
		return nil, err
	}

	ca := &CertificateAuthority{
		Certificate: cert,
		PrivateKey:  key,
		Backdate:    5 * time.Minute,
	}

	crtDER, err := ca.Sign(certTemplate, PermissiveSigningPolicy{
		TTL: o.duration,
		Usages: []capi.KeyUsage{
			capi.UsageServerAuth,
		},
	})
	if err != nil {
		return nil, err
	}

	return pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE",
		Bytes: crtDER,
	}), nil
}