/*
  Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

  Licensed under the Apache License, Version 2.0 (the "License").
  You may not use this file except in compliance with the License.
  A copy of the License is located at

      http://www.apache.org/licenses/LICENSE-2.0

  or in the "license" file accompanying this file. This file is distributed
  on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
  express or implied. See the License for the specific language governing
  permissions and limitations under the License.
*/

package cert

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"

	"github.com/prometheus/client_golang/prometheus"
	certificates "k8s.io/api/certificates/v1"
	clientset "k8s.io/client-go/kubernetes"
	"k8s.io/client-go/util/certificate"
)

// NewServerCertificateManager returns a certificate manager that stores TLS keys in Kubernetes Secrets
func NewServerCertificateManager(kubeClient clientset.Interface, namespace, secretName string, csr *x509.CertificateRequest) (certificate.Manager, error) {
	clientsetFn := func(_ *tls.Certificate) (clientset.Interface, error) {
		return kubeClient, nil
	}

	certificateStore := NewSecretCertStore(
		namespace,
		secretName,
		kubeClient,
	)

	var certificateRotation = prometheus.NewHistogram(
		prometheus.HistogramOpts{
			Subsystem: "certificate_manager",
			Name:      "server_rotation_seconds",
			Help:      "Histogram of the lifetime of a certificate. The value is the time in seconds the certificate lived before getting rotated",
		},
	)
	prometheus.MustRegister(certificateRotation)

	m, err := certificate.NewManager(&certificate.Config{
		ClientsetFn: clientsetFn,
		Template:    csr,
		Usages: []certificates.KeyUsage{
			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
			//
			// Digital signature allows the certificate to be used to verify
			// digital signatures used during TLS negotiation.
			certificates.UsageDigitalSignature,
			// KeyEncipherment allows the cert/key pair to be used to encrypt
			// keys, including the symmetric keys negotiated during TLS setup
			// and used for data transfer.
			certificates.UsageKeyEncipherment,
			// ServerAuth allows the cert to be used by a TLS server to
			// authenticate itself to a TLS client.
			certificates.UsageServerAuth,
		},
		// Hard coding this since LegacyUnknownSignerName is no longer available in certificates/v1
		// https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers.
		SignerName:          "kubernetes.io/legacy-unknown",
		CertificateStore:    certificateStore,
		CertificateRotation: certificateRotation,
	})
	if err != nil {
		return nil, fmt.Errorf("failed to initialize server certificate manager: %v", err)
	}
	return m, nil
}