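using Microsoft.Extensions.Configuration;

namespace ZB.MOM.WW.MxGateway.Server.Security.Tls;

/// <summary>
/// Inspects the Kestrel configuration to decide whether the gateway must supply
/// a generated default certificate (an HTTPS endpoint exists with no certificate
/// of its own).
/// </summary>
public static class KestrelTlsInspector
{
    /// <summary>
    /// Returns <see langword="true"/> when at least one HTTPS endpoint in
    /// <c>Kestrel:Endpoints</c> has no certificate of its own (no
    /// <c>Certificate:Path</c>, <c>Certificate:Subject</c>, or
    /// <c>Certificate:Thumbprint</c>), meaning the gateway must supply a
    /// generated fallback certificate.
    /// </summary>
    /// <param name="configuration">Application configuration containing the Kestrel section.</param>
    /// <returns>
    /// <see langword="true"/> if any HTTPS endpoint lacks all three certificate keys;
    /// <see langword="false"/> if every HTTPS endpoint has at least one of them, or if
    /// no HTTPS endpoint is listed under <c>Kestrel:Endpoints</c>.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="configuration"/> is null.</exception>
    /// <remarks>
    /// Only the per-endpoint keys listed above are read. A Kestrel-level default
    /// certificate (<c>Kestrel:Certificates:Default</c>) and HTTPS bindings declared
    /// outside <c>Kestrel:Endpoints</c> are not consulted here.
    /// NOTE(review): confirm the caller accounts for a configured default certificate,
    /// so that an operator-supplied certificate is not replaced by the generated one.
    /// NOTE(review): how the fallback certificate is generated is not visible in this
    /// file; if it is self-signed, clients cannot authenticate the gateway unless they
    /// trust it out of band, so the caller should make the use of the fallback visible
    /// (for example, in the startup log).
    /// </remarks>
    public static bool RequiresGeneratedCertificate(IConfiguration configuration)
    {
        // Fail with a descriptive exception instead of a NullReferenceException below.
        ArgumentNullException.ThrowIfNull(configuration);

        IConfigurationSection endpoints = configuration.GetSection("Kestrel:Endpoints");

        foreach (IConfigurationSection endpoint in endpoints.GetChildren())
        {
            string? url = endpoint["Url"];

            // Endpoints with no Url, or with a Url that does not start with the
            // https scheme, never need a certificate and are skipped.
            bool isHttps = !string.IsNullOrWhiteSpace(url)
                && url.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
            if (!isHttps)
            {
                continue;
            }

            // Any one of these keys counts as the endpoint bringing its own certificate.
            // The values are not validated here: a wrong path or an unknown thumbprint
            // still counts as "has a certificate".
            IConfigurationSection certificate = endpoint.GetSection("Certificate");
            bool hasOwnCertificate =
                !string.IsNullOrWhiteSpace(certificate["Path"])
                || !string.IsNullOrWhiteSpace(certificate["Subject"])
                || !string.IsNullOrWhiteSpace(certificate["Thumbprint"]);

            if (!hasOwnCertificate)
            {
                // One uncovered HTTPS endpoint is enough to require the fallback.
                return true;
            }
        }

        return false;
    }
}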