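using System.IO;
using Serilog;

namespace ZB.MOM.WW.LmxProxy.Host.Configuration
{
    /// <summary>
    /// Configuration for TLS/SSL settings for secure gRPC communication.
    /// </summary>
    public class TlsConfiguration
    {
        /// <summary>
        /// Gets or sets whether TLS is enabled for gRPC communication. Defaults to <c>false</c>.
        /// </summary>
        public bool Enabled { get; set; } = false;

        /// <summary>
        /// Gets or sets the path to the server certificate file (.pem or .crt).
        /// </summary>
        public string ServerCertificatePath { get; set; } = string.Empty;

        /// <summary>
        /// Gets or sets the path to the server private key file (.key).
        /// </summary>
        public string ServerKeyPath { get; set; } = string.Empty;

        /// <summary>
        /// Gets or sets the path to the certificate authority file for client certificate validation (optional).
        /// </summary>
        public string? ClientCaCertificatePath { get; set; }

        /// <summary>
        /// Gets or sets whether to require client certificates for mutual TLS. Defaults to <c>false</c>.
        /// </summary>
        public bool RequireClientCertificate { get; set; } = false;

        /// <summary>
        /// Gets or sets whether to check certificate revocation. Defaults to <c>true</c>.
        /// </summary>
        public bool CheckCertificateRevocation { get; set; } = true;

        /// <summary>
        /// Validates the TLS configuration.
        /// </summary>
        /// <remarks>
        /// Only missing path settings are treated as errors. A configured path whose file does not
        /// exist is logged as a warning and still validates. This method checks file existence only;
        /// it does not parse the certificate, match it against the key, or inspect file permissions.
        /// </remarks>
        /// <returns>True if configuration is valid, false otherwise.</returns>
        public bool Validate()
        {
            if (!Enabled)
            {
                // A disabled configuration is still reported as valid, but a mutual-TLS
                // requirement cannot be honoured without TLS. Surface the contradiction
                // instead of accepting it silently.
                if (RequireClientCertificate)
                {
                    Log.Warning("RequireClientCertificate is set but TLS is disabled - client certificates will not be requested or verified");
                }

                return true;
            }

            if (string.IsNullOrWhiteSpace(ServerCertificatePath))
            {
                Log.Error("TLS is enabled but ServerCertificatePath is not configured");
                return false;
            }

            if (string.IsNullOrWhiteSpace(ServerKeyPath))
            {
                Log.Error("TLS is enabled but ServerKeyPath is not configured");
                return false;
            }

            // NOTE(review): the two checks below are independent. If only one of the pair is
            // missing, confirm that startup regenerates both files so the key matches the certificate.
            if (!File.Exists(ServerCertificatePath))
            {
                Log.Warning("Server certificate file not found: {Path} - will be auto-generated on startup", ServerCertificatePath);
            }

            if (!File.Exists(ServerKeyPath))
            {
                Log.Warning("Server key file not found: {Path} - will be auto-generated on startup", ServerKeyPath);
            }

            if (RequireClientCertificate && string.IsNullOrWhiteSpace(ClientCaCertificatePath))
            {
                Log.Error("Client certificate is required but ClientCaCertificatePath is not configured");
                return false;
            }

            // NOTE(review): a client CA created at startup cannot have issued certificates that
            // clients already hold. Confirm how clients are provisioned when this path is taken
            // with RequireClientCertificate set.
            if (!string.IsNullOrWhiteSpace(ClientCaCertificatePath) && !File.Exists(ClientCaCertificatePath))
            {
                Log.Warning("Client CA certificate file not found: {Path} - will be auto-generated on startup", ClientCaCertificatePath);
            }

            return true;
        }
    }
}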