package tls

import (
	"crypto/x509"
	"fmt"
	"net"

	"github.com/hashicorp/terraform/helper/schema"
)

func resourceSelfSignedCert() *schema.Resource {
	s := resourceCertificateCommonSchema()

	s["subject"] = &schema.Schema{
		Type:     schema.TypeList,
		Required: true,
		Elem:     nameSchema,
		ForceNew: true,
	}

	s["dns_names"] = &schema.Schema{
		Type:        schema.TypeList,
		Optional:    true,
		Description: "List of DNS names to use as subjects of the certificate",
		ForceNew:    true,
		Elem: &schema.Schema{
			Type: schema.TypeString,
		},
	}

	s["ip_addresses"] = &schema.Schema{
		Type:        schema.TypeList,
		Optional:    true,
		Description: "List of IP addresses to use as subjects of the certificate",
		ForceNew:    true,
		Elem: &schema.Schema{
			Type: schema.TypeString,
		},
	}

	s["key_algorithm"] = &schema.Schema{
		Type:        schema.TypeString,
		Required:    true,
		Description: "Name of the algorithm to use to generate the certificate's private key",
		ForceNew:    true,
	}

	s["private_key_pem"] = &schema.Schema{
		Type:        schema.TypeString,
		Required:    true,
		Description: "PEM-encoded private key that the certificate will belong to",
		ForceNew:    true,
		StateFunc: func(v interface{}) string {
			return hashForState(v.(string))
		},
	}

	return &schema.Resource{
		Create: CreateSelfSignedCert,
		Delete: DeleteCertificate,
		Read:   ReadCertificate,
		Schema: s,
	}
}

func CreateSelfSignedCert(d *schema.ResourceData, meta interface{}) error {
	key, err := parsePrivateKey(d, "private_key_pem", "key_algorithm")
	if err != nil {
		return err
	}

	subjectConfs := d.Get("subject").([]interface{})
	if len(subjectConfs) != 1 {
		return fmt.Errorf("must have exactly one 'subject' block")
	}
	subjectConf := subjectConfs[0].(map[string]interface{})
	subject, err := nameFromResourceData(subjectConf)
	if err != nil {
		return fmt.Errorf("invalid subject block: %s", err)
	}

	cert := x509.Certificate{
		Subject:               *subject,
		BasicConstraintsValid: true,
	}

	dnsNamesI := d.Get("dns_names").([]interface{})
	for _, nameI := range dnsNamesI {
		cert.DNSNames = append(cert.DNSNames, nameI.(string))
	}
	ipAddressesI := d.Get("ip_addresses").([]interface{})
	for _, ipStrI := range ipAddressesI {
		ip := net.ParseIP(ipStrI.(string))
		if ip == nil {
			return fmt.Errorf("invalid IP address %#v", ipStrI.(string))
		}
		cert.IPAddresses = append(cert.IPAddresses, ip)
	}

	return createCertificate(d, &cert, &cert, publicKey(key), key)
}