/**
 * Self-signed certificate generation for HTTPS support
 */

import { X509Certificate } from 'node:crypto'
import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
import { homedir, networkInterfaces } from 'node:os'
import { join } from 'node:path'
import { generate } from 'selfsigned'

/**
 * Get all LAN IPv4 addresses
 */
export function getLanIPs(): string[] {
  const ips: string[] = []
  const nets = networkInterfaces()
  for (const name of Object.keys(nets)) {
    for (const net of nets[name] || []) {
      // Skip internal (loopback) and non-IPv4 addresses
      if (!net.internal && net.family === 'IPv4') {
        ips.push(net.address)
      }
    }
  }
  return ips
}

/**
 * Extract IP addresses from certificate's Subject Alternative Name (SAN)
 * SAN format: "IP Address:192.168.1.100, IP Address:127.0.0.1, DNS:localhost"
 */
function extractSanIPs(x509: X509Certificate): string[] {
  const san = x509.subjectAltName
  if (!san) return []

  const ips: string[] = []
  // Parse "IP Address:x.x.x.x" entries from SAN string
  const parts = san.split(', ')
  for (const part of parts) {
    const match = part.match(/^IP Address:(.+)$/)
    if (match && match[1]) {
      ips.push(match[1])
    }
  }
  return ips
}

const CERT_DIR = join(homedir(), '.acp-proxy')
const KEY_PATH = join(CERT_DIR, 'key.pem')
const CERT_PATH = join(CERT_DIR, 'cert.pem')

// Certificate validity in days
const CERT_VALIDITY_DAYS = 365

export interface TlsOptions {
  key: string
  cert: string
}

/**
 * Get or generate self-signed certificate
 * Certificates are cached in ~/.acp-proxy/
 */
export async function getOrCreateCertificate(): Promise<TlsOptions> {
  // Ensure directory exists
  if (!existsSync(CERT_DIR)) {
    mkdirSync(CERT_DIR, { recursive: true })
  }

  // Check if certificates already exist and are still valid
  if (existsSync(KEY_PATH) && existsSync(CERT_PATH)) {
    const certPem = readFileSync(CERT_PATH, 'utf-8')
    const keyPem = readFileSync(KEY_PATH, 'utf-8')

    try {
      const x509 = new X509Certificate(certPem)
      const validTo = new Date(x509.validTo)
      const now = new Date()

      // Check if cert is expired or will expire within 7 days
      const daysUntilExpiry = Math.floor(
        (validTo.getTime() - now.getTime()) / (1000 * 60 * 60 * 24),
      )

      if (daysUntilExpiry <= 7) {
        // Certificate expired or expiring soon
        console.log(
          `⚠️  Certificate ${daysUntilExpiry <= 0 ? 'expired' : `expires in ${daysUntilExpiry} days`}, regenerating...`,
        )
      } else {
        // Check if current LAN IPs are in the certificate's SAN
        const currentLanIPs = getLanIPs()
        const certSanIPs = extractSanIPs(x509)

        // Check if all current LAN IPs are covered by the certificate
        const missingIPs = currentLanIPs.filter(ip => !certSanIPs.includes(ip))

        if (missingIPs.length === 0) {
          console.log(`🔐 Using existing certificate from ${CERT_DIR}`)
          console.log(`   Valid for ${daysUntilExpiry} more days`)
          return { key: keyPem, cert: certPem }
        }

        // LAN IP changed, regenerate
        console.log(
          `⚠️  LAN IP changed (missing: ${missingIPs.join(', ')}), regenerating certificate...`,
        )
      }
    } catch {
      // Failed to parse certificate, regenerate
      console.log(`⚠️  Invalid certificate, regenerating...`)
    }
  }

  // Generate new self-signed certificate
  console.log(`🔐 Generating self-signed certificate...`)

  const attrs = [{ name: 'commonName', value: 'ACP Proxy Server' }]

  // Calculate expiry date
  const notAfterDate = new Date()
  notAfterDate.setDate(notAfterDate.getDate() + CERT_VALIDITY_DAYS)

  // Build altNames: localhost + loopback + all LAN IPs
  const altNames: Array<{ type: 1 | 2 | 6 | 7; value?: string; ip?: string }> =
    [
      { type: 2, value: 'localhost' },
      { type: 7, ip: '127.0.0.1' },
      { type: 7, ip: '::1' },
    ]

  // Add all current LAN IPs
  const lanIPs = getLanIPs()
  for (const ip of lanIPs) {
    altNames.push({ type: 7, ip })
  }

  if (lanIPs.length > 0) {
    console.log(`   Including LAN IPs: ${lanIPs.join(', ')}`)
  }

  const pems = await generate(attrs, {
    keySize: 2048,
    notAfterDate,
    algorithm: 'sha256',
    extensions: [
      {
        name: 'basicConstraints',
        cA: true,
      },
      {
        name: 'keyUsage',
        keyCertSign: true,
        digitalSignature: true,
        keyEncipherment: true,
      },
      {
        name: 'extKeyUsage',
        serverAuth: true,
      },
      {
        name: 'subjectAltName',
        altNames,
      },
    ],
  })

  // Save certificates
  writeFileSync(KEY_PATH, pems.private)
  writeFileSync(CERT_PATH, pems.cert)

  console.log(`✅ Certificate saved to ${CERT_DIR}`)
  console.log(`   Valid for ${CERT_VALIDITY_DAYS} days`)
  console.log(
    `   ⚠️  First access will show a security warning - click "Advanced" → "Proceed"`,
  )

  return {
    key: pems.private,
    cert: pems.cert,
  }
}