package tls

import (
	"context"
	"crypto/tls"

	"v2ray.com/core/common/net"
	"v2ray.com/core/transport/internet"
)

var (
	globalSessionCache = tls.NewLRUClientSessionCache(128)
)

func (c *Config) BuildCertificates() []tls.Certificate {
	certs := make([]tls.Certificate, 0, len(c.Certificate))
	for _, entry := range c.Certificate {
		keyPair, err := tls.X509KeyPair(entry.Certificate, entry.Key)
		if err != nil {
			newError("ignoring invalid X509 key pair").Base(err).AtWarning().WriteToLog()
			continue
		}
		certs = append(certs, keyPair)
	}
	return certs
}

func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
	config := &tls.Config{
		ClientSessionCache: globalSessionCache,
	}
	if c == nil {
		return config
	}

	for _, opt := range opts {
		opt(config)
	}

	config.InsecureSkipVerify = c.AllowInsecure
	config.Certificates = c.BuildCertificates()
	config.BuildNameToCertificate()
	if len(c.ServerName) > 0 {
		config.ServerName = c.ServerName
	}
	if len(c.NextProtocol) > 0 {
		config.NextProtos = c.NextProtocol
	}
	if len(config.NextProtos) == 0 {
		config.NextProtos = []string{"http/1.1"}
	}

	return config
}

type Option func(*tls.Config)

func WithDestination(dest net.Destination) Option {
	return func(config *tls.Config) {
		if dest.Address.Family().IsDomain() && len(config.ServerName) == 0 {
			config.ServerName = dest.Address.Domain()
		}
	}
}

func WithNextProto(protocol ...string) Option {
	return func(config *tls.Config) {
		if len(config.NextProtos) == 0 {
			config.NextProtos = protocol
		}
	}
}

func ConfigFromContext(ctx context.Context) *Config {
	securitySettings := internet.SecuritySettingsFromContext(ctx)
	if securitySettings == nil {
		return nil
	}
	config, ok := securitySettings.(*Config)
	if !ok {
		return nil
	}
	return config
}