# frozen_string_literal: true

module Gitlab
  module X509
    class Certificate
      CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze

      attr_reader :key, :cert, :ca_certs

      def key_string
        key.to_s
      end

      def cert_string
        cert.to_pem
      end

      def ca_certs_string
        ca_certs.map(&:to_pem).join('\n') unless ca_certs.blank?
      end

      def self.from_strings(key_string, cert_string, ca_certs_string = nil)
        key = OpenSSL::PKey::RSA.new(key_string)
        cert = OpenSSL::X509::Certificate.new(cert_string)
        ca_certs = load_ca_certs_bundle(ca_certs_string)

        new(key, cert, ca_certs)
      end

      def self.from_files(key_path, cert_path, ca_certs_path = nil)
        ca_certs_string = File.read(ca_certs_path) if ca_certs_path

        from_strings(File.read(key_path), File.read(cert_path), ca_certs_string)
      end

      # Returns an array of OpenSSL::X509::Certificate objects, empty array if none found
      #
      # Ruby OpenSSL::X509::Certificate.new will only load the first
      # certificate if a bundle is presented, this allows to parse multiple certs
      # in the same file
      def self.load_ca_certs_bundle(ca_certs_string)
        return [] unless ca_certs_string

        ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
          OpenSSL::X509::Certificate.new(ca_cert_string)
        end
      end

      def initialize(key, cert, ca_certs = nil)
        @key = key
        @cert = cert
        @ca_certs = ca_certs
      end
    end
  end
end