package validator

import (
	"crypto/tls"
	"errors"
	"fmt"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
)

// ValidateTLSConfig sets the default values and validates a schema.TLSConfig.
func ValidateTLSConfig(config *schema.TLSConfig, configDefault *schema.TLSConfig) (err error) {
	if config == nil {
		return
	}

	if config.ServerName == "" {
		config.ServerName = configDefault.ServerName
	}

	if config.MinimumVersion.Value == 0 {
		config.MinimumVersion.Value = configDefault.MinimumVersion.Value
	}

	if config.MaximumVersion.Value == 0 {
		config.MaximumVersion.Value = configDefault.MaximumVersion.Value
	}

	if config.MinimumVersion.MinVersion() < tls.VersionTLS10 {
		return errors.New("option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
	}

	if config.MinimumVersion.MinVersion() > config.MaximumVersion.MaxVersion() {
		return fmt.Errorf("option combination of 'minimum_version' and 'maximum_version' is invalid: minimum version %s is greater than the maximum version %s", config.MinimumVersion.String(), config.MaximumVersion.String())
	}

	if (config.CertificateChain.HasCertificates() || config.PrivateKey != nil) && !config.CertificateChain.EqualKey(config.PrivateKey) {
		return errors.New("option 'certificates' is invalid: provided certificate is not the public key for the private key provided")
	}

	return nil
}