/*
 *     Copyright 2022 The Dragonfly Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package rpc

import (
	"crypto/tls"
	"crypto/x509"
	"errors"

	"github.com/johanbrandhorst/certify"
	"google.golang.org/grpc/credentials"
)

// NewServerCredentialsByCertify returns server transport credentials by certify.
func NewServerCredentialsByCertify(tlsVerify bool, tlsCACert *tls.Certificate, certifyClient *certify.Certify) (credentials.TransportCredentials, error) {
	if !tlsVerify {
		return credentials.NewTLS(&tls.Config{
			GetCertificate: certifyClient.GetCertificate,
		}), nil
	}

	certPool := x509.NewCertPool()
	for _, cert := range tlsCACert.Certificate {
		if !certPool.AppendCertsFromPEM(cert) {
			return nil, errors.New("invalid CA Cert")
		}
	}

	tlsConfig := &tls.Config{
		GetCertificate: certifyClient.GetCertificate,
		ClientAuth:     tls.RequireAndVerifyClientCert,
		ClientCAs:      certPool,
	}

	return credentials.NewTLS(tlsConfig), nil
}