package pki

import (
	"time"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/certutil"
	"github.com/hashicorp/vault/sdk/logical"
)

func (b *backend) getGenerationParams(
	data *framework.FieldData,
) (exported bool, format string, role *roleEntry, errorResp *logical.Response) {
	exportedStr := data.Get("exported").(string)
	switch exportedStr {
	case "exported":
		exported = true
	case "internal":
	default:
		errorResp = logical.ErrorResponse(
			`the "exported" path parameter must be "internal" or "exported"`)
		return
	}

	format = getFormat(data)
	if format == "" {
		errorResp = logical.ErrorResponse(
			`the "format" path parameter must be "pem", "der", "der_pkcs", or "pem_bundle"`)
		return
	}

	role = &roleEntry{
		TTL:                  time.Duration(data.Get("ttl").(int)) * time.Second,
		KeyType:              data.Get("key_type").(string),
		KeyBits:              data.Get("key_bits").(int),
		AllowLocalhost:       true,
		AllowAnyName:         true,
		AllowIPSANs:          true,
		EnforceHostnames:     false,
		AllowedURISANs:       []string{"*"},
		AllowedOtherSANs:     []string{"*"},
		AllowedSerialNumbers: []string{"*"},
		OU:                   data.Get("ou").([]string),
		Organization:         data.Get("organization").([]string),
		Country:              data.Get("country").([]string),
		Locality:             data.Get("locality").([]string),
		Province:             data.Get("province").([]string),
		StreetAddress:        data.Get("street_address").([]string),
		PostalCode:           data.Get("postal_code").([]string),
	}

	if role.KeyType == "rsa" && role.KeyBits < 2048 {
		errorResp = logical.ErrorResponse("RSA keys < 2048 bits are unsafe and not supported")
		return
	}

	if err := certutil.ValidateKeyTypeLength(role.KeyType, role.KeyBits); err != nil {
		errorResp = logical.ErrorResponse(err.Error())
	}

	return
}