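// Package authz builds gRPC clients for the authzed authorization service.
package authz

import (
	"context"
	"crypto/x509"
	"net"

	authzed "github.com/authzed/authzed-go/v1"
	"github.com/authzed/grpcutil"
	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/credentials/insecure"
)

// tlsPort is the only port on which the server is assumed to speak TLS.
const tlsPort = "443"

// NewClient returns an authzed client for host ("host:port") that
// authenticates every RPC with the given bearer token.
//
// Transport security is decided purely by port (see isTLS):
//
//   - port 443: TLS against the system root CAs, and the token is attached
//     with grpcutil.WithBearerToken, which requires a secure transport;
//   - any other port: plaintext gRPC, and the token is attached with
//     grpcutil.WithInsecureBearerToken, so it crosses the wire in the clear.
//     This mode is only appropriate for local or otherwise trusted networks.
//
// A TLS endpoint on a non-443 port is not detected by this heuristic and is
// dialed in plaintext.
func NewClient(ctx context.Context, host string, token string) (*authzed.Client, error) {
	tokenOption := grpcutil.WithInsecureBearerToken(token)
	if isTLS(ctx, host) {
		tokenOption = grpcutil.WithBearerToken(token)
	}
	return authzed.NewClient(
		host,
		grpc.WithTransportCredentials(credentialsFor(ctx, host)),
		tokenOption,
	)
}

// credentialsFor picks the gRPC transport credentials for host.
//
// Non-TLS hosts (see isTLS) get insecure, plaintext credentials.
//
// TLS hosts are verified against the system root CA pool. If that pool
// cannot be loaded the failure is logged and TLS credentials are still
// returned, built from a nil pool so that crypto/tls falls back to the
// platform's root set (tls.Config.RootCAs == nil); the handshake then either
// succeeds against those roots or fails closed. A host that is expected to
// speak TLS must never be silently downgraded to a plaintext connection, so
// this path deliberately does not return insecure credentials.
func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials {
	if !isTLS(ctx, host) {
		return insecure.NewCredentials()
	}
	pool, err := x509.SystemCertPool()
	if err != nil {
		// Fail closed: keep TLS rather than fall back to plaintext, which
		// would put the bearer token on the wire unencrypted. On error
		// pool is nil, which crypto/tls treats as "use the host's root CA
		// set". Do not rely on the per-RPC credential check in the dial
		// layer to catch a downgrade here.
		pls.LogErrorNow(ctx, err)
	}
	return credentials.NewClientTLSFromCert(pool, "")
}

// isTLS reports whether host ("host:port") should be dialed with TLS.
//
// The decision is purely port-based: only port 443 is treated as TLS.
// An empty host, or one that net.SplitHostPort cannot parse (missing port,
// bare hostname, unbracketed IPv6 literal), is treated as non-TLS and the
// parse error is logged.
//
// NOTE(review): a bare hostname with no port therefore selects plaintext
// plus an insecure bearer token; if the dialer applies a default port for
// such addresses the token would be sent in the clear — confirm callers
// always pass an explicit port.
func isTLS(ctx context.Context, host string) bool {
	if host == "" {
		return false
	}
	_, port, err := net.SplitHostPort(host)
	if err != nil {
		pls.LogError(ctx, err)
		return false
	}
	return port == tlsPort
}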