using System.Security.Cryptography.X509Certificates;
using Azaion.Missions.JwksMock.Endpoints;
using Azaion.Missions.JwksMock.Services;

var builder = WebApplication.CreateBuilder(args);

// Tests source these from the compose env block (JWT_ISSUER, JWT_AUDIENCE,
// OLD_KEY_GRACE_SECONDS); appsettings.json supplies dev defaults.
var issuer            = builder.Configuration["JWT_ISSUER"]
                      ?? builder.Configuration["Jwks:Issuer"]
                      ?? throw new InvalidOperationException("JWT_ISSUER not configured");
var audience          = builder.Configuration["JWT_AUDIENCE"]
                      ?? builder.Configuration["Jwks:Audience"]
                      ?? throw new InvalidOperationException("JWT_AUDIENCE not configured");
var oldKeyGraceSecRaw = builder.Configuration["OLD_KEY_GRACE_SECONDS"]
                      ?? builder.Configuration["Jwks:OldKeyGraceSeconds"]
                      ?? "5";
var oldKeyGrace       = TimeSpan.FromSeconds(int.Parse(oldKeyGraceSecRaw, System.Globalization.CultureInfo.InvariantCulture));

builder.Services.AddSingleton(TimeProvider.System);
builder.Services.AddSingleton<KeyStore>(sp => new KeyStore(oldKeyGrace, sp.GetRequiredService<TimeProvider>()));
builder.Services.AddSingleton<TokenSigner>(sp => new TokenSigner(
    sp.GetRequiredService<KeyStore>(),
    sp.GetRequiredService<TimeProvider>(),
    issuer,
    audience));

builder.WebHost.ConfigureKestrel(options =>
{
    options.ListenAnyIP(8443, listen =>
    {
        listen.UseHttps(LoadTlsCert());
    });
});

var app = builder.Build();

app.MapGet("/.well-known/jwks.json", JwksEndpoint.Handle);
app.MapPost("/sign", SignEndpoint.Handle);
app.MapPost("/rotate-key", RotateKeyEndpoint.Handle);
app.MapGet("/healthz", () => Results.Ok(new { status = "ok" }));

app.Run();

// Loads the server TLS cert + key from the build context. The same cert is
// also published as `tests/jwks-mock-ca.crt` and mounted into the missions +
// e2e-consumer containers as a trust anchor.
static X509Certificate2 LoadTlsCert()
{
    var basePath = AppContext.BaseDirectory;
    var crtPath = Path.Combine(basePath, "tls", "jwks-mock.crt");
    var keyPath = Path.Combine(basePath, "tls", "jwks-mock.key");
    if (!File.Exists(crtPath) || !File.Exists(keyPath))
        throw new FileNotFoundException(
            $"jwks-mock TLS materials not found. Expected:\n  {crtPath}\n  {keyPath}\n" +
            "Run tests/Azaion.Missions.JwksMock/regen-cert.sh to regenerate.");
    return X509Certificate2.CreateFromPemFile(crtPath, keyPath);
}

public partial class Program; // For WebApplicationFactory if a host-process test ever needs it.