certctl/internal/api/handler/issuers.go

// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1

package handler

import (
	"context"
	"encoding/json"
	"errors"
	"github.com/certctl-io/certctl/internal/repository"
	"log/slog"
	"net/http"
	"strconv"
	"strings"

	"github.com/certctl-io/certctl/internal/api/middleware"
	"github.com/certctl-io/certctl/internal/domain"
)

// IssuerService defines the service interface for issuer operations.
type IssuerService interface {
	ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error)
	GetIssuer(ctx context.Context, id string) (*domain.Issuer, error)
	CreateIssuer(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error)
	UpdateIssuer(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error)
	DeleteIssuer(ctx context.Context, id string) error
	TestConnection(ctx context.Context, id string) error
}

// IssuerHandler handles HTTP requests for issuer operations.
type IssuerHandler struct {
	svc    IssuerService
	logger *slog.Logger
}

// NewIssuerHandler creates a new IssuerHandler with a service dependency.
func NewIssuerHandler(svc IssuerService) IssuerHandler {
	return IssuerHandler{svc: svc, logger: slog.Default()}
}

// NewIssuerHandlerWithLogger creates a new IssuerHandler with a custom logger.
func NewIssuerHandlerWithLogger(svc IssuerService, logger *slog.Logger) IssuerHandler {
	return IssuerHandler{svc: svc, logger: logger}
}

// ListIssuers lists all configured issuers.
// GET /api/v1/issuers?page=1&per_page=50
func (h IssuerHandler) ListIssuers(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
		return
	}

	requestID := middleware.GetRequestID(r.Context())

	page := 1
	perPage := 50
	query := r.URL.Query()
	if p := query.Get("page"); p != "" {
		if parsed, err := strconv.Atoi(p); err == nil && parsed > 0 {
			page = parsed
		}
	}
	if pp := query.Get("per_page"); pp != "" {
		if parsed, err := strconv.Atoi(pp); err == nil && parsed > 0 && parsed <= 500 {
			perPage = parsed
		}
	}

	issuers, total, err := h.svc.ListIssuers(r.Context(), page, perPage)
	if err != nil {
		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list issuers", requestID)
		return
	}

	response := PagedResponse{
		Data:    issuers,
		Total:   total,
		Page:    page,
		PerPage: perPage,
	}

	JSON(w, http.StatusOK, response)
}

// GetIssuer retrieves a single issuer by ID.
// GET /api/v1/issuers/{id}
func (h IssuerHandler) GetIssuer(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
		return
	}

	requestID := middleware.GetRequestID(r.Context())

	id := strings.TrimPrefix(r.URL.Path, "/api/v1/issuers/")
	if id == "" || strings.Contains(id, "/") {
		ErrorWithRequestID(w, http.StatusBadRequest, "Issuer ID is required", requestID)
		return
	}

	issuer, err := h.svc.GetIssuer(r.Context(), id)
	if err != nil {
		ErrorWithRequestID(w, http.StatusNotFound, "Issuer not found", requestID)
		return
	}

	JSON(w, http.StatusOK, issuer)
}

// CreateIssuer creates a new issuer configuration.
// POST /api/v1/issuers
func (h IssuerHandler) CreateIssuer(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
		return
	}

	requestID := middleware.GetRequestID(r.Context())

	var issuer domain.Issuer
	if err := json.NewDecoder(r.Body).Decode(&issuer); err != nil {
		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
		return
	}

	// Validate required fields
	if err := ValidateRequired("name", issuer.Name); err != nil {
		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
		return
	}
	if err := ValidateStringLength("name", issuer.Name, 255); err != nil {
		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
		return
	}
	if issuer.Type == "" {
		ErrorWithRequestID(w, http.StatusBadRequest, "type is required", requestID)
		return
	}

	created, err := h.svc.CreateIssuer(r.Context(), issuer)
	if err != nil {
		h.logger.Error("failed to create issuer", "error", err, "name", issuer.Name, "type", issuer.Type)
		errMsg := err.Error()
		switch {
		case strings.Contains(errMsg, "unique") || strings.Contains(errMsg, "duplicate"):
			ErrorWithRequestID(w, http.StatusConflict, "An issuer with this name already exists", requestID)
		case strings.Contains(errMsg, "unsupported issuer type"):
			ErrorWithRequestID(w, http.StatusBadRequest, errMsg, requestID)
		default:
			ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create issuer", requestID)
		}
		return
	}

	JSON(w, http.StatusCreated, created)
}

// UpdateIssuer updates an existing issuer configuration.
// PUT /api/v1/issuers/{id}
func (h IssuerHandler) UpdateIssuer(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPut {
		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
		return
	}

	requestID := middleware.GetRequestID(r.Context())

	id := strings.TrimPrefix(r.URL.Path, "/api/v1/issuers/")
	parts := strings.Split(id, "/")
	if len(parts) == 0 || parts[0] == "" {
		ErrorWithRequestID(w, http.StatusBadRequest, "Issuer ID is required", requestID)
		return
	}
	id = parts[0]

	var issuer domain.Issuer
	if err := json.NewDecoder(r.Body).Decode(&issuer); err != nil {
		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
		return
	}

	updated, err := h.svc.UpdateIssuer(r.Context(), id, issuer)
	if err != nil {
		h.logger.Error("failed to update issuer", "error", err, "id", id)
		errMsg := err.Error()
		switch {
		case strings.Contains(errMsg, "unique") || strings.Contains(errMsg, "duplicate"):
			ErrorWithRequestID(w, http.StatusConflict, "An issuer with this name already exists", requestID)
		case strings.Contains(errMsg, "not found"):
			ErrorWithRequestID(w, http.StatusNotFound, "Issuer not found", requestID)
		default:
			ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update issuer", requestID)
		}
		return
	}

	JSON(w, http.StatusOK, updated)
}

// DeleteIssuer deletes an issuer configuration.
// DELETE /api/v1/issuers/{id}
func (h IssuerHandler) DeleteIssuer(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodDelete {
		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
		return
	}

	requestID := middleware.GetRequestID(r.Context())

	id := strings.TrimPrefix(r.URL.Path, "/api/v1/issuers/")
	if id == "" || strings.Contains(id, "/") {
		ErrorWithRequestID(w, http.StatusBadRequest, "Issuer ID is required", requestID)
		return
	}

	if err := h.svc.DeleteIssuer(r.Context(), id); err != nil {
		if repository.IsForeignKeyError(err) {
			ErrorWithRequestID(w, http.StatusConflict, "Cannot delete issuer: certificates are still using this issuer", requestID)
		} else if errors.Is(err, repository.ErrNotFound) {
			ErrorWithRequestID(w, http.StatusNotFound, "Issuer not found", requestID)
		} else {
			ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete issuer", requestID)
		}
		return
	}

	w.WriteHeader(http.StatusNoContent)
}

// TestConnection tests the connection to an issuer.
// POST /api/v1/issuers/{id}/test
func (h IssuerHandler) TestConnection(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
		return
	}

	requestID := middleware.GetRequestID(r.Context())

	// Extract issuer ID from path /api/v1/issuers/{id}/test
	path := strings.TrimPrefix(r.URL.Path, "/api/v1/issuers/")
	parts := strings.Split(path, "/")
	if len(parts) < 2 || parts[0] == "" {
		ErrorWithRequestID(w, http.StatusBadRequest, "Issuer ID is required", requestID)
		return
	}
	issuerID := parts[0]

	if err := h.svc.TestConnection(r.Context(), issuerID); err != nil {
		ErrorWithRequestID(w, http.StatusInternalServerError, "Connection test failed", requestID)
		return
	}

	response := map[string]string{
		"status": "connection_successful",
	}

	JSON(w, http.StatusOK, response)
}