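package com.zhentao.utils;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Embedded Tomcat customization: registers an HTTPS connector restricted to
 * TLS 1.2/1.3 with forward-secret AES-GCM suites, forces every request path to
 * the CONFIDENTIAL transport guarantee, and adds a plain HTTP connector whose
 * only job is to redirect to the HTTPS port.
 *
 * <p>Configuration properties read: {@code server.port} (HTTPS port),
 * {@code server.http.port} (HTTP redirect port, default 8080),
 * {@code server.ssl.key-store}, {@code server.ssl.key-store-password} and
 * {@code server.ssl.key-alias}.
 */
@Configuration
public class WebServerConfig {

    @Value("${server.port}")
    private int httpsPort;

    @Value("${server.http.port:8080}")
    private int httpPort;

    @Value("${server.ssl.key-store}")
    private String keyStore;

    // Held as a String because @Value injects it that way; never log this field.
    @Value("${server.ssl.key-store-password}")
    private String keyStorePassword;

    @Value("${server.ssl.key-alias}")
    private String keyAlias;

    /**
     * Builds the customizer that wires the HTTPS and redirecting HTTP connectors
     * into the embedded Tomcat factory.
     *
     * <p>The generic parameter is required: the raw
     * {@code WebServerFactoryCustomizer} would type {@code factory} as a plain
     * {@code WebServerFactory}, which has no {@code addAdditionalTomcatConnectors}.
     *
     * @return a customizer for {@link TomcatServletWebServerFactory}
     */
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> customizer() {
        return factory -> {
            // NOTE(review): server.port is also the port of Spring Boot's primary
            // connector, so an *additional* connector on the same port is expected
            // to fail to bind at startup — confirm which connector is meant to own
            // httpsPort before relying on this.
            Connector httpsConnector = new Connector(Http11NioProtocol.class.getName());
            httpsConnector.setPort(httpsPort);
            httpsConnector.setSecure(true);
            httpsConnector.setScheme("https");

            Http11NioProtocol protocol = (Http11NioProtocol) httpsConnector.getProtocolHandler();
            protocol.setSSLEnabled(true);
            protocol.setKeystoreFile(keyStore);
            protocol.setKeystorePass(keyStorePassword);
            protocol.setKeyAlias(keyAlias);

            // Only allow TLS 1.2 and 1.3. The enabled-protocol list is the
            // sslEnabledProtocols attribute; sslProtocol is the SSLContext
            // algorithm name (e.g. "TLS") and does not restrict versions.
            protocol.setSslEnabledProtocols("TLSv1.2+TLSv1.3");
            // Forward-secret (ECDHE) AEAD suites only.
            protocol.setCiphers("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                    + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                    + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
                    + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
            factory.addAdditionalTomcatConnectors(httpsConnector);

            // Require a confidential transport for every path; Tomcat answers
            // plain-HTTP requests with a redirect to the connector's redirectPort.
            factory.addContextCustomizers(context -> {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            });

            // Plain HTTP connector that exists only to redirect to HTTPS.
            Connector httpConnector = new Connector(Http11NioProtocol.class.getName());
            httpConnector.setPort(httpPort);
            httpConnector.setSecure(false);
            httpConnector.setScheme("http");
            httpConnector.setRedirectPort(httpsPort);
            factory.addAdditionalTomcatConnectors(httpConnector);
        };
    }
}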