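from .ssh import SSHClient


class CertificateManager:
    """Drive the certificate-manager LXC container over SSH.

    Commands are sent to the node ``la-vmh-11`` and executed inside
    container ``11215`` through ``pct exec``. Every command method raises
    ``RuntimeError`` when the remote command exits non-zero, so a failed
    check is never mistaken for an empty but successful result.
    """

    def __init__(self, config):
        """Build the SSH client for the node that hosts the container.

        Args:
            config: Configuration object providing ``get_node(name)`` and
                ``get(key[, default])``.

        Raises:
            ValueError: If node ``la-vmh-11`` is not present in the config.
        """
        # Certificate manager is on la-vmh-11 (LXC 11215)
        node = config.get_node('la-vmh-11')
        if not node:
            raise ValueError("Node 'la-vmh-11' not found in config")

        self.host = node['host']
        # NOTE(review): the optional node password stays on the instance next
        # to the key path, and the default user is root. How SSHClient picks
        # between key and password is not visible here -- confirm it prefers
        # the key, and keep this object out of logs and debug dumps.
        self.password = node.get('pass')
        self.user = config.get('proxmox.user', 'root')
        self.ssh_key = config.get('proxmox.ssh_key_path')
        self.client = SSHClient(self.host, self.user, self.ssh_key, self.password)
        self.lxc_id = "11215"
        self.shared_path = "/shared-certs"

    def exec_cert(self, cmd):
        """Run *cmd* inside the certificate container and return the raw result.

        ``cmd`` is interpolated unquoted into the command string handed to
        ``SSHClient.run``, so it must be a fixed, trusted string; never pass
        externally supplied text through this method. The return code is not
        checked here; callers inspect the result themselves.
        """
        return self.client.run(f"pct exec {self.lxc_id} -- {cmd}")

    def _exec_checked(self, cmd, failure):
        """Run *cmd* via ``exec_cert`` and raise ``RuntimeError`` on non-zero exit."""
        res = self.exec_cert(cmd)
        if res.returncode != 0:
            raise RuntimeError(f"{failure}: {res.stderr}")
        return res

    def list_certs(self):
        """Return the ``ls -lh`` listing of the shared certificate directory.

        Raises:
            RuntimeError: If the listing command exits non-zero (for example
                the directory is missing or the container is unreachable).
        """
        res = self._exec_checked(
            f"ls -lh {self.shared_path}", "Listing certificates failed"
        )
        return res.stdout

    def renew(self, force=False):
        """Run the renewal script in the container and return its stdout.

        Args:
            force: When true, append ``--force-update`` to the script call.

        Raises:
            RuntimeError: If the script exits non-zero.
        """
        script_path = "/root/local-config/infra-cert-mgr/scripts/dynamic-san-manager.sh"
        cmd = f"bash {script_path}"
        if force:
            cmd += " --force-update"

        res = self._exec_checked(cmd, "Certificate renewal failed")
        return res.stdout

    def check_expiry(self):
        """Return the ``openssl x509 -enddate`` output for the main wildcard cert.

        Raises:
            RuntimeError: If ``openssl`` exits non-zero. Without this check an
                unreadable or missing certificate would come back as an empty
                string, which monitoring could read as "nothing to report".
        """
        # Checks expiry of the main wildcard cert
        cmd = f"openssl x509 -enddate -noout -in {self.shared_path}/loopaware.com.pem"
        res = self._exec_checked(cmd, "Certificate expiry check failed")
        return res.stdout.strip()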