<?php
namespace App\Services;

use App\Models\TlsaRecord;

class TlsaService
{
    public function resolveMtaHost(): string
    {
        $base = env('BASE_DOMAIN', 'example.com');
        $sub  = env('MTA_SUB', 'mx') ?: 'mx';
        return "{$sub}.{$base}";
    }

    public function computeHashFromCert(string $host): ?string
    {
        $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
        if (!is_file($certPath)) return null;

        $cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
            . " | openssl pkey -pubin -outform DER"
            . " | openssl dgst -sha256";
        $out  = shell_exec($cmd.' 2>/dev/null') ?? '';
        $hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
        return $hash !== '' ? $hash : null;
    }

    public function refreshForMx(string $service = '_25._tcp'): ?TlsaRecord
    {
        $host = $this->resolveMtaHost();
        $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
        $hash = $this->computeHashFromCert($host);
        if (!$hash) return null;

        // DB upsert (global, domain_id = null)
        $rec = TlsaRecord::updateOrCreate(
            ['domain_id' => null, 'host' => $host, 'service' => $service],
            [
                'usage'     => 3,   // DANE-EE
                'selector'  => 1,   // SPKI
                'matching'  => 1,   // SHA-256
                'hash'      => $hash,
                'cert_path' => $certPath,
            ]
        );

        // Datei – nur aktualisieren, wenn sich der Hash ändert
        @mkdir('/etc/mailwolt/dns', 0755, true);
        $file = "/etc/mailwolt/dns/{$host}.tlsa.txt";
        $newLine = sprintf('%s.%s IN TLSA %d %d %d %s', $service, $host, 3, 1, 1, $hash);

        $needWrite = true;
        if (is_file($file)) {
            $current = trim((string)file_get_contents($file));
            if ($current === $newLine) {
                $needWrite = false;
            }
        }
        if ($needWrite) {
            file_put_contents($file, $newLine."\n");
        }

        return $rec;
    }
}
//
//namespace App\Services;
//
//use App\Models\TlsaRecord;
//
//class TlsaService
//{
//    public function resolveMtaHost(): string
//    {
//        $base = env('BASE_DOMAIN', 'example.com');
//        $sub  = env('MTA_SUB', 'mx') ?: 'mx';
//        return "{$sub}.{$base}";
//    }
//
//    public function computeHashFromCert(string $host): ?string
//    {
//        $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
//        if (!is_file($certPath)) return null;
//
//        $cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
//            . " | openssl pkey -pubin -outform DER"
//            . " | openssl dgst -sha256";
//        $out  = shell_exec($cmd.' 2>/dev/null') ?? '';
//        $hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
//        return $hash !== '' ? $hash : null;
//    }
//
//    /**
//     * Schreibt/aktualisiert TLSA in DB (global) + Datei unter /etc/mailwolt/dns/.
//     * Wir speichern ohne domain_id (global, nur pro Host/Service).
//     */
//    public function refreshForMx(string $service = '_25._tcp'): ?TlsaRecord
//    {
//        $host = $this->resolveMtaHost();
//        $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
//        $hash = $this->computeHashFromCert($host);
//        if (!$hash) return null;
//
//        // DB upsert (domain_id = null → globaler Eintrag)
//        $rec = TlsaRecord::updateOrCreate(
//            ['domain_id' => null, 'host' => $host, 'service' => $service],
//            [
//                'usage'     => 3,   // DANE-EE
//                'selector'  => 1,   // SPKI
//                'matching'  => 1,   // SHA-256
//                'hash'      => $hash,
//                'cert_path' => $certPath,
//            ]
//        );
//
//        // Datei schreiben (für externen DNS-Export etc.)
//        @mkdir('/etc/mailwolt/dns', 0755, true);
//        $line = sprintf('%s.%s IN TLSA %d %d %d %s',
//            $service, $host, 3, 1, 1, $hash);
//        file_put_contents("/etc/mailwolt/dns/{$host}.tlsa.txt", $line."\n");
//
//        return $rec;
//    }
//}