package ldap

import (
	"crypto/tls"
	"net"
	"strings"
	"time"

	"gitee.com/carlmax_my/console-core-go/pkg/errors"

	"github.com/go-ldap/ldap/v3"
	"github.com/randolphcyg/ldappool"
	"github.com/samber/lo"
)

var (
	DEF_LDAP_TIMEOUT time.Duration = 20 * time.Second
)

// 初始化连接池
func NewLdapPool(opts *LdapConnOptions) (ldappool.Pool, error) {
	// 初始化ldap连接池
	ldapPool, err := ldappool.NewChannelPool(1, 1000, "originalLdapPool",
		func(s string) (ldap.Client, error) {

			var dialer = &net.Dialer{
				Timeout: lo.Ternary(opts.Timeout <= 0, DEF_LDAP_TIMEOUT, opts.Timeout),
			}

			var conn *ldap.Conn
			var err error
			if strings.HasPrefix(opts.ConnUrl, "ldaps://") {
				conn, err = ldap.DialURL(opts.ConnUrl, ldap.DialWithDialer(dialer), ldap.DialWithTLSConfig(&tls.Config{InsecureSkipVerify: true}))
			} else {
				conn, err = ldap.DialURL(opts.ConnUrl, ldap.DialWithDialer(dialer))
			}

			if err != nil {
				return nil, errors.Wrap(err, "Fail to dial ldap url")
			}

			if opts.SslEncryption {
				// 重新连接TLS
				if err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true, ClientAuth: tls.NoClientCert}); err != nil {
					return nil, errors.Wrap(err, "Fail to start ldap tls")
				}
			}

			// 与只读用户绑定
			if err = conn.Bind(opts.AdminAccount, opts.Password); err != nil {
				return nil, errors.Wrap(err, "ldap admin user auth failed")
			}
			return conn, nil
		}, []uint16{ldap.LDAPResultTimeLimitExceeded, ldap.ErrorNetwork})

	if err != nil {
		return nil, errors.Wrap(err, "ldap NewChannelPool error")
	}

	return ldapPool, nil
}