package tlsauth

import (
	"context"
	"crypto/x509"

	"tildegit.org/tjp/sliderule"
)

// Approver is a function that validates the client certificate presented
// with a request. It returns true to approve the request and false to deny it.
//
// It should not have to handle a nil argument.
//
// NOTE(review): a request may carry no client certificate at all
// (RequireSpecificIdentity guards against a nil result from Identity), so an
// Approver that inspects the certificate should deny when it is absent
// rather than fall through to approval.
type Approver func(context.Context, *sliderule.Request) bool

// RequireSpecificIdentity returns an Approver that approves a request only
// when the certificate Identity reports for it is exactly the given identity.
//
// The match is made with x509.Certificate.Equal, which compares the raw
// encoded certificates, so this is a pin on one exact certificate: a
// re-issued certificate for the same key or subject does not match. Nothing
// here consults the validity period (NotBefore/NotAfter) or revocation; a
// deployment that needs those must check them separately.
//
// A request with no certificate is denied. A nil identity can never equal a
// presented certificate, so it yields an approver that denies every request.
func RequireSpecificIdentity(identity *x509.Certificate) Approver {
	return func(_ context.Context, request *sliderule.Request) bool {
		presented := Identity(request)
		if presented == nil {
			// No client certificate on the request: fail closed.
			return false
		}
		return identity.Equal(presented)
	}
}

// Allow is an Approver that approves every request unconditionally.
//
// It inspects neither the context nor the request, so a request with no
// client certificate is approved as well; it performs no authentication.
func Allow(_ context.Context, _ *sliderule.Request) bool {
	return true
}

// Reject is an Approver that denies every request unconditionally.
//
// It inspects neither the context nor the request, so the result is false
// no matter which certificate, if any, was presented.
func Reject(_ context.Context, _ *sliderule.Request) bool {
	return false
}