"""SSL context builder for Silo API clients."""

import os
import ssl


def build_ssl_context(verify: bool = True, cert_path: str = "") -> ssl.SSLContext:
    """Build an SSL context honouring the caller's verify/cert preferences.

    Args:
        verify: Whether to verify server certificates.
        cert_path: Optional path to a custom CA certificate file.

    Returns:
        A configured ``ssl.SSLContext``.
    """
    ctx = ssl.create_default_context()

    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if cert_path and os.path.isfile(cert_path):
        try:
            ctx.load_verify_locations(cert_path)
        except Exception:
            pass

    # The bundled Python may not find the system CA store automatically
    # (its compiled-in path points to the build environment).  Load the
    # system CA bundle explicitly so internal CAs (e.g. FreeIPA) are trusted.
    for ca_path in (
        "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
        "/etc/pki/tls/certs/ca-bundle.crt",  # RHEL / CentOS
    ):
        if os.path.isfile(ca_path):
            try:
                ctx.load_verify_locations(ca_path)
            except Exception:
                pass
            break

    return ctx