#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
生成 wpa_supplicant STA 配置（不经过 shell / wpa_passphrase），避免中文 SSID 在 /bin/sh 传参时被破坏。

与 wpa_passphrase 一致：PMK = PBKDF2-SHA1(password_utf8, ssid_utf8, 4096, 32)，
ssid 行使用 UTF-8 字节的十六进制（无引号），与 wpa_supplicant 文档一致。
"""
from __future__ import annotations

import hashlib

_CTRL_HEADER = (
    "ctrl_interface=/var/run/wpa_supplicant\n"
    "update_config=1\n\n"
)


def _ssid_utf8_bytes(ssid: str) -> bytes:
    b = (ssid or "").encode("utf-8")
    if not b:
        raise ValueError("SSID 为空")
    if len(b) > 32:
        raise ValueError("SSID UTF-8 超过 32 字节")
    return b


def build_sta_conf_psk(ssid: str, password: str) -> str:
    """WPA2-PSK STA：完整 wpa_supplicant.conf 文本。"""
    ssid_b = _ssid_utf8_bytes(ssid)
    pw = (password or "").encode("utf-8")
    if len(pw) < 8 or len(pw) > 63:
        raise ValueError("WPA2-PSK 密码长度应为 8–63 字节（UTF-8）")
    pmk = hashlib.pbkdf2_hmac("sha1", pw, ssid_b, 4096, 32)
    net = (
        "network={\n"
        f"\tssid={ssid_b.hex()}\n"
        f"\tpsk={pmk.hex()}\n"
        "}\n"
    )
    return _CTRL_HEADER + net


def build_sta_conf_open(ssid: str) -> str:
    """开放网络 STA：完整 wpa_supplicant.conf 文本。"""
    ssid_b = _ssid_utf8_bytes(ssid)
    net = (
        "network={\n"
        f"\tssid={ssid_b.hex()}\n"
        "\tkey_mgmt=NONE\n"
        "}\n"
    )
    return _CTRL_HEADER + net