//! Key rotation tasks of the relay.

use anyhow::Context;

use std::{

    sync::Arc,

    time::{Duration, SystemTime},

};

use tor_basic_utils::rand_hostname;

use tor_cert::x509::TlsKeyAndCert;

use tor_chanmgr::ChanMgr;

use tor_error::internal;

use tor_key_forge::ToEncodableCert;

use tor_keymgr::{

    CertSpecifierPattern, KeyCertificateSpecifier, KeyMgr, KeyPath, KeySpecifier,

    KeySpecifierPattern, Keygen, KeystoreSelector, ToEncodableKey,

};

use tor_proto::RelayIdentities;

use tor_relay_crypto::{

    RelaySigningKeyCert, gen_link_cert, gen_signing_cert, gen_tls_cert,

    pk::{

        RelayIdentityKeypair, RelayIdentityKeypairSpecifier, RelayIdentityRsaKeypair,

        RelayIdentityRsaKeypairSpecifier, RelayLinkSigningKeypair,

        RelayLinkSigningKeypairSpecifier, RelayLinkSigningKeypairSpecifierPattern,

        RelaySigningKeyCertSpecifier, RelaySigningKeyCertSpecifierPattern, RelaySigningKeypair,

        RelaySigningKeypairSpecifier, RelaySigningKeypairSpecifierPattern,

        RelaySigningPublicKeySpecifier, Timestamp,

    },

};

use tor_rtcompat::{Runtime, SleepProviderExt};

/// Buffer time before key expiry to trigger rotation. This ensures we rotate slightly before the

/// key actually expires rather than right at or after expiry.

///

/// C-tor uses 3 hours for the link/auth key and 1 day for the signing key. Let's use 3 hours here,

/// it should be plenty to make it happen even if hiccups happen.

const KEY_ROTATION_EXPIRE_BUFFER: Duration = Duration::from_secs(3 * 60 * 60);

/// Key lifefime duration of 2 days

const KEY_DURATION_2DAYS: Duration = Duration::from_secs(2 * 24 * 60 * 60);

/// Key lifefime duration of 30 days

const KEY_DURATION_30DAYS: Duration = Duration::from_secs(30 * 24 * 60 * 60);

/// Key lifefime duration of 6 months

const KEY_DURATION_6MONTHS: Duration = Duration::from_secs(6 * 30 * 24 * 60 * 60);

/// Build a fresh [`RelayIdentities`] object using a [`KeyMgr`].

///

/// Every single certificate is generated in this function.

///

/// This function assumes that all required keys are in the keymgr.

    // Get the identity keypairs.

    // We have to list match here because the key specifier here uses a valid_until. We don't know

    // what it is so we list and take the first one.

        )

        )

    // TLS key and cert. Random hostname like C-tor. We re-use the issuer_hostname for the RSA

    // legacy cert.

    // Create the RSA X509 certificate.

    )

    // The following expiry duration have been taken from C-tor.

    // Create the signing key cert, link cert and tls cert.

    //

    // TODO(relay): We need to check the KeyMgr for the signing cert but for now the KeyMgr API

    // doesn't allow us to get it out. We will do a re-design of the cert API there. This is fine

    // as long as we don't support offline keys.

/// Generate a key `K` directly into the key manager.

///

/// If the key already exists, the error is ignored as this could happen if the system time drifts

/// between the get and the generate.

{

        // Key already existing can happen due to wall clock strangeness,

        // so simply ignore it.

    };

/// Go through keystore entries matching `pattern` and remove any that are within

/// [`KEY_ROTATION_EXPIRE_BUFFER`] of expiry.

///

/// Returns `(removed, min_remaining)` where `removed` indicates whether any entry was deleted and

/// `min_remaining` is the minimum `valid_until` of the entries that were kept (if any).

{

        } else {

            min_valid_until =

        }

    }

/// Attempt to generate a key using the given [`KeySpecifier`].

///

/// Return true if generated else false.

{

/// Attempt to generate a key and cert using the given [`KeyCertificateSpecifier`] which is signed

/// by the given [`KeySpecifier]` in `signing_key_spec`.

///

/// The `make_certificate` is used to generate the certificate stored in the [`KeyMgr`].

///

/// Return true if generated else false.

{

/// Try to generate all keys and certs needed for a relay.

///

/// This tries to generate the [`RelayLinkSigningKeypair`] and the [`RelaySigningKeypair`] +

/// [`RelaySigningKeyCert`]. Note that identity keys are NOT generated within this function, it is

/// only attempted once at boot time. This is so we avoid retrying to generate them at each key

/// rotation as those identity keys never rotate.

///

/// Returns the minimum valid until value if a key was generated. Else, a None value indicates that

/// no key was generated.

    // The make certificate function needed for the get_or_generate_key_and_cert(). It is a closure

    // so we can capture the runtime wallclock.

    // We either get the existing one or generate this new one.

    ));

/// Remove any expired keys (and certs) that are expired.

///

/// Return (`removed`, `next_expiry`) where the `removed` indicates if at least one key has been

/// removed because it was expired. The `next_expiry` is the minimum value of all valid_until which

/// indicates the next closest expiry time.

        "key KP_relaysign_ed",

        "key KP_link_ed",

    // This should always be removed if the signing key above has been removed. However, we still

    // do a pass at the keystore considering the upcoming offline key feature that might have more

    // than one expired cert in the keystore.

        "signing key cert",

    // Have we at least removed one?

/// Attempt to rotate all keys except identity keys.

///

/// Returns (rotated, next_expiry) where `rotated` indicates if any key was rotated and

/// `next_expiry` is the earliest expiry time across all keys.

    // First do a pass to remove every expired key(s) or/and cert(s).

    // Then attempt to generate keys. If at least one was generated, we'll get the min expiry time

    // which we need to consider "rotated" so the caller can know that a new key appeared.

    // We should never get no expiry time.

/// Attempt to generate all keys. The list of keys is:

///

/// * Identity Ed25519 keypair [`RelayIdentityKeypair`].

/// * Identity RSA [`RelayIdentityRsaKeypair`].

/// * Relay signing keypair [`RelaySigningKeypair`].

/// * Relay link signing keypair [`RelayLinkSigningKeypair`].

///

/// This function is only called when our relay bootstraps in order to attempt to generate any

/// missing keys or/and rotate expired keys.

    // Attempt to generate our identity keys (ed and RSA). Those keys DO NOT rotate. It won't be

    // replaced if they already exists.

    // Attempt to rotate the keys. Any missing keys (and cert) will be generated.

    // Now that we have our up-to-date keys, build the RelayIdentities object.

/// Task to rotate keys when they need to be rotated.

    loop {

        // Attempt a rotation of all keys.

        // Sleep until the earliest key expiry minus buffer so we rotate before it expires.

        // If the subtraction would underflow, wake up immediately to rotate the expired key.

    }

#[cfg(test)]

mod test {

    // @@ begin test lint list maintained by maint/add_warning @@

    #![allow(clippy::bool_assert_comparison)]

    #![allow(clippy::clone_on_copy)]

    #![allow(clippy::dbg_macro)]

    #![allow(clippy::mixed_attributes_style)]

    #![allow(clippy::print_stderr)]

    #![allow(clippy::print_stdout)]

    #![allow(clippy::single_char_pattern)]

    #![allow(clippy::unwrap_used)]

    #![allow(clippy::unchecked_time_subtraction)]

    #![allow(clippy::useless_vec)]

    #![allow(clippy::needless_pass_by_value)]

    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->

    use super::*;

    use tor_keymgr::{ArtiEphemeralKeystore, KeyMgrBuilder};

    use tor_relay_crypto::pk::{

        RelayLinkSigningKeypairSpecifierPattern, RelaySigningKeypairSpecifierPattern,

    };

    use tor_rtcompat::SleepProvider;

    use tor_rtmock::MockRuntime;

    /// Generate the non-rotating identity keys so the rest of the key machinery can run.

    fn setup_identity_keys(keymgr: &KeyMgr) {

        use tor_relay_crypto::pk::{

            RelayIdentityKeypair, RelayIdentityKeypairSpecifier, RelayIdentityRsaKeypair,

            RelayIdentityRsaKeypairSpecifier,

        };

        generate_key::<RelayIdentityKeypair>(keymgr, &RelayIdentityKeypairSpecifier::new())

            .unwrap();

        generate_key::<RelayIdentityRsaKeypair>(keymgr, &RelayIdentityRsaKeypairSpecifier::new())

            .unwrap();

    }

    /// Initialize test basics that is runtime and a KeyMgr.

    fn new_keymgr() -> KeyMgr {

        let store = Box::new(ArtiEphemeralKeystore::new("test".to_string()));

        KeyMgrBuilder::default()

            .primary_store(store)

            .build()

            .unwrap()

    }

    /// Initial setup of a test. Build a mock runtime, key manager and setup identity keys.

    fn setup() -> KeyMgr {

        let keymgr = new_keymgr();

        setup_identity_keys(&keymgr);

        keymgr

    }

    /// Return a [`Timestamp`] given a [`SystemTime`] rounded down to its nearest second.

    ///

    /// In other words, the `tv_nsec` of a [`SystemTime`] is dropped.

    fn to_timestamp_in_secs(valid_until: SystemTime) -> Timestamp {

        use std::time::UNIX_EPOCH;

        let seconds = valid_until.duration_since(UNIX_EPOCH).unwrap().as_secs();

        Timestamp::from(UNIX_EPOCH + Duration::from_secs(seconds))

    }

    /// Return the number of link keys in the given KeyMgr.

    fn count_link_keys(keymgr: &KeyMgr) -> usize {

        keymgr

            .list_matching(

                &RelayLinkSigningKeypairSpecifierPattern::new_any()

                    .arti_pattern()

                    .unwrap(),

            )

            .unwrap()

            .len()

    }

    /// Return the number of signing keys in the given KeyMgr.

    fn count_signing_keys(keymgr: &KeyMgr) -> usize {

        keymgr

            .list_matching(

                &RelaySigningKeypairSpecifierPattern::new_any()

                    .arti_pattern()

                    .unwrap(),

            )

            .unwrap()

            .len()

    }

    /// Test the actual bootstrap function, `try_generate_keys()` which is in charge of

    /// initializing the identities.

    #[test]

    fn test_bootstrap() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = new_keymgr();

            let _identities = match try_generate_keys(&runtime, &keymgr) {

                Ok(ident) => ident,

                Err(e) => {

                    panic!("Unable to bootstrap keys and generate RelayIdentities: {e}");

                }

            };

        });

    }

    /// Simulate the bootstrap when no keys exists. We should have one link key and one signing key

    /// after the first rotation.

    #[test]

    fn test_initial_key_generation() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            let now = runtime.wallclock();

            let (rotated, next_expiry) = try_rotate_keys(now, &keymgr).unwrap();

            assert!(

                rotated,

                "keys should be reported as generated on first rotation"

            );

            assert_eq!(count_link_keys(&keymgr), 1, "expected one link key");

            assert_eq!(count_signing_keys(&keymgr), 1, "expected one signing key");

            // The earliest expiry should be the link key (~2 days out).

            let expected = runtime.wallclock() + KEY_DURATION_2DAYS;

            assert_eq!(

                next_expiry, expected,

                "next expiry should be ~{KEY_DURATION_2DAYS:?} from now, got {next_expiry:?}"

            );

        });

    }

    /// Calling rotate_keys a second time with fresh keys should indicate no rotation.

    #[test]

    fn test_rotation_on_fresh_keys() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            let now = runtime.wallclock();

            try_rotate_keys(now, &keymgr).unwrap();

            // Advance by 1 hour (inside 2 days of link key).

            runtime.advance_by(Duration::from_secs(60 * 60)).await;

            let (rotated, _) = try_rotate_keys(now, &keymgr).unwrap();

            assert!(!rotated, "fresh keys must not trigger a rotation");

            assert_eq!(count_link_keys(&keymgr), 1, "expected one link key");

            assert_eq!(count_signing_keys(&keymgr), 1, "expected one signing key");

        });

    }

    /// Test rotation before and after rotation expiry buffer for the link key.

    #[test]

    fn test_rotation_link_key() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            // First rotation creates the keys.

            try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            // Advance to 1 second _before_ the rotation-buffer threshold. We should not rotate

            // with this.

            let just_before =

                KEY_DURATION_2DAYS - KEY_ROTATION_EXPIRE_BUFFER - Duration::from_secs(1);

            runtime.advance_by(just_before).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(

                !rotated,

                "link key MUST NOT rotate before the expiry buffer threshold"

            );

            assert_eq!(count_link_keys(&keymgr), 1, "expected one link key");

            assert_eq!(count_signing_keys(&keymgr), 1, "expected one signing key");

            // Move it just after the expiry buffer and expect a rotation.

            let just_after =

                KEY_DURATION_2DAYS - KEY_ROTATION_EXPIRE_BUFFER + Duration::from_secs(1);

            runtime.advance_by(just_after).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(

                rotated,

                "link key should rotate inside the expiry buffer threshold"

            );

        });

    }

    /// Test rotation before and after rotation expiry buffer for the signing key.

    #[test]

    fn test_rotation_signing_key() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            // First rotation creates the keys.

            try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            // Closure to get the relay signing key keystore entry.

            let get_key_spec = || {

                let entries = keymgr

                    .list_matching(

                        &RelaySigningKeypairSpecifierPattern::new_any()

                            .arti_pattern()

                            .unwrap(),

                    )

                    .unwrap();

                let entry = entries.first().unwrap();

                let spec: RelaySigningKeypairSpecifier = entry.key_path().try_into().unwrap();

                spec

            };

            // Advance to 1 second _before_ the rotation-buffer threshold. We should not rotate

            // with this.

            let just_before =

                KEY_DURATION_30DAYS - KEY_ROTATION_EXPIRE_BUFFER - Duration::from_secs(1);

            runtime.advance_by(just_before).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(rotated, "Rotation must happen after 30 days");

            let spec = get_key_spec();

            assert_eq!(

                spec.valid_until(),

                to_timestamp_in_secs(

                    runtime.wallclock() + KEY_ROTATION_EXPIRE_BUFFER + Duration::from_secs(1)

                ),

                "RelaySigningKeypairSpecifier should not have rotated"

            );

            assert_eq!(count_link_keys(&keymgr), 1, "expected one link key");

            assert_eq!(count_signing_keys(&keymgr), 1, "expected one signing key");

            // Move it just after the expiry buffer and expect a rotation.

            let just_after =

                KEY_DURATION_30DAYS - KEY_ROTATION_EXPIRE_BUFFER + Duration::from_secs(1);

            runtime.advance_by(just_after).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(rotated, "Rotation must happen after 30 days");

            let spec = get_key_spec();

            assert_eq!(

                spec.valid_until(),

                to_timestamp_in_secs(runtime.wallclock() + KEY_DURATION_30DAYS),

                "RelaySigningKeypairSpecifier should have rotated"

            );

        });

    }

}