//! The `keys` subcommand.

// TODO: The output of these subcommands needs improvement. Also, some of the `display_` functions

// are repetitive and redundant.

use std::ops::Deref;

use std::str::FromStr;

use anyhow::Result;

use arti_client::{InertTorClient, TorClient, TorClientConfig};

use clap::{ArgMatches, Args, FromArgMatches, Parser, Subcommand};

use tor_keymgr::{KeyMgr, KeystoreEntry, KeystoreEntryResult, KeystoreId, UnrecognizedEntryError};

use tor_rtcompat::Runtime;

use crate::{ArtiConfig, subcommands::prompt};

#[cfg(feature = "onion-service-service")]

use tor_hsservice::OnionService;

/// Length of a line, used for formatting

// TODO: use COLUMNS instead of an arbitrary LINE_LEN

const LINE_LEN: usize = 80;

/// The `keys` subcommands the arti CLI will be augmented with.

#[derive(Debug, Parser)]

pub(crate) enum KeysSubcommands {

    /// Run keystore management commands.

    #[command(subcommand)]

    Keys(KeysSubcommand),

}

/// The `keys` subcommand.

#[derive(Subcommand, Debug, Clone)]

pub(crate) enum KeysSubcommand {

    /// List keys and certificates.

    ///

    /// Note: The output fields "Location" and "Keystore ID" represent,

    /// respectively, the raw identifier of an entry (e.g. <ARTI_PATH>.<ENTRY_TYPE>

    /// for `ArtiNativeKeystore`), and the identifier of the keystore that

    /// contains the entry.

    List(ListArgs),

    /// List keystores.

    ListKeystores,

    /// Validate the integrity of keystores.

    ///

    /// Detects and reports unrecognized entries and paths, as well as

    /// malformed or expired keys.

    ///

    /// Such entries will be removed if this command is invoked with `--sweep`.

    CheckIntegrity(CheckIntegrityArgs),

}

/// The arguments of the [`List`](KeysSubcommand::List) subcommand.

#[derive(Debug, Clone, Args)]

pub(crate) struct ListArgs {

    /// Identifier of the keystore.

    ///

    /// If omitted, keys and certificates

    /// from all the keystores will be returned.

    #[arg(short, long)]

    keystore_id: Option<String>,

}

/// The arguments of the [`CheckIntegrity`](KeysSubcommand::CheckIntegrity) subcommand.

#[derive(Debug, Clone, Args)]

pub(crate) struct CheckIntegrityArgs {

    /// Identifier of the keystore.

    ///

    /// If omitted, keys and certificates

    /// from all the keystores will be checked.

    #[arg(short, long)]

    keystore_id: Option<KeystoreId>,

    /// Remove the detected invalid keystore entries.

    #[arg(long, short, default_value_t = false)]

    sweep: bool,

    /// With this flag active no prompt will be shown

    /// and no confirmation will be asked.

    // TODO: Rephrase this and the `batch` flags of the

    // other commands in the present tense.

    #[arg(long, short, default_value_t = false)]

    batch: bool,

}

/// A set of invalid keystore entries associated with a keystore ID.

/// This struct is used solely to reduce type complexity; it does not

/// perform any validation (e.g., whether the entries actually belong

/// to the keystore indicated by the ID).

#[derive(Clone)]

struct InvalidKeystoreEntries<'a> {

    /// The `KeystoreId` that the entries are expected to belong to.

    keystore_id: KeystoreId,

    /// The list of invalid entries that logically belong to the keystore identified

    /// by `keystore_id`.

    entries: Vec<InvalidKeystoreEntry<'a>>,

}

/// An invalid keystore entry associated with the error that caused it to be

/// invalid. This struct is used solely to reduce type complexity; it does not

/// perform any validation (e.g., whether the `error_msg` actually corresponds

/// to the error that caused the invalid entry).

#[derive(Clone)]

struct InvalidKeystoreEntry<'a> {

    /// The entry

    entry: KeystoreEntryResult<KeystoreEntry<'a>>,

    /// The error message derived from the error that caused the entry to be invalid.

    /// This field is needed (even if `Err(UnrecognizedEntryError)` contains the error) because `Ok(KeystoreEntry)`s could be invalid too.

    error_msg: String,

}

/// Run the `keys` subcommand.

        ),

    }

/// Print information about a keystore entry.

        }

    }

/// Print information about an unrecognized keystore entry.

    #[allow(clippy::single_match)]

        // NOTE: For the time being Arti only supports

        // on-disk keystores, but more supported medium

        // will be added.

        }

    }

/// Run the `keys list` subcommand.

    // TODO: in the future we could group entries by their type

    // (recognized, unrecognized and unrecognized path).

    // That way we don't need to print "Unrecognized path",

    // "Unrecognized" entry etc. for each unrecognized entry.

            );

        }

        None => {

            );

        }

    }

/// Run `keys list-keystores` subcommand.

    }

/// Run `keys check-integrity` subcommand.

    };

    // Unlike `keystores`, which has type `Vec<(KeystoreId, Vec<KeystoreEntryResult<KeystoreEntry>>)>`,

    // `affected_keystores` has type `InvalidKeystoreEntries`. This distinction is

    // necessary because the entries in `keystores` will be evaluated, and if any are

    // found to be invalid, the associated error messages must be stored somewhere

    // for later display.

    cfg_if::cfg_if! {

        if #[cfg(feature = "onion-service-service")] {

            // `service` cannot be dropped as long as `expired_entries` is in use, since

            // `expired_entries` holds references to `services`.

        }

    }

                }

        cfg_if::cfg_if! {

            if #[cfg(feature = "onion-service-service")] {

                // For the current keystore, transfer its expired keys from `expired_entries`

                // to `invalid_entries`.

                        }

                    }

            }

        }

    }

    // Expired entries are obtained from the registered keystore. Since we have iterated over every

    // registered keystore and removed all entries associated with the current keystore, the

    // collection `expired_entries` should be empty. If it is not, there is a bug (see

    // [`OnionService::list_expired_keys`]).

    cfg_if::cfg_if! {

        if #[cfg(feature = "onion-service-service")] {

        }

    }

/// Helper function for `run_check_integrity` that reduces cognitive complexity.

///

/// Displays invalid keystore entries grouped by `KeystoreId`, showing the `raw_id`

/// of each key and the associated error message in a unified report to the user.

/// If no invalid entries are provided, nothing is printed.

    for InvalidKeystoreEntries {

    {

            };

        }

    }

/// Helper function of `run_list_keys`, reduces cognitive complexity.

        }

    }

/// Helper function for `run_check_integrity`.

///

/// Creates an [`OnionService`] for each configured hidden service.

#[cfg(feature = "onion-service-service")]

        );

    }

/// Helper function for `run_check_integrity`.

///

/// Gathers all expired keys from the provided hidden services.

#[cfg(feature = "onion-service-service")]

        );

    }

/// Helper function for `run_check_integrity`.

///

/// Removes invalid keystore entries.

/// Prints an error message if one or more entries fail to be removed.

/// Returns `Err` if an I/O error occurs.

    for InvalidKeystoreEntries {

        keystore_id: _,

    {

        for InvalidKeystoreEntry {

            error_msg: _,

        {

            };

        }

    }

/// Helper function for `display_invalid_keystore_entries` that reduces cognitive complexity.

///

/// Produces and displays the opening section of the final output, given a list of keystores

/// containing invalid entries and their IDs. This function does not check whether

/// `affected_keystores` or the inner collections are empty.