//! Read-only C Tor service key store implementation

//!

//! See [`CTorServiceKeystore`] for more details.

use crate::keystore::ctor::CTorKeystore;

use crate::keystore::ctor::err::{CTorKeystoreError, MalformedServiceKeyError};

use crate::keystore::fs_utils::{FilesystemAction, FilesystemError, checked_op};

use crate::keystore::{EncodableItem, ErasedKey, KeySpecifier, Keystore, KeystoreId};

use crate::raw::RawEntryId;

use crate::{

    CTorPath, KeyPath, KeystoreEntry, KeystoreEntryResult, Result, UnrecognizedEntry,

    UnrecognizedEntryError,

};

use fs_mistrust::Mistrust;

use tor_basic_utils::PathExt as _;

use tor_error::internal;

use tor_key_forge::{KeyType, KeystoreItemType};

use tor_llcrypto::pk::ed25519;

use tor_persist::hsnickname::HsNickname;

use std::io;

use std::path::{Path, PathBuf};

use std::result::Result as StdResult;

#[allow(unused_imports)]

use std::str::FromStr;

use std::sync::Arc;

use itertools::Itertools;

use walkdir::WalkDir;

/// A read-only C Tor service keystore.

///

/// This keystore provides read-only access to the hidden service keys

/// rooted at a given `HiddenServiceDirectory` directory

/// (see `HiddenServiceDirectory` in `tor(1)`).

///

/// This keystore can be used to read the `HiddenServiceDirectory/private_key`

/// and `HiddenServiceDirectory/public_key` C Tor keys, specified by

/// [`CTorPath::HsIdKeypair`] (with [`KeyType::Ed25519ExpandedKeypair`])

/// and [`CTorPath::HsIdPublicKey`] (with [`KeyType::Ed25519PublicKey`]),

/// respectively. Any other files stored in `HiddenServiceDirectory` will be ignored.

///

/// The only supported [`Keystore`] operations are [`contains`](Keystore::contains),

/// [`get`](Keystore::get), and [`list`](Keystore::list). All other keystore operations

/// will return an error.

///

/// This keystore implementation uses the [`CTorPath`] of the requested [`KeySpecifier`]

/// and the [`KeystoreItemType`] to identify the appropriate key.

/// If the requested `CTorPath` is not

/// [`HsIdPublicKey`](CTorPath::HsIdPublicKey) or

/// [`HsIdKeypair`](CTorPath::HsIdKeypair),

/// or if the [`HsNickname`] specified in the `CTorPath` does not match the nickname of this store,

/// the key will be declared not found.

/// If the requested `CTorPath` is

/// [`HsIdPublicKey`](CTorPath::HsIdPublicKey) or

/// [`HsIdKeypair`](CTorPath::HsIdKeypair),

/// but the `ItemType` and [`CTorPath`] are mismatched,

/// an error is returned.

pub struct CTorServiceKeystore {

    /// The underlying keystore

    keystore: CTorKeystore,

    /// The nickname of the service this keystore is meant for

    nickname: HsNickname,

}

impl CTorServiceKeystore {

    /// Create a new `CTorServiceKeystore`

    /// rooted at the specified `keystore_dir` directory.

    ///

    /// This function returns an error if `keystore_dir` is not a directory,

    /// or if it does not conform to the requirements of the specified `Mistrust`.

}

/// Extract the key path (relative to the keystore root) from the specified result `res`,

/// or return an error.

///

/// If `res` is `None`, return `ret`.

macro_rules! rel_path_if_supported {

    ($self:expr, $spec:expr, $ret:expr, $item_type:expr) => {{

        use CTorPath::*;

        use KeystoreItemType::*;

        // If the key specifier doesn't have a CTorPath,

        // we can't possibly handle this key.

        let Some(ctor_path) = $spec.ctor_path() else {

            return $ret;

        };

        // This keystore only deals with service keys...

        let nickname = match &ctor_path {

            HsClientDescEncKeypair { .. } => return $ret,

            HsIdKeypair { nickname } | HsIdPublicKey { nickname } => nickname,

        };

        // ...more specifically, it has the service keys of a *particular* service

        // (identified by nickname).

        if nickname != &$self.nickname {

            return $ret;

        };

        let relpath = $self

            .keystore

            .rel_path(PathBuf::from(ctor_path.to_string()));

        match ($item_type, &ctor_path) {

            (Key(KeyType::Ed25519ExpandedKeypair), HsIdKeypair { .. })

            | (Key(KeyType::Ed25519PublicKey), HsIdPublicKey { .. }) => Ok(()),

            _ => Err(CTorKeystoreError::InvalidKeystoreItemType {

                item_type: $item_type.clone(),

                item: format!("key {}", relpath.rel_path_unchecked().display_lossy()),

            }),

        }?;

        relpath

    }};

}

impl Keystore for CTorServiceKeystore {

            }

        };

        // The path exists, now check that it's actually a file and not a directory or symlink.

        } else {

        }

        use KeystoreItemType::*;

        };

            _ => {

            }

        };

    #[cfg(feature = "onion-service-cli-extra")]

    #[cfg(feature = "onion-service-cli-extra")]

        // This keystore can contain at most 2 keys (the public and private

        // keys of the service)

                    self,

                );

        // TODO: this block presents duplication with the equivalent

        // [`ArtiNativeKeystore`](crate::ArtiNativeKeystore) implementation

                        FilesystemError::Io {

                        }

                // Skip over directories as they won't be valid ctor-paths

                    /* This error should be impossible. */

                        "found key {} outside of keystore_dir {}?!",

                    )

                    // Check the properties of the parent directory by attempting to list its

                    // contents.

                // Check if path is one of the valid C Tor service key paths

                    None => {

                    }

                };

}

/// Helper for parsing C Tor's ed25519 key format.

macro_rules! parse_ed25519 {

    ($key:expr, $parse_fn:expr, $tag:expr, $key_len:expr) => {{

        let expected_len = $tag.len() + $key_len;

        if $key.len() != expected_len {

            return Err(MalformedServiceKeyError::InvalidKeyLen {

                len: $key.len(),

                expected_len,

            });

        }

        let (tag, key) = $key.split_at($tag.len());

        if tag != $tag {

            return Err(MalformedServiceKeyError::InvalidTag {

                tag: tag.to_vec(),

                expected_tag: $tag.into(),

            });

        }

        ($parse_fn)(key)

    }};

}

/// Helper for parsing C Tor's ed25519 public key format.

    /// The tag C Tor ed25519 public keys are expected to begin with.

    const PUBKEY_TAG: &[u8] = b"== ed25519v1-public: type0 ==\0\0\0";

    /// The size of an ed25519 public key.

    const PUBKEY_LEN: usize = 32;

        PUBKEY_LEN

    )

/// Helper for parsing C Tor's ed25519 keypair format.

    /// The tag C Tor ed25519 keypairs are expected to begin with.

    const KEYPAIR_TAG: &[u8] = b"== ed25519v1-secret: type0 ==\0\0\0";

    /// The size of an ed25519 keypair.

    const KEYPAIR_LEN: usize = 64;

        KEYPAIR_LEN

    )

#[cfg(test)]

mod tests {

    // @@ begin test lint list maintained by maint/add_warning @@

    #![allow(clippy::bool_assert_comparison)]

    #![allow(clippy::clone_on_copy)]

    #![allow(clippy::dbg_macro)]

    #![allow(clippy::mixed_attributes_style)]

    #![allow(clippy::print_stderr)]

    #![allow(clippy::print_stdout)]

    #![allow(clippy::single_char_pattern)]

    #![allow(clippy::unwrap_used)]

    #![allow(clippy::unchecked_time_subtraction)]

    #![allow(clippy::useless_vec)]

    #![allow(clippy::needless_pass_by_value)]

    #![allow(clippy::string_slice)] // See arti#2571

    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->

    use super::*;

    use std::fs;

    use tempfile::{TempDir, tempdir};

    use crate::test_utils::{DummyKey, TestCTorSpecifier, assert_found};

    const PUBKEY: &[u8] = include_bytes!("../../../testdata/tor-service/hs_ed25519_public_key");

    const PRIVKEY: &[u8] = include_bytes!("../../../testdata/tor-service/hs_ed25519_secret_key");

    #[cfg(unix)]

    use std::os::unix::fs::PermissionsExt;

    fn init_keystore(id: &str, nickname: &str) -> (CTorServiceKeystore, TempDir) {

        let keystore_dir = tempdir().unwrap();

        #[cfg(unix)]

        fs::set_permissions(&keystore_dir, fs::Permissions::from_mode(0o700)).unwrap();

        let id = KeystoreId::from_str(id).unwrap();

        let nickname = HsNickname::from_str(nickname).unwrap();

        let keystore = CTorServiceKeystore::from_path_and_mistrust(

            &keystore_dir,

            &Mistrust::default(),

            id,

            nickname,

        )

        .unwrap();

        const KEYS: &[(&str, &[u8])] = &[

            ("hs_ed25519_public_key", PUBKEY),

            ("hs_ed25519_secret_key", PRIVKEY),

        ];

        for (name, key) in KEYS {

            fs::write(keystore_dir.path().join(name), key).unwrap();

        }

        (keystore, keystore_dir)

    }

    #[test]

    fn get() {

        let (keystore, _keystore_dir) = init_keystore("foo", "allium-cepa");

        let unk_nickname = HsNickname::new("acutus-cepa".into()).unwrap();

        let path = CTorPath::HsIdPublicKey {

            nickname: unk_nickname.clone(),

        };

        // Not found!

        assert_found!(

            keystore,

            &TestCTorSpecifier(path.clone()),

            &KeyType::Ed25519PublicKey,

            false

        );

        // But if we use the right nickname (i.e. the one matching the keystore's nickname),

        // the key is found.

        let path = CTorPath::HsIdPublicKey {

            nickname: keystore.nickname.clone(),

        };

        assert_found!(

            keystore,

            &TestCTorSpecifier(path.clone()),

            &KeyType::Ed25519PublicKey,

            true

        );

        let path = CTorPath::HsIdKeypair {

            nickname: keystore.nickname.clone(),

        };

        assert_found!(

            keystore,

            &TestCTorSpecifier(path.clone()),

            &KeyType::Ed25519ExpandedKeypair,

            true

        );

    }

    #[test]

    fn unsupported_operation() {

        let (keystore, _keystore_dir) = init_keystore("foo", "allium-cepa");

        let path = CTorPath::HsIdPublicKey {

            nickname: keystore.nickname.clone(),

        };

        let err = keystore

            .remove(

                &TestCTorSpecifier(path.clone()),

                &KeyType::Ed25519PublicKey.into(),

            )

            .unwrap_err();

        assert_eq!(err.to_string(), "Operation not supported: remove");

        let err = keystore

            .insert(&DummyKey, &TestCTorSpecifier(path.clone()))

            .unwrap_err();

        assert_eq!(err.to_string(), "Operation not supported: insert");

    }

    #[test]

    fn wrong_keytype() {

        let (keystore, _keystore_dir) = init_keystore("foo", "allium-cepa");

        let path = CTorPath::HsIdPublicKey {

            nickname: keystore.nickname.clone(),

        };

        let err = keystore

            .get(

                &TestCTorSpecifier(path.clone()),

                &KeyType::X25519StaticKeypair.into(),

            )

            .map(|_| ())

            .unwrap_err();

        assert_eq!(

            err.to_string(),

            "Invalid item type X25519StaticKeypair for key hs_ed25519_public_key"

        );

    }

    #[test]

    fn list() {

        let (keystore, keystore_dir) = init_keystore("foo", "allium-cepa");

        // Insert unrecognized key

        let _ = fs::File::create(keystore_dir.path().join("unrecognized_key")).unwrap();

        let keys: Vec<_> = keystore.list().unwrap();

        // 2 recognized keys, 1 unrecognized key

        assert_eq!(keys.len(), 3);

        assert!(keys.iter().any(|entry| {

            if let Ok(e) = entry.as_ref() {

                return e.key_type() == &KeyType::Ed25519ExpandedKeypair.into();

            }

            false

        }));

        assert!(keys.iter().any(|entry| {

            if let Ok(e) = entry.as_ref() {

                return e.key_type() == &KeyType::Ed25519PublicKey.into();

            }

            false

        }));

        assert!(keys.iter().any(|entry| { entry.is_err() }));

    }

}