//! Key rotation tasks of the relay.

use anyhow::Context;

use std::{

    sync::Arc,

    time::{Duration, SystemTime},

};

use tor_basic_utils::rand_hostname;

use tor_cert::x509::TlsKeyAndCert;

use tor_chanmgr::ChanMgr;

use tor_error::internal;

use tor_key_forge::ToEncodableCert;

use tor_keymgr::{

    CertSpecifierPattern, KeyCertificateSpecifier, KeyMgr, KeyPath, KeySpecifier,

    KeySpecifierPattern, Keygen, KeystoreEntry, KeystoreSelector, ToEncodableKey,

};

use tor_proto::RelayChannelAuthMaterial;

use tor_proto::relay::CreateRequestHandler;

use tor_relay_crypto::{RelaySigningKeyCert, gen_link_cert, gen_signing_cert, gen_tls_cert};

use crate::keys::{

    RelayIdentityKeypairSpecifier, RelayIdentityRsaKeypairSpecifier,

    RelayLinkSigningKeypairSpecifier, RelayLinkSigningKeypairSpecifierPattern,

    RelayNtorKeypairSpecifier, RelayNtorKeypairSpecifierPattern, RelaySigningKeyCertSpecifier,

    RelaySigningKeyCertSpecifierPattern, RelaySigningKeypairSpecifier,

    RelaySigningKeypairSpecifierPattern, RelaySigningPublicKeySpecifier, Timestamp,

};

use tor_relay_crypto::pk::{

    RelayIdentityKeypair, RelayIdentityRsaKeypair, RelayLinkSigningKeypair, RelayNtorKeypair,

    RelaySigningKeypair,

};

use tor_rtcompat::{Runtime, SleepProviderExt};

use smallvec::SmallVec;

/// Buffer time before key expiry to trigger rotation. This ensures we rotate slightly before the

/// key actually expires rather than right at or after expiry.

///

/// C-tor uses 3 hours for the link/auth key and 1 day for the signing key. Let's use 3 hours here,

/// it should be plenty to make it happen even if hiccups happen.

const KEY_ROTATION_EXPIRE_BUFFER: Duration = Duration::from_secs(3 * 60 * 60);

// The following expiry durations have been taken from C-tor.

/// Lifetime of the link authentication key (KP_link_ed) certificate.

const LINK_CERT_LIFETIME: Duration = Duration::from_secs(2 * 24 * 60 * 60);

/// Lifetime of the relay signing key (KP_relaysign_ed) certificate.

const SIGNING_KEY_CERT_LIFETIME: Duration = Duration::from_secs(30 * 24 * 60 * 60);

/// Lifetime of the RSA identity key certificate.

const RSA_CROSSCERT_LIFETIME: Duration = Duration::from_secs(6 * 30 * 24 * 60 * 60);

/// Lifetime of the ntor circuit extension key (KP_ntor).

///

// TODO(relay): we should be using the "onion-key-rotation-days" consensus param

// instead of this hard-coded value.

const NTOR_KEY_LIFETIME: Duration = Duration::from_secs(28 * 24 * 60 * 60);

/// Default grace period for acceptance of an onion key (KP_ntor).

///

/// This represents the amount of time we are still willing to use this key

/// after it expires.

///

// TODO(relay): we should be using the "onion-key-grace-period-days" consensus param

// instead of this hard-coded value.

const NTOR_KEY_GRACE_PERIOD: Duration = Duration::from_secs(7 * 24 * 60 * 60);

/// The result of an action that affects the relay keys in the keystore.

#[derive(Copy, Clone, Debug)]

struct KeyChange {

    /// Whether the chan auth material has changed.

    chan_auth: bool,

    /// Whether the ntor keys have changed.

    ntor: bool,

}

impl KeyChange {

    /// The combined result of two [`KeyChange`]s.

        KeyChange {

        }

}

/// Build a fresh [`RelayChannelAuthMaterial`] object using a [`KeyMgr`].

///

/// The link cert and TLS certs are created in this function.

/// The signing key certificate is retrieved from the keymgr.

///

/// This function assumes that all required keys,

/// as well as the signing key certificate,

/// are already in the keystore.

    // Get the identity keypairs.

    // We have to list match here because the key specifier here uses a valid_until. We don't know

    // what it is so we list and take the first one.

        )

        )

        )

    // TLS key and cert. Random hostname like C-tor. We re-use the issuer_hostname for the RSA

    // legacy cert.

    // Create the RSA X509 certificate.

    )

    // Create the link cert and tls cert.

/// Generate a key `K` directly into the key manager.

///

/// If the key already exists, the error is ignored as this could happen if the system time drifts

/// between the get and the generate.

{

        // Key already existing can happen due to wall clock strangeness,

        // so simply ignore it.

    };

/// Go through keystore entries matching `pattern` and remove any that are

/// expired according to `is_expired`.

///

/// Returns `(removed, min_remaining)` where `removed` indicates whether any entry was deleted and

/// `min_remaining` is the minimum `valid_until` of the entries that were kept (if any).

{

        } else {

            min_valid_until =

        }

    }

/// Attempt to generate a key using the given [`KeySpecifier`].

///

/// Return true if generated else false.

{

/// Attempt to generate a key and cert using the given [`KeyCertificateSpecifier`] which is signed

/// by the given [`KeySpecifier]` in `signing_key_spec`.

///

/// The `make_certificate` is used to generate the certificate stored in the [`KeyMgr`].

///

/// Return true if generated else false.

{

/// Try to generate all keys and certs needed for a relay.

///

/// This tries to generate the [`RelayLinkSigningKeypair`] and the [`RelaySigningKeypair`] +

/// [`RelaySigningKeyCert`]. Note that identity keys are NOT generated within this function, it is

/// only attempted once at boot time. This is so we avoid retrying to generate them at each key

/// rotation as those identity keys never rotate.

///

/// Returns the minimum valid until value if a key was generated. Else, a None value indicates that

/// no key was generated.

    // The make certificate function needed for the get_or_generate_key_and_cert(). It is a closure

    // so we can capture the runtime wallclock.

    // We either get the existing one or generate this new one.

    ));

    // We generate a new ntor key if all existing keys are expired `now`

    // (without taking into account the grace period)

            // If *all* the ntor keys are expired (but still within the grace period),

            // we want to generate a new ntor key.

            //

            // Note: this needs to take the KEY_ROTATION_EXPIRE_BUFFER into account

            // because the main loop will wake us KEY_ROTATION_EXPIRE_BUFFER

            // *before* the valid_until elapses

        }

    };

/// Remove any expired keys (and certs) that are expired.

///

/// Return (`removed`, `next_expiry`) where the `removed` indicates if at least one key has been

/// removed because it was expired. The `next_expiry` is the minimum value of all valid_until which

/// indicates the next closest expiry time.

        "key KP_relaysign_ed",

        "key KP_link_ed",

    // This should always be removed if the signing key above has been removed. However, we still

    // do a pass at the keystore considering the upcoming offline key feature that might have more

    // than one expired cert in the keystore.

        "signing key cert",

    // When deciding whether to remove the key,

    // we need to take into account the special grace period ntor keys have

    // (we need to keep the key around even if it's "expired",

    // because some clients might still be using an older consensus

    // and hence might not know about our new key yet).

        // Note: we need to take into account KEY_ROTATION_EXPIRE_BUFFER

        // because the main loop always subtracts KEY_ROTATION_EXPIRE_BUFFER

        // from the returned next_expiry, but ideally,

        // I don't think we should be using this buffer for the ntor keys,

        // because they have a grace period and don't get removed immediately

        // anyway

        "key KP_ntor",

    // Have we at least removed one?

    };

    // TODO: we could, in theory, return this from remove_expired(),

    // but I don't want to make it any more complicated than it already is,

    // especially for an operation that runs relatively infrequently.

    // This is a best effort check. There is no guarantee the

    // second key is the "successor" of this key,

    // but in general, it will be, unless an external process

    // is concurrently modifying the keystore

    // (which something we explicitly don't try to protect against).

    //

    // We could, in theory, check that the valid_until of the two

    // keys are adequately spaced, but in practice I don't think

    // it matters much.

    // Note: for each ntor key, we need to wake up twice

    //

    //   * at its expiry time, to generate the next ntor key

    //   * at its expiry time + GRACE_PERIOD, to remove the old ntor key

        None => {

            // We removed the last ntor key, the wakeup time will be

            // determined by try_generate_key() later

        }

        // This special case may seem strange, but it's needed for

        // the specific scenario where there is only one ntor key

        // in the keystore with valid_until < now.

        //

        // Without it, there is no guarantee we will wake up at valid_until

        // to generate the new ntor key (when the key is generated,

        // we try to schedule a rotation task wakeup at valid_until,

        // but if the other keys have "sooner" `valid_until`s,

        // that wakeup will be lost.

            // The next key doesn't exist yet,

            // wake up at valid_until to generate it

        }

            // The next key exists, we only need to wake up

            // to garbage collect this one, after the grace period

            //

            // This avoids busy looping in the [valid_until, valid_until + grace_period]

            // time interval (if we don't add the grace period here, when

            // now = valid_until, we will keep waking up the main loop of the

            // key rotation task, and then not actually removing the key because

            // it's still within the grace period).

        }

    };

/// Attempt to rotate all keys except identity keys.

///

/// Returns (rotated, next_expiry) where `rotated` indicates if any key was rotated and

/// `next_expiry` is the earliest expiry time across all keys.

    // First do a pass to remove every expired key(s) or/and cert(s).

    // Then attempt to generate keys. If at least one was generated, we'll get the min expiry time

    // which we need to consider "rotated" so the caller can know that a new key appeared.

    // We should never get no expiry time.

/// Attempt to generate all keys. The list of keys is:

///

/// * Identity Ed25519 keypair [`RelayIdentityKeypair`].

/// * Identity RSA [`RelayIdentityRsaKeypair`].

/// * Relay signing keypair [`RelaySigningKeypair`].

/// * Relay link signing keypair [`RelayLinkSigningKeypair`].

/// * Relay ntor keypair [`RelayNtorKeypair`].

///

/// This function is only called when our relay bootstraps in order to attempt to generate any

/// missing keys or/and rotate expired keys.

    // Attempt to generate our identity keys (ed and RSA). Those keys DO NOT rotate. It won't be

    // replaced if they already exists.

    // Attempt to rotate the keys. Any missing keys (and cert) will be generated.

    // Now that we have our up-to-date keys, build the relay channel auth material object.

/// Task to rotate keys when they need to be rotated.

    loop {

        // Attempt a rotation of all keys.

            // Any keys left in the keystore at this point are considered to be usable

            // (either because they are newly generated, or because they are still

            // within the grace period).

        // Sleep until the earliest key expiry minus buffer so we rotate before it expires.

        // If the subtraction would underflow, wake up immediately to rotate the expired key.

    }

#[cfg(test)]

mod test {

    // @@ begin test lint list maintained by maint/add_warning @@

    #![allow(clippy::bool_assert_comparison)]

    #![allow(clippy::clone_on_copy)]

    #![allow(clippy::dbg_macro)]

    #![allow(clippy::mixed_attributes_style)]

    #![allow(clippy::print_stderr)]

    #![allow(clippy::print_stdout)]

    #![allow(clippy::single_char_pattern)]

    #![allow(clippy::unwrap_used)]

    #![allow(clippy::unchecked_time_subtraction)]

    #![allow(clippy::useless_vec)]

    #![allow(clippy::needless_pass_by_value)]

    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->

    use super::*;

    use crate::keys::{

        RelayLinkSigningKeypairSpecifierPattern, RelaySigningKeypairSpecifierPattern,

    };

    use tor_keymgr::{ArtiEphemeralKeystore, KeyMgrBuilder, KeySpecifierPattern};

    use tor_rtcompat::SleepProvider;

    use tor_rtmock::MockRuntime;

    /// Generate the non-rotating identity keys so the rest of the key machinery can run.

    fn setup_identity_keys(keymgr: &KeyMgr) {

        use crate::keys::{RelayIdentityKeypairSpecifier, RelayIdentityRsaKeypairSpecifier};

        use tor_relay_crypto::pk::{RelayIdentityKeypair, RelayIdentityRsaKeypair};

        generate_key::<RelayIdentityKeypair>(keymgr, &RelayIdentityKeypairSpecifier::new())

            .unwrap();

        generate_key::<RelayIdentityRsaKeypair>(keymgr, &RelayIdentityRsaKeypairSpecifier::new())

            .unwrap();

    }

    /// Initialize test basics that is runtime and a KeyMgr.

    fn new_keymgr() -> KeyMgr {

        let store = Box::new(ArtiEphemeralKeystore::new("test".to_string()));

        KeyMgrBuilder::default()

            .primary_store(store)

            .build()

            .unwrap()

    }

    /// Initial setup of a test. Build a mock runtime, key manager and setup identity keys.

    fn setup() -> KeyMgr {

        let keymgr = new_keymgr();

        setup_identity_keys(&keymgr);

        keymgr

    }

    /// Return a [`Timestamp`] given a [`SystemTime`] rounded down to its nearest second.

    ///

    /// In other words, the `tv_nsec` of a [`SystemTime`] is dropped.

    fn to_timestamp_in_secs(valid_until: SystemTime) -> Timestamp {

        use std::time::UNIX_EPOCH;

        let seconds = valid_until.duration_since(UNIX_EPOCH).unwrap().as_secs();

        Timestamp::from(UNIX_EPOCH + Duration::from_secs(seconds))

    }

    /// Return the number of keys matching the specified pattern

    fn count_keys(keymgr: &KeyMgr, pat: &dyn KeySpecifierPattern) -> usize {

        keymgr

            .list_matching(&pat.arti_pattern().unwrap())

            .unwrap()

            .len()

    }

    /// Return the number of link keys in the given KeyMgr.

    fn count_link_keys(keymgr: &KeyMgr) -> usize {

        count_keys(keymgr, &RelayLinkSigningKeypairSpecifierPattern::new_any())

    }

    /// Return the number of signing keys in the given KeyMgr.

    fn count_signing_keys(keymgr: &KeyMgr) -> usize {

        count_keys(keymgr, &RelaySigningKeypairSpecifierPattern::new_any())

    }

    /// Return the number of ntor keys in the given KeyMgr.

    fn count_ntor_keys(keymgr: &KeyMgr) -> usize {

        count_keys(keymgr, &RelayNtorKeypairSpecifierPattern::new_any())

    }

    /// Test the actual bootstrap function, `try_generate_keys()` which is in charge of

    /// initializing the auth material.

    #[test]

    fn test_bootstrap() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = new_keymgr();

            let _auth_material = match try_generate_keys(&runtime, &keymgr) {

                Ok(a) => a,

                Err(e) => {

                    panic!("Unable to bootstrap keys and generate RelayChannelAuthMaterial: {e}");

                }

            };

        });

    }

    /// Simulate the bootstrap when no keys exists. We should have one link key and one signing key

    /// after the first rotation.

    #[test]

    fn test_initial_key_generation() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            let now = runtime.wallclock();

            let (rotated, next_expiry) = try_rotate_keys(now, &keymgr).unwrap();

            assert!(

                rotated.chan_auth && rotated.ntor,

                "keys should be reported as generated on first rotation"

            );

            assert_eq!(count_link_keys(&keymgr), 1, "expected one link key");

            assert_eq!(count_signing_keys(&keymgr), 1, "expected one signing key");

            assert_eq!(count_ntor_keys(&keymgr), 1, "expected one ntor key");

            // The earliest expiry should be the link key (~2 days out).

            let expected = runtime.wallclock() + LINK_CERT_LIFETIME;

            assert_eq!(

                next_expiry, expected,

                "next expiry should be ~{LINK_CERT_LIFETIME:?} from now, got {next_expiry:?}"

            );

        });

    }

    /// Calling rotate_keys a second time with fresh keys should indicate no rotation.

    #[test]

    fn test_rotation_on_fresh_keys() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            let now = runtime.wallclock();

            try_rotate_keys(now, &keymgr).unwrap();

            // Advance by 1 hour (inside 2 days of link key).

            runtime.advance_by(Duration::from_secs(60 * 60)).await;

            let (rotated, _) = try_rotate_keys(now, &keymgr).unwrap();

            assert!(

                !rotated.chan_auth && !rotated.ntor,

                "fresh keys must not trigger a rotation"

            );

            assert_eq!(count_link_keys(&keymgr), 1, "expected one link key");

            assert_eq!(count_signing_keys(&keymgr), 1, "expected one signing key");

            assert_eq!(count_ntor_keys(&keymgr), 1, "expected one ntor key");

        });

    }

    /// Test rotation before and after rotation expiry buffer for the link key.

    #[test]

    fn test_rotation_link_key() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            // First rotation creates the keys.

            try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            // Advance to 1 second _before_ the rotation-buffer threshold. We should not rotate

            // with this.

            let just_before =

                LINK_CERT_LIFETIME - KEY_ROTATION_EXPIRE_BUFFER - Duration::from_secs(1);

            runtime.advance_by(just_before).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(

                !rotated.chan_auth,

                "link key MUST NOT rotate before the expiry buffer threshold"

            );

            assert!(

                !rotated.ntor,

                "ntor key MUST NOT rotate before the expiry buffer threshold"

            );

            assert_eq!(count_link_keys(&keymgr), 1, "expected one link key");

            assert_eq!(count_signing_keys(&keymgr), 1, "expected one signing key");

            // Move it just after the expiry buffer and expect a rotation.

            runtime.advance_by(Duration::from_secs(1)).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(

                rotated.chan_auth,

                "link key should rotate inside the expiry buffer threshold"

            );

        });

    }

    /// Test rotation before and after rotation expiry buffer for the signing key.

    #[test]

    fn test_rotation_signing_key() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            // First rotation creates the keys.

            try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            // Closure to get the relay signing key keystore entry.

            let get_key_spec = || {

                let entries = keymgr

                    .list_matching(

                        &RelaySigningKeypairSpecifierPattern::new_any()

                            .arti_pattern()

                            .unwrap(),

                    )

                    .unwrap();

                let entry = entries.first().unwrap();

                let spec: RelaySigningKeypairSpecifier = entry.key_path().try_into().unwrap();

                spec

            };

            // Advance to 1 second _before_ the rotation-buffer threshold. We should not rotate

            // with this.

            let just_before =

                SIGNING_KEY_CERT_LIFETIME - KEY_ROTATION_EXPIRE_BUFFER - Duration::from_secs(1);

            runtime.advance_by(just_before).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(rotated.chan_auth, "Rotation must happen after 30 days");

            let spec = get_key_spec();

            assert_eq!(

                spec.valid_until,

                to_timestamp_in_secs(

                    runtime.wallclock() + KEY_ROTATION_EXPIRE_BUFFER + Duration::from_secs(1)

                ),

                "RelaySigningKeypairSpecifier should not have rotated"

            );

            assert_eq!(count_link_keys(&keymgr), 1, "expected one link key");

            assert_eq!(count_signing_keys(&keymgr), 1, "expected one signing key");

            // Move it just after the expiry buffer and expect a rotation.

            runtime.advance_by(Duration::from_secs(1)).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(rotated.chan_auth, "Rotation must happen after 30 days");

            let spec = get_key_spec();

            assert_eq!(

                spec.valid_until,

                to_timestamp_in_secs(runtime.wallclock() + SIGNING_KEY_CERT_LIFETIME),

                "RelaySigningKeypairSpecifier should have rotated"

            );

        });

    }

    /// Test rotation before and after rotation expiry buffer for the ntor key.

    #[test]

    fn test_rotation_ntor_key() {

        MockRuntime::test_with_various(|runtime| async move {

            let keymgr = setup();

            // First rotation creates the keys.

            try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            // Advance to 1 second _before_ the rotation-buffer threshold. We should not rotate

            // with this.

            let just_before =

                NTOR_KEY_LIFETIME - KEY_ROTATION_EXPIRE_BUFFER - Duration::from_secs(1);

            runtime.advance_by(just_before).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(

                !rotated.ntor,

                "Ntor key MUST NOT rotate before the expiry buffer threshold"

            );

            assert_eq!(count_ntor_keys(&keymgr), 1, "expected one ntor key");

            // Move it just after the expiry buffer and expect a rotation.

            runtime.advance_by(Duration::from_secs(1)).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(

                rotated.ntor,

                "ntor key should rotate inside the expiry buffer threshold"

            );

            assert_eq!(

                count_ntor_keys(&keymgr),

                2,

                "there should be 2 ntor keys in the grace period"

            );

            runtime.advance_by(NTOR_KEY_GRACE_PERIOD).await;

            let (rotated, _) = try_rotate_keys(runtime.wallclock(), &keymgr).unwrap();

            assert!(

                rotated.ntor,

                "ntor key should rotate after the grace period"

            );

            assert_eq!(

                count_ntor_keys(&keymgr),

                1,

                "the old ntor key should have been removed after the grace period"

            );

        });

    }

}