# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import ssl
from ssl import SSLContext

from pyignite.constants import SSL_DEFAULT_CIPHERS, SSL_DEFAULT_VERSION
from pyignite.exceptions import ParameterError


def wrap(socket, ssl_params):
    """ Wrap socket in SSL wrapper. """
    if not ssl_params.get('use_ssl'):
        return socket

    context = create_ssl_context(ssl_params)

    return context.wrap_socket(sock=socket)


def check_ssl_params(params):
    expected_args = [
        'use_ssl',
        'ssl_version',
        'ssl_ciphers',
        'ssl_cert_reqs',
        'ssl_keyfile',
        'ssl_keyfile_password',
        'ssl_certfile',
        'ssl_ca_certfile',
    ]
    for param in params:
        if param not in expected_args:
            raise ParameterError((
                'Unexpected parameter for connection initialization: `{}`'
            ).format(param))


def create_ssl_context(ssl_params):
    if not ssl_params.get('use_ssl'):
        return None

    keyfile = ssl_params.get('ssl_keyfile', None)
    certfile = ssl_params.get('ssl_certfile', None)

    if keyfile and not certfile:
        raise ValueError("certfile must be specified")

    password = ssl_params.get('ssl_keyfile_password', None)
    ssl_version = ssl_params.get('ssl_version', SSL_DEFAULT_VERSION)
    ciphers = ssl_params.get('ssl_ciphers', SSL_DEFAULT_CIPHERS)
    cert_reqs = ssl_params.get('ssl_cert_reqs', ssl.CERT_NONE)
    ca_certs = ssl_params.get('ssl_ca_certfile', None)

    context = SSLContext(ssl_version)
    context.verify_mode = cert_reqs

    if ca_certs:
        context.load_verify_locations(ca_certs)
    if certfile:
        context.load_cert_chain(certfile, keyfile, password)
    if ciphers:
        context.set_ciphers(ciphers)

    return context