# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.


module Qpid::Proton

  # The SSL support for Transport.
  #
  # A Transport may be configured ot use SLL for encryption and/or
  # authentication. A Transport can be configured as either the SSL
  # client or the server. An SSL client is the party that proctively
  # establishes a connection to an SSL server. An SSL server is the
  # party that accepts a connection request from the remote SSL client.
  #
  # If either the client or the server needs to identify itself with the
  # remote node, it must have its SSL certificate configured.
  #
  # @see SSLDomain#credentials For setting the SSL certificate.
  #
  # If either the client or the server needs to verify the identify of the
  # remote node, it must have its database of trusted CAs configured.
  #
  # @see SSLDomain#trusted_ca_db Setting the CA database.
  #
  # An SSL server connection may allow the remote client to connect without
  # SS (i.e., "in the clear").
  #
  # @see SSLDomain#allow_unsecured_client Allowing unsecured clients.
  #
  # The level of verification required of the remote may be configured.
  #
  # @see SSLDomain#peer_authentication Setting peer authentication.
  #
  # Support for SSL client session resume is provided as well.
  #
  # @see SSLDomain
  # @see #resume_status
  #
  class SSL
 
    # Session resume state is unkonnwn or not supported.
    RESUME_UNKNOWN = Cproton::PN_SSL_RESUME_UNKNOWN
    # Session renegotiated and not resumed.
    RESUME_NEW = Cproton::PN_SSL_RESUME_NEW
    # Session resumed from the previous session.
    RESUME_REUSED = Cproton::PN_SSL_RESUME_REUSED

    # @private
    PROTON_METHOD_PREFIX = "pn_ssl"
    # @private
    include Util::Wrapper
    # @private
    include Util::ErrorHandler

    # Returns whether SSL is supported.
    #
    # @return [Boolean] True if SSL support is available.
    #
    def self.present?
      Cproton.pn_ssl_present
    end

    # @private
    def self.create(transport, domain, session_details = nil)
      result = nil
      # like python, make sure we're not creating a different SSL
      # object for a transport with an existing SSL object
      if transport.ssl?
        transport.instance_eval { result = @ssl }
        if ((!domain.nil? && (result.domain != domain)) ||
            (!session_details.nil? && (result.session_details != session_details)))
          raise SSLException.new("cannot re-configure existing SSL object")
        end
      else
        impl = Cproton.pn_ssl(transport.impl)
        session_id = nil
        session_id = session_details.session_id unless session_details.nil?
        result = SSL.new(impl, domain, session_details, session_id)
      end
      return result
    end

    private

    def initialize(impl, domain, session_details, session_id)
      @impl = impl
      @domain = domain.impl unless domain.nil?
      @session_details = session_details
      @session_id = session_id
      Cproton.pn_ssl_init(@impl, @domain, @session_id)
    end

    public

    # Returns the cipher name that is currently in used.
    #
    # Gets the text description of the cipher that is currently active, or
    # returns nil if SSL is not active. Note that the cipher in use my change
    # over time due to renegotiation or other changes to the SSL layer.
    #
    # @return [String, nil] The cipher name.
    #
    def cipher_name
      rc, name = Cproton.pn_ssl_get_cipher_name(@impl, 128)
      return name if rc
      nil
    end

    # Returns the name of the SSL protocol that is currently active, or
    # returns nil if SSL is nota ctive. Not that the protocol may change over
    # time due to renegotation.
    #
    # @return [String, nil] The protocol name.
    #
    def protocol_name
      rc, name = Cproton.pn_ssl_get_protocol_name(@impl, 128)
      name if rc
    end

    # Checks whether or not the state has resumed.
    #
    # Used for client session resume. When called on an active session, it
    # indicates wehther the state has been resumed from a previous session.
    #
    # *NOTE:* This is a best-effort service - there is no guarantee that the
    # remote server will accept the resumed parameters. The remote server may
    # choose to ignore these parameters, and request a renegotation instead.
    #
    def resume_status
      Cproton.pn_ssl_resume_status(@impl)
    end

    # Gets the peer hostname.
    #
    # @return [String] The peer hostname.
    def peer_hostname
      (error, name) = Cproton.pn_ssl_get_peer_hostname(@impl, 1024)
      raise SSLError.new if error < 0
      return name
    end
  end
end