#pragma once

#include <sys/types.h>

#include <cstdint>

#include "envoy/network/connection.h"

#include "envoy/network/transport_socket.h"

#include "envoy/secret/secret_callbacks.h"

#include "envoy/server/options.h"

#include "envoy/ssl/handshaker.h"

#include "envoy/ssl/private_key/private_key_callbacks.h"

#include "envoy/ssl/ssl_socket_extended_info.h"

#include "envoy/ssl/ssl_socket_state.h"

#include "envoy/stats/scope.h"

#include "envoy/stats/stats_macros.h"

#include "source/common/common/logger.h"

#include "source/common/tls/connection_info_impl_base.h"

#include "source/common/tls/utility.h"

#include "absl/container/node_hash_map.h"

#include "absl/synchronization/mutex.h"

#include "absl/types/optional.h"

#include "openssl/ssl.h"

namespace Envoy {

namespace Extensions {

namespace TransportSockets {

namespace Tls {

class SslHandshakerImpl;

class SslExtendedSocketInfoImpl;

class ValidateResultCallbackImpl : public Ssl::ValidateResultCallback {

public:

  ValidateResultCallbackImpl(Event::Dispatcher& dispatcher,

                             SslExtendedSocketInfoImpl& extended_socket_info)

  void onCertValidationResult(bool succeeded, Ssl::ClientValidationStatus detailed_status,

                              const std::string& error_details, uint8_t tls_alert) override;

  void onSslHandshakeCancelled();

private:

  Event::Dispatcher& dispatcher_;

  OptRef<SslExtendedSocketInfoImpl> extended_socket_info_;

};

class CertificateSelectionCallbackImpl : public Ssl::CertificateSelectionCallback,

                                         protected Logger::Loggable<Logger::Id::connection> {

public:

  CertificateSelectionCallbackImpl(Event::Dispatcher& dispatcher,

                                   SslExtendedSocketInfoImpl& extended_socket_info)

  void onCertificateSelectionResult(OptRef<const Ssl::TlsContext> selected_ctx,

                                    bool staple) override;

  void onSslHandshakeCancelled();

private:

  Event::Dispatcher& dispatcher_;

  OptRef<SslExtendedSocketInfoImpl> extended_socket_info_;

};

class SslExtendedSocketInfoImpl : public Envoy::Ssl::SslExtendedSocketInfo {

public:

  // Overridden to notify cert_validate_result_callback_ that the handshake has been cancelled.

  ~SslExtendedSocketInfoImpl() override;

  void setCertificateValidationStatus(Envoy::Ssl::ClientValidationStatus validated) override;

  Envoy::Ssl::ClientValidationStatus certificateValidationStatus() const override;

  Ssl::ValidateResultCallbackPtr createValidateResultCallback() override;

  void onCertificateValidationCompleted(bool succeeded, bool async) override;

  Ssl::CertificateSelectionCallbackPtr createCertificateSelectionCallback() override;

  void onCertificateSelectionCompleted(OptRef<const Ssl::TlsContext> selected_ctx, bool staple,

                                       bool async) override;

private:

  Envoy::Ssl::ClientValidationStatus certificate_validation_status_{

      Envoy::Ssl::ClientValidationStatus::NotValidated};

  SslHandshakerImpl& ssl_handshaker_;

  // Latch the in-flight async cert validation callback.

  // nullopt if there is none.

  OptRef<ValidateResultCallbackImpl> cert_validate_result_callback_;

  // Stores the TLS alert.

  uint8_t cert_validation_alert_{SSL_AD_CERTIFICATE_UNKNOWN};

  // Stores the validation result if there is any.

  // nullopt if no validation has ever been kicked off.

  Ssl::ValidateStatus cert_validation_result_{Ssl::ValidateStatus::NotStarted};

  // Latch the in-flight cert selection callback.

  // nullopt if there is none.

  OptRef<CertificateSelectionCallbackImpl> cert_selection_callback_{absl::nullopt};

  // Stores the cert selection result if there is any.

  // NotStarted if no cert selection has ever been kicked off.

  Ssl::CertificateSelectionStatus cert_selection_result_{

      Ssl::CertificateSelectionStatus::NotStarted};

  // Stores the detailed certificate validation error message.

  std::string cert_validation_error_;

  // Stores additional per-connection data needed by the certificate selector.

  Ssl::SelectionHandleConstSharedPtr cert_selection_handle_;

};

class SslHandshakerImpl : public ConnectionInfoImplBase,

                          public Ssl::Handshaker,

                          protected Logger::Loggable<Logger::Id::connection> {

public:

  SslHandshakerImpl(bssl::UniquePtr<SSL> ssl, int ssl_extended_socket_info_index,

                    Ssl::HandshakeCallbacks* handshake_callbacks);

  // Ssl::ConnectionInfo

  bool peerCertificateValidated() const override;

  // ConnectionInfoImplBase

  // Ssl::Handshaker

  Network::PostIoAction doHandshake() override;

  bssl::UniquePtr<SSL> ssl_;

private:

  Ssl::HandshakeCallbacks* handshake_callbacks_;

  Ssl::SocketState state_{Ssl::SocketState::PreHandshake};

  mutable SslExtendedSocketInfoImpl extended_socket_info_;

};

using SslHandshakerImplSharedPtr = std::shared_ptr<SslHandshakerImpl>;

class HandshakerFactoryContextImpl : public Ssl::HandshakerFactoryContext {

public:

  HandshakerFactoryContextImpl(Api::Api& api, const Server::Options& options,

                               absl::string_view alpn_protocols,

                               Singleton::Manager& singleton_manager,

                               Server::ServerLifecycleNotifier& lifecycle_notifier)

  // HandshakerFactoryContext

private:

  Api::Api& api_;

  const Server::Options& options_;

  const std::string alpn_protocols_;

  Singleton::Manager& singleton_manager_;

  Server::ServerLifecycleNotifier& lifecycle_notifier_;

};

class HandshakerFactoryImpl : public Ssl::HandshakerFactory {

public:

  Ssl::HandshakerFactoryCb createHandshakerCb(const Protobuf::Message&,

                                              Ssl::HandshakerFactoryContext&,

};

} // namespace Tls

} // namespace TransportSockets

} // namespace Extensions

} // namespace Envoy