-- Licensed to the Apache Software Foundation (ASF) under one
-- or more contributor license agreements.  See the NOTICE file
-- distributed with this work for additional information
-- regarding copyright ownership.  The ASF licenses this file
-- to you under the Apache License, Version 2.0 (the
-- "License"); you may not use this file except in compliance
-- with the License.  You may obtain a copy of the License at
--
--   http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing,
-- software distributed under the License is distributed on an
-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-- KIND, either express or implied.  See the License for the
-- specific language governing permissions and limitations
-- under the License.

-- local common libs
local require = require
local pcall = pcall
local ffi = require("ffi")
local C = ffi.C
local get_request = require("resty.core.base").get_request
local core = require("apisix.core")
local radixtree_sni = require("apisix.ssl.router.radixtree_sni")
local apisix_ssl = require("apisix.ssl")
local _, ssl = pcall(require, "resty.apisix.ssl")
local error = error


ffi.cdef[[
unsigned long Tongsuo_version_num(void)
]]


-- local function
local function set_pem_ssl_key(sni, enc_cert, enc_pkey, sign_cert, sign_pkey)
    local r = get_request()
    if r == nil then
        return false, "no request found"
    end

    local parsed_enc_cert, err = apisix_ssl.fetch_cert(sni, enc_cert)
    if not parsed_enc_cert then
        return false, "failed to parse enc PEM cert: " .. err
    end

    local parsed_sign_cert, err = apisix_ssl.fetch_cert(sni, sign_cert)
    if not parsed_sign_cert then
        return false, "failed to parse sign PEM cert: " .. err
    end

    local ok, err = ssl.set_gm_cert(parsed_enc_cert, parsed_sign_cert)
    if not ok then
        return false, "failed to set PEM cert: " .. err
    end

    local parsed_enc_pkey, err = apisix_ssl.fetch_pkey(sni, enc_pkey)
    if not parsed_enc_pkey then
        return false, "failed to parse enc PEM priv key: " .. err
    end

    local parsed_sign_pkey, err = apisix_ssl.fetch_pkey(sni, sign_pkey)
    if not parsed_sign_pkey then
        return false, "failed to parse sign PEM priv key: " .. err
    end

    ok, err = ssl.set_gm_priv_key(parsed_enc_pkey, parsed_sign_pkey)
    if not ok then
        return false, "failed to set PEM priv key: " .. err
    end

    return true
end


local original_set_cert_and_key
local function set_cert_and_key(sni, value)
    if value.gm then
        -- process as GM certificate
        -- For GM dual certificate, the `cert` and `key` will be encryption cert/key.
        -- The first item in `certs` and `keys` will be sign cert/key.
        local enc_cert = value.cert
        local enc_pkey = value.key
        local sign_cert = value.certs[1]
        local sign_pkey = value.keys[1]
        return set_pem_ssl_key(sni, enc_cert, enc_pkey, sign_cert, sign_pkey)
    end
    return original_set_cert_and_key(sni, value)
end


local original_check_ssl_conf
local function check_ssl_conf(in_dp, conf)
    if conf.gm then
        -- process as GM certificate
        -- For GM dual certificate, the `cert` and `key` will be encryption cert/key.
        -- The first item in `certs` and `keys` will be sign cert/key.
        local ok, err = original_check_ssl_conf(in_dp, conf)
        -- check cert/key first in the original method
        if not ok then
            return nil, err
        end

        -- Currently, APISIX doesn't check the cert type (ECDSA / RSA). So we skip the
        -- check for now in this plugin.
        local num_certs = conf.certs and #conf.certs or 0
        local num_keys = conf.keys and #conf.keys or 0
        if num_certs ~= 1 or num_keys ~= 1 then
            return nil, "sign cert/key are required"
        end
        return true
    end
    return original_check_ssl_conf(in_dp, conf)
end


-- module define
local plugin_name = "gm"

-- plugin schema
local plugin_schema = {
    type = "object",
    properties = {
    },
}

local _M = {
    version  = 0.1,            -- plugin version
    priority = -43,
    name     = plugin_name,    -- plugin name
    schema   = plugin_schema,  -- plugin schema
}


function _M.init()
    if not pcall(function () return C.Tongsuo_version_num end) then
        error("need to build Tongsuo (https://github.com/Tongsuo-Project/Tongsuo) " ..
              "into the APISIX-Runtime")
    end

    ssl.enable_ntls()
    original_set_cert_and_key = radixtree_sni.set_cert_and_key
    radixtree_sni.set_cert_and_key = set_cert_and_key
    original_check_ssl_conf = apisix_ssl.check_ssl_conf
    apisix_ssl.check_ssl_conf = check_ssl_conf

    if core.schema.ssl.properties.gm ~= nil then
        error("Field 'gm' is occupied")
    end

    -- inject a mark to distinguish GM certificate
    core.schema.ssl.properties.gm = {
        type = "boolean"
    }
end


function _M.destroy()
    ssl.disable_ntls()
    radixtree_sni.set_cert_and_key = original_set_cert_and_key
    apisix_ssl.check_ssl_conf = original_check_ssl_conf
    core.schema.ssl.properties.gm = nil
end

-- module interface for schema check
-- @param `conf` user defined conf data
-- @param `schema_type` defined in `apisix/core/schema.lua`
-- @return <boolean>
function _M.check_schema(conf, schema_type)
    return core.schema.check(plugin_schema, conf)
end


return _M