"""
.. versionadded:: 0.20.0
"""
import abc
import enum
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, Optional

from asn1crypto import algos, keys

from .name_trees import PKIXSubtrees

__all__ = [
    'RevocationCheckingRule',
    'RevocationCheckingPolicy',
    'FreshnessReqType',
    'CertRevTrustPolicy',
    'PKIXValidationParams',
    'AlgorithmUsageConstraint',
    'AlgorithmUsagePolicy',
    'DisallowWeakAlgorithmsPolicy',
    'AcceptAllAlgorithms',
    'NonRevokedStatusAssertion',
    'DEFAULT_WEAK_HASH_ALGOS',
    'REQUIRE_REVINFO',
    'NO_REVOCATION',
]


DEFAULT_WEAK_HASH_ALGOS = frozenset(['md2', 'md5', 'sha1'])
"""
Digest algorithms considered weak by default.
"""

FRESHNESS_FALLBACK_VALIDITY_DEFAULT = timedelta(minutes=30)
"""
Default freshness used by the default/legacy freshness policy
when the revocation information does not specify a next update
time. In practice this only applies to OCSP responses.
"""


@dataclass(frozen=True)
class NonRevokedStatusAssertion:
    """
    Assert that a certificate was not revoked at some given date.
    """

    cert_sha256: bytes
    """
    SHA-256 hash of the certificate.
    """

    at: datetime
    """
    Moment in time at which the assertion is to be considered valid.
    """


@enum.unique
class RevocationCheckingRule(enum.Enum):
    """
    Rules determining in what circumstances revocation data has to be checked,
    and what kind.
    """

    # yes, this is consistently misspelled in all parts of the
    # ETSI TS 119 172 series...
    CRL_REQUIRED = "clrcheck"
    """
    Check CRLs.
    """

    OCSP_REQUIRED = "ocspcheck"
    """
    Check OCSP.
    """

    CRL_AND_OCSP_REQUIRED = "bothcheck"
    """
    Check CRL and OCSP.
    """

    CRL_OR_OCSP_REQUIRED = "eithercheck"
    """
    Check CRL or OCSP.
    """

    NO_CHECK = "nocheck"
    """
    Do not check.
    """

    CHECK_IF_DECLARED = "ifdeclaredcheck"
    """
    Check revocation information if declared in the certificate.
    
    .. warning::
        This is not an ESI check type, but is preserved for 
        compatibility with the 'hard-fail' mode in certvalidator.

    .. note::
        In this mode, cached CRLs will _not_ be checked if the certificate
        does not list any distribution points.
    """

    CHECK_IF_DECLARED_SOFT = "ifdeclaredsoftcheck"
    """
    Check revocation information if declared in the certificate, but
    do not fail validation if the check fails.

    .. warning::
        This is not an ESI check type, but is preserved for 
        compatibility with the 'soft-fail' mode in certvalidator.

    .. note::
        In this mode, cached CRLs will _not_ be checked if the certificate
        does not list any distribution points.
    """

    @property
    def strict(self) -> bool:
        # note that this is not quite the same as (not self.tolerant)!
        return self not in (
            RevocationCheckingRule.CHECK_IF_DECLARED,
            RevocationCheckingRule.CHECK_IF_DECLARED_SOFT,
            RevocationCheckingRule.NO_CHECK,
        )

    @property
    def tolerant(self) -> bool:
        return self in (
            RevocationCheckingRule.CHECK_IF_DECLARED_SOFT,
            RevocationCheckingRule.NO_CHECK,
        )

    @property
    def crl_mandatory(self) -> bool:
        return self in (
            RevocationCheckingRule.CRL_REQUIRED,
            RevocationCheckingRule.CRL_AND_OCSP_REQUIRED,
        )

    @property
    def crl_relevant(self) -> bool:
        return self not in (
            RevocationCheckingRule.NO_CHECK,
            RevocationCheckingRule.OCSP_REQUIRED,
        )

    @property
    def ocsp_mandatory(self) -> bool:
        return self in (
            RevocationCheckingRule.OCSP_REQUIRED,
            RevocationCheckingRule.CRL_AND_OCSP_REQUIRED,
        )

    @property
    def ocsp_relevant(self) -> bool:
        return self not in (
            RevocationCheckingRule.NO_CHECK,
            RevocationCheckingRule.CRL_REQUIRED,
        )


@dataclass(frozen=True)
class RevocationCheckingPolicy:
    """
    Class describing a revocation checking policy
    based on the types defined in the ETSI TS 119 172 series.
    """

    ee_certificate_rule: RevocationCheckingRule
    """
    Revocation rule applied to end-entity certificates.
    """

    intermediate_ca_cert_rule: RevocationCheckingRule
    """
    Revocation rule applied to certificates further up the path.
    """

    @classmethod
    def from_legacy(cls, policy: str):
        try:
            return LEGACY_POLICY_MAP[policy]
        except KeyError:
            raise ValueError(f"'{policy}' is not a valid revocation mode")

    @property
    def essential(self) -> bool:
        return not (
            self.ee_certificate_rule.tolerant
            and self.ee_certificate_rule.tolerant
        )


REQUIRE_REVINFO = RevocationCheckingPolicy(
    RevocationCheckingRule.CRL_OR_OCSP_REQUIRED,
    RevocationCheckingRule.CRL_OR_OCSP_REQUIRED,
)
"""
Policy indicating that revocation information is always required, but either
OCSP or CRL-based revocation information is OK.
"""


NO_REVOCATION = RevocationCheckingPolicy(
    ee_certificate_rule=RevocationCheckingRule.NO_CHECK,
    intermediate_ca_cert_rule=RevocationCheckingRule.NO_CHECK,
)
"""
Policy indicating that revocation information is never required.
"""


LEGACY_POLICY_MAP = {
    'soft-fail': RevocationCheckingPolicy(
        RevocationCheckingRule.CHECK_IF_DECLARED_SOFT,
        RevocationCheckingRule.CHECK_IF_DECLARED_SOFT,
    ),
    'hard-fail': RevocationCheckingPolicy(
        RevocationCheckingRule.CHECK_IF_DECLARED,
        RevocationCheckingRule.CHECK_IF_DECLARED,
    ),
    'require': REQUIRE_REVINFO,
}
"""
Mapping of legacy ``certvalidator`` revocation modes to
:class:`RevocationCheckingPolicy` objects.
"""


@enum.unique
class FreshnessReqType(enum.Enum):
    """
    Freshness requirement type.
    """

    DEFAULT = enum.auto()
    """
    The default freshness policy, i.e. the ``certvalidator`` legacy policy.
    This policy considers revocation info valid between its ``thisUpdate``
    and ``nextUpdate`` times, but not outside of that window.
    """

    MAX_DIFF_REVOCATION_VALIDATION = enum.auto()
    """
    Freshness policy requiring that the validation time, if later than the
    issuance date of the revocation info, be sufficiently close to that
    issuance date.
    """

    TIME_AFTER_SIGNATURE = enum.auto()
    """
    Freshness policy requiring that the revocation info be issued after a
    predetermined "cooldown period" after the certificate was used to produce
    a signature.
    """


@dataclass(frozen=True)
class CertRevTrustPolicy:
    """
    Class describing conditions for trusting revocation info.
    Based on CertificateRevTrust in ETSI TS 119 172-3.
    """

    revocation_checking_policy: RevocationCheckingPolicy
    """
    The revocation checking policy requirements.
    """

    freshness: Optional[timedelta] = None
    """
    Freshness interval. If not specified, this defaults to the distance
    between ``thisUpdate`` and ``nextUpdate`` for the given piece of revocation
    information.
    If the ``nextUpdate`` field is not present, then the effective default
    is 30 minutes.
    """

    freshness_req_type: FreshnessReqType = FreshnessReqType.DEFAULT
    """
    Controls whether the freshness requirement applies relatively to the
    signing time or to the validation time.
    """

    expected_post_expiry_revinfo_time: Optional[timedelta] = None
    """
    Duration for which the issuing CA is expected to supply status information
    after a certificate expires.
    """

    retroactive_revinfo: bool = False
    """
    Treat revocation info as retroactively valid, i.e. ignore the
    ``this_update`` field in CRLs and OCSP responses.
    This parameter is not taken into account for freshness policies other than
    :attr:`FreshnessReqType.DEFAULT`, and is ``False`` by default in those
    cases.

    .. warning::
        Be careful with this option, since it will cause incorrect
        behaviour for CAs that make use of certificate holds or other
        reversible revocation methods.
    """


def intersect_policy_sets(
    a_pols: FrozenSet[str], b_pols: FrozenSet[str]
) -> FrozenSet[str]:
    """
    Intersect two sets of policies, taking into account the special
    'any_policy'.

    :param a_pols:
        A set of policies.
    :param b_pols:
        Another set of policies.
    :return:
        The intersection of both.
    """

    a_any = 'any_policy' in a_pols
    b_any = 'any_policy' in b_pols

    if a_any and b_any:
        return frozenset(['any_policy'])
    elif a_any:
        return b_pols
    elif b_any:
        return b_pols
    else:
        return b_pols & a_pols


@dataclass(frozen=True)
class PKIXValidationParams:
    user_initial_policy_set: frozenset = frozenset(['any_policy'])
    """
    Set of policies that the user is willing to accept. By default, any policy
    is acceptable.
    
    When setting this parameter to a non-default value, you probably want to
    set :attr:`initial_explicit_policy` as well.
    
    .. note::
        These are specified in the policy domain of the trust root(s), and
        subject to policy mapping by intermediate certificate authorities.
    """

    initial_policy_mapping_inhibit: bool = False
    """
    Flag indicating whether policy mapping is forbidden along the entire    
    certification chains. By default, policy mapping is permitted.
    
    .. note::
        Policy constraints on intermediate certificates may force policy mapping
        to be inhibited from some point onwards.
    """

    initial_explicit_policy: bool = False
    """
    Flag indicating whether path validation must terminate with at least one
    permissible policy; see :attr:`user_initial_policy_set`.
    By default, no such requirement is imposed.
    
    .. note::
        If :attr:`user_initial_policy_set` is set to its default value of
        ``{'any_policy'}``, the effect is that the path validation must accept
        at least one policy, without specifying which.
        
    .. warning::
        Due to widespread mis-specification of policy extensions in the wild,
        many real-world certification chains terminate with an empty set
        (or rather, tree) of valid policies. Therefore, this flag is set to 
        ``False`` by default.
    """

    initial_any_policy_inhibit: bool = False
    """
    Flag indicating whether ``anyPolicy`` should be left unprocessed when it
    appears in a certificate. By default, ``anyPolicy`` is always processed
    when it appears.
    """

    initial_permitted_subtrees: Optional[PKIXSubtrees] = None
    """
    Set of permitted subtrees for each name type, indicating restrictions
    to impose on subject names (and alternative names) in the certification
    path.
    
    By default, all names are permitted.
    This behaviour can be modified by name constraints on intermediate CA
    certificates.
    """

    initial_excluded_subtrees: Optional[PKIXSubtrees] = None
    """
    Set of excluded subtrees for each name type, indicating restrictions
    to impose on subject names (and alternative names) in the certification
    path.

    By default, no names are excluded.
    This behaviour can be modified by name constraints on intermediate CA
    certificates.
    """

    def merge(self, other: 'PKIXValidationParams') -> 'PKIXValidationParams':
        """
        Combine the conditions of these PKIX validation params with another
        set of parameters, producing the most lenient set of parameters that
        is stricter than both inputs.

        :param other:
            Another set of PKIX validation parameters.
        :return:
            A combined set of PKIX validation parameters.
        """

        if 'any_policy' in self.user_initial_policy_set:
            init_policy_set = other.user_initial_policy_set
        elif 'any_policy' in other.user_initial_policy_set:
            init_policy_set = self.user_initial_policy_set
        else:
            init_policy_set = (
                other.user_initial_policy_set & self.user_initial_policy_set
            )

        initial_any_policy_inhibit = (
            self.initial_any_policy_inhibit and other.initial_any_policy_inhibit
        )
        initial_explicit_policy = (
            self.initial_explicit_policy and other.initial_explicit_policy
        )
        initial_policy_mapping_inhibit = (
            self.initial_policy_mapping_inhibit
            and other.initial_policy_mapping_inhibit
        )
        return PKIXValidationParams(
            user_initial_policy_set=init_policy_set,
            initial_any_policy_inhibit=initial_any_policy_inhibit,
            initial_explicit_policy=initial_explicit_policy,
            initial_policy_mapping_inhibit=initial_policy_mapping_inhibit,
        )


@dataclass(frozen=True)
class AlgorithmUsageConstraint:
    """
    Expression of a constraint on the usage of an algorithm (possibly with
    parameter choices).
    """

    allowed: bool
    """
    Flag indicating whether the algorithm can be used.
    """

    not_allowed_after: Optional[datetime] = None
    """
    Date indicating when the algorithm became unavailable (given the relevant
    choice of parameters, if applicable).
    """

    failure_reason: Optional[str] = None
    """
    A human-readable description of the failure reason, if applicable.
    """

    def __bool__(self):
        return self.allowed


class AlgorithmUsagePolicy(abc.ABC):
    """
    Abstract interface defining a usage policy for cryptographic algorithms.
    """

    def digest_algorithm_allowed(
        self, algo: algos.DigestAlgorithm, moment: Optional[datetime]
    ) -> AlgorithmUsageConstraint:
        """
        Determine if the indicated digest algorithm can be used at the point
        in time indicated.

        :param algo:
            A digest algorithm description in ASN.1 form.
        :param moment:
            The point in time at which the algorithm should be usable.
            If ``None``, then the returned judgment applies at all times.
        :return:
            A :class:`.AlgorithmUsageConstraint` expressing the judgment.
        """
        raise NotImplementedError

    def signature_algorithm_allowed(
        self,
        algo: algos.SignedDigestAlgorithm,
        moment: Optional[datetime],
        public_key: Optional[keys.PublicKeyInfo],
    ) -> AlgorithmUsageConstraint:
        """
        Determine if the indicated signature algorithm (including the associated
        digest function and any parameters, if applicable) can be used at the
        point in time indicated.

        :param algo:
            A signature mechanism description in ASN.1 form.
        :param moment:
            The point in time at which the algorithm should be usable.
            If ``None``, then the returned judgment applies at all times.
        :param public_key:
            The public key associated with the operation, if available.

            .. note::
                This parameter can be used to enforce key size limits or
                to filter out keys with known structural weaknesses.
        :return:
            A :class:`.AlgorithmUsageConstraint` expressing the judgment.
        """
        raise NotImplementedError


class DisallowWeakAlgorithmsPolicy(AlgorithmUsagePolicy):
    """
    Primitive usage policy that forbids a list of user-specified
    "weak" algorithms and allows everything else.
    It also ignores the time parameter completely.

    .. note::
        This denial-based strategy is supplied to provide a backwards-compatible
        default.
        In many scenarios, an explicit allow-based strategy is more appropriate.
        Users with specific security requirements are encouraged to implement
        :class:`.AlgorithmUsagePolicy` themselves.

    :param weak_hash_algos:
        The list of digest algorithms considered weak.
        Defaults to :const:`.DEFAULT_WEAK_HASH_ALGOS`.
    :param weak_signature_algos:
        The list of digest algorithms considered weak.
        Defaults to the empty set.
    :param rsa_key_size_threshold:
        The key length threshold for RSA keys, in bits.
    :param dsa_key_size_threshold:
        The key length threshold for DSA keys, in bits.
    """

    def __init__(
        self,
        weak_hash_algos=DEFAULT_WEAK_HASH_ALGOS,
        weak_signature_algos=frozenset(),
        rsa_key_size_threshold=2048,
        # TODO is this a reasonable default?
        dsa_key_size_threshold=3192,
    ):
        self.weak_hash_algos = weak_hash_algos
        self.weak_signature_algos = weak_signature_algos
        self.rsa_key_size_threshold = rsa_key_size_threshold
        self.dsa_key_size_threshold = dsa_key_size_threshold

    def digest_algorithm_allowed(
        self, algo: algos.DigestAlgorithm, moment: Optional[datetime]
    ) -> AlgorithmUsageConstraint:
        return AlgorithmUsageConstraint(
            algo['algorithm'].native not in self.weak_hash_algos
        )

    def signature_algorithm_allowed(
        self,
        algo: algos.SignedDigestAlgorithm,
        moment: Optional[datetime],
        public_key: Optional[keys.PublicKeyInfo],
    ) -> AlgorithmUsageConstraint:
        algo_name = algo.signature_algo
        algo_allowed = algo_name not in self.weak_signature_algos
        is_rsa = algo_name.startswith('rsa')
        is_dsa = algo_name == 'dsa'
        if algo_allowed and public_key is not None and (is_rsa or is_dsa):
            key_sz = public_key.bit_size
            failed_threshold = None
            if is_rsa and key_sz < self.rsa_key_size_threshold:
                failed_threshold = self.rsa_key_size_threshold
            elif is_dsa and key_sz < self.dsa_key_size_threshold:
                failed_threshold = self.dsa_key_size_threshold
            if failed_threshold is not None:
                return AlgorithmUsageConstraint(
                    allowed=False,
                    failure_reason=(
                        f"Key size {key_sz} for algorithm {algo_name} is "
                        f"considered too small; "
                        f"policy mandates >= {failed_threshold}"
                    ),
                )
        try:
            hash_algo = algo.hash_algo
        except ValueError:
            hash_algo = None
        if algo_allowed and hash_algo is not None:
            digest_allowed = self.digest_algorithm_allowed(
                algos.DigestAlgorithm({'algorithm': algo.hash_algo}), moment
            )
            if not digest_allowed:
                return AlgorithmUsageConstraint(
                    allowed=False,
                    failure_reason=(
                        f"Digest algorithm {digest_allowed} is not allowed, "
                        f"which disqualifies the signature mechanism "
                        f"{algo['algorithm'].native} as well."
                    ),
                    not_allowed_after=digest_allowed.not_allowed_after,
                )
        return AlgorithmUsageConstraint(allowed=algo_allowed)


class AcceptAllAlgorithms(AlgorithmUsagePolicy):
    def digest_algorithm_allowed(
        self, algo: algos.DigestAlgorithm, moment: Optional[datetime]
    ) -> AlgorithmUsageConstraint:
        return AlgorithmUsageConstraint(allowed=True)

    def signature_algorithm_allowed(
        self,
        algo: algos.SignedDigestAlgorithm,
        moment: Optional[datetime],
        public_key: Optional[keys.PublicKeyInfo],
    ) -> AlgorithmUsageConstraint:
        return AlgorithmUsageConstraint(allowed=True)