// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package tka

import (
	"bytes"
	"testing"

	"github.com/google/go-cmp/cmp"
	"tailscale.com/types/key"
	"tailscale.com/types/tkatype"
)

func TestComputeChainCandidates(t *testing.T) {
	c := newTestchain(t, `
        G1 -> I1 -> I2 -> I3 -> L2
               | -> L1     | -> L3
        
        G2 -> L4

        // We tweak these AUMs so they are different hashes.
        G2.hashSeed = 2
        L1.hashSeed = 2
        L3.hashSeed = 2
        L4.hashSeed = 3
    `)
	// Should result in 4 chains:
	// G1->L1, G1->L2, G1->L3, G2->L4

	i1H := c.AUMHashes["I1"]
	got, err := computeChainCandidates(c.Chonk(), &i1H, 50)
	if err != nil {
		t.Fatalf("computeChainCandidates() failed: %v", err)
	}

	want := []chain{
		{Oldest: c.AUMs["G2"], Head: c.AUMs["L4"]},
		{Oldest: c.AUMs["G1"], Head: c.AUMs["L3"], chainsThroughActive: true},
		{Oldest: c.AUMs["G1"], Head: c.AUMs["L1"], chainsThroughActive: true},
		{Oldest: c.AUMs["G1"], Head: c.AUMs["L2"], chainsThroughActive: true},
	}
	if diff := cmp.Diff(want, got, cmp.AllowUnexported(chain{})); diff != "" {
		t.Errorf("chains differ (-want, +got):\n%s", diff)
	}
}

func TestForkResolutionHash(t *testing.T) {
	c := newTestchain(t, `
        G1 -> L1
         | -> L2

        // tweak hashes so L1 & L2 are not identical
        L1.hashSeed = 2
        L2.hashSeed = 3
    `)

	got, err := computeActiveChain(c.Chonk(), nil, 50)
	if err != nil {
		t.Fatalf("computeActiveChain() failed: %v", err)
	}

	// The fork with the lowest AUM hash should have been chosen.
	l1H := c.AUMHashes["L1"]
	l2H := c.AUMHashes["L2"]
	want := l1H
	if bytes.Compare(l2H[:], l1H[:]) < 0 {
		want = l2H
	}

	if got := got.Head.Hash(); got != want {
		t.Errorf("head was %x, want %x", got, want)
	}
}

func TestForkResolutionSigWeight(t *testing.T) {
	pub, priv := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}

	c := newTestchain(t, `
        G1 -> L1
         | -> L2

        G1.template = addKey
        L1.hashSeed = 11
        L2.signedWith = key
    `,
		optTemplate("addKey", AUM{MessageKind: AUMAddKey, Key: &key}),
		optKey("key", key, priv))

	l1H := c.AUMHashes["L1"]
	l2H := c.AUMHashes["L2"]
	if bytes.Compare(l2H[:], l1H[:]) < 0 {
		t.Fatal("failed assert: h(l1) > h(l2)\nTweak hashSeed till this passes")
	}

	got, err := computeActiveChain(c.Chonk(), nil, 50)
	if err != nil {
		t.Fatalf("computeActiveChain() failed: %v", err)
	}

	// Based on the hash, l1H should be chosen.
	// But based on the signature weight (which has higher
	// precedence), it should be l2H
	want := l2H
	if got := got.Head.Hash(); got != want {
		t.Errorf("head was %x, want %x", got, want)
	}
}

func TestForkResolutionMessageType(t *testing.T) {
	pub, _ := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}

	c := newTestchain(t, `
        G1 -> L1
         | -> L2
         | -> L3

        G1.template = addKey
        L1.hashSeed = 11
        L2.template = removeKey
        L3.hashSeed = 18
    `,
		optTemplate("addKey", AUM{MessageKind: AUMAddKey, Key: &key}),
		optTemplate("removeKey", AUM{MessageKind: AUMRemoveKey, KeyID: key.MustID()}))

	l1H := c.AUMHashes["L1"]
	l2H := c.AUMHashes["L2"]
	l3H := c.AUMHashes["L3"]
	if bytes.Compare(l2H[:], l1H[:]) < 0 {
		t.Fatal("failed assert: h(l1) > h(l2)\nTweak hashSeed till this passes")
	}
	if bytes.Compare(l2H[:], l3H[:]) < 0 {
		t.Fatal("failed assert: h(l3) > h(l2)\nTweak hashSeed till this passes")
	}

	got, err := computeActiveChain(c.Chonk(), nil, 50)
	if err != nil {
		t.Fatalf("computeActiveChain() failed: %v", err)
	}

	// Based on the hash, L1 or L3 should be chosen.
	// But based on the preference for AUMRemoveKey messages,
	// it should be L2.
	want := l2H
	if got := got.Head.Hash(); got != want {
		t.Errorf("head was %x, want %x", got, want)
	}
}

func TestComputeStateAt(t *testing.T) {
	pub, _ := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}

	c := newTestchain(t, `
        G1 -> I1 -> I2
        I1.template = addKey
    `,
		optTemplate("addKey", AUM{MessageKind: AUMAddKey, Key: &key}))

	// G1 is before the key, so there shouldn't be a key there.
	state, err := computeStateAt(c.Chonk(), 500, c.AUMHashes["G1"])
	if err != nil {
		t.Fatalf("computeStateAt(G1) failed: %v", err)
	}
	if _, err := state.GetKey(key.MustID()); err != ErrNoSuchKey {
		t.Errorf("expected key to be missing: err = %v", err)
	}
	if *state.LastAUMHash != c.AUMHashes["G1"] {
		t.Errorf("LastAUMHash = %x, want %x", *state.LastAUMHash, c.AUMHashes["G1"])
	}

	// I1 & I2 are after the key, so the computed state should contain
	// the key.
	for _, wantHash := range []AUMHash{c.AUMHashes["I1"], c.AUMHashes["I2"]} {
		state, err = computeStateAt(c.Chonk(), 500, wantHash)
		if err != nil {
			t.Fatalf("computeStateAt(%X) failed: %v", wantHash, err)
		}
		if *state.LastAUMHash != wantHash {
			t.Errorf("LastAUMHash = %x, want %x", *state.LastAUMHash, wantHash)
		}
		if _, err := state.GetKey(key.MustID()); err != nil {
			t.Errorf("expected key to be present at state: err = %v", err)
		}
	}
}

// fakeAUM generates an AUM structure based on the template.
// If parent is provided, PrevAUMHash is set to that value.
//
// If template is an AUM, the returned AUM is based on that.
// If template is an int, a NOOP AUM is returned, and the
// provided int can be used to tweak the resulting hash (needed
// for tests you want one AUM to be 'lower' than another, so that
// that chain is taken based on fork resolution rules).
func fakeAUM(t *testing.T, template any, parent *AUMHash) (AUM, AUMHash) {
	if seed, ok := template.(int); ok {
		a := AUM{MessageKind: AUMNoOp, KeyID: []byte{byte(seed)}}
		if parent != nil {
			a.PrevAUMHash = (*parent)[:]
		}
		h := a.Hash()
		return a, h
	}

	if a, ok := template.(AUM); ok {
		if parent != nil {
			a.PrevAUMHash = (*parent)[:]
		}
		h := a.Hash()
		return a, h
	}

	panic("template must be an int or an AUM")
}

func TestOpenAuthority(t *testing.T) {
	pub, _ := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}

	//        /- L1
	// G1 - I1 - I2 - I3 -L2
	//                  \-L3
	// G2 - L4
	//
	// We set the previous-known ancestor to G1, so the
	// ancestor to start from should be G1.
	g1, g1H := fakeAUM(t, AUM{MessageKind: AUMAddKey, Key: &key}, nil)
	i1, i1H := fakeAUM(t, 2, &g1H) // AUM{MessageKind: AUMAddKey, Key: &key2}
	l1, l1H := fakeAUM(t, 13, &i1H)

	i2, i2H := fakeAUM(t, 2, &i1H)
	i3, i3H := fakeAUM(t, 5, &i2H)
	l2, l2H := fakeAUM(t, AUM{MessageKind: AUMNoOp, KeyID: []byte{7}, Signatures: []tkatype.Signature{{KeyID: key.MustID()}}}, &i3H)
	l3, l3H := fakeAUM(t, 4, &i3H)

	g2, g2H := fakeAUM(t, 8, nil)
	l4, _ := fakeAUM(t, 9, &g2H)

	// We make sure that I2 has a lower hash than L1, so
	// it should take that path rather than L1.
	if bytes.Compare(l1H[:], i2H[:]) < 0 {
		t.Fatal("failed assert: h(i2) > h(l1)\nTweak parameters to fakeAUM till this passes")
	}
	// We make sure L2 has a signature with key, so it should
	// take that path over L3. We assert that the L3 hash
	// is less than L2 so the test will fail if the signature
	// preference logic is broken.
	if bytes.Compare(l2H[:], l3H[:]) < 0 {
		t.Fatal("failed assert: h(l3) > h(l2)\nTweak parameters to fakeAUM till this passes")
	}

	// Construct the state of durable storage.
	chonk := &Mem{}
	err := chonk.CommitVerifiedAUMs([]AUM{g1, i1, l1, i2, i3, l2, l3, g2, l4})
	if err != nil {
		t.Fatal(err)
	}
	chonk.SetLastActiveAncestor(i1H)

	a, err := Open(chonk)
	if err != nil {
		t.Fatalf("New() failed: %v", err)
	}
	// Should include the key added in G1
	if _, err := a.state.GetKey(key.MustID()); err != nil {
		t.Errorf("missing G1 key: %v", err)
	}
	// The head of the chain should be L2.
	if a.Head() != l2H {
		t.Errorf("head was %x, want %x", a.state.LastAUMHash, l2H)
	}
}

func TestOpenAuthority_EmptyErrors(t *testing.T) {
	_, err := Open(&Mem{})
	if err == nil {
		t.Error("Expected an error initializing an empty authority, got nil")
	}
}

func TestAuthorityHead(t *testing.T) {
	c := newTestchain(t, `
        G1 -> L1
         | -> L2

        L1.hashSeed = 2
    `)

	a, _ := Open(c.Chonk())
	if got, want := a.head.Hash(), a.Head(); got != want {
		t.Errorf("Hash() returned %x, want %x", got, want)
	}
}

func TestAuthorityValidDisablement(t *testing.T) {
	pub, _ := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}
	c := newTestchain(t, `
        G1 -> L1

        G1.template = genesis
    `,
		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
			Keys:               []Key{key},
			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
		}}),
	)

	a, _ := Open(c.Chonk())
	if valid := a.ValidDisablement([]byte{1, 2, 3}); !valid {
		t.Error("ValidDisablement() returned false, want true")
	}
}

func TestCreateBootstrapAuthority(t *testing.T) {
	pub, priv := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}

	a1, genesisAUM, err := Create(&Mem{}, State{
		Keys:               []Key{key},
		DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
	}, signer25519(priv))
	if err != nil {
		t.Fatalf("Create() failed: %v", err)
	}

	a2, err := Bootstrap(&Mem{}, genesisAUM)
	if err != nil {
		t.Fatalf("Bootstrap() failed: %v", err)
	}

	if a1.Head() != a2.Head() {
		t.Fatal("created and bootstrapped authority differ")
	}

	// Both authorities should trust the key laid down in the genesis state.
	if !a1.KeyTrusted(key.MustID()) {
		t.Error("a1 did not trust genesis key")
	}
	if !a2.KeyTrusted(key.MustID()) {
		t.Error("a2 did not trust genesis key")
	}
}

func TestAuthorityInformNonLinear(t *testing.T) {
	pub, priv := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}

	c := newTestchain(t, `
        G1 -> L1
         | -> L2 -> L3
               | -> L4 -> L5

        G1.template = genesis
        L1.hashSeed = 3
        L2.hashSeed = 2
        L4.hashSeed = 2
    `,
		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
			Keys:               []Key{key},
			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
		}}),
		optKey("key", key, priv),
		optSignAllUsing("key"))

	storage := &Mem{}
	a, err := Bootstrap(storage, c.AUMs["G1"])
	if err != nil {
		t.Fatalf("Bootstrap() failed: %v", err)
	}

	// L2 does not chain from L1, disabling the isHeadChain optimization
	// and forcing Inform() to take the slow path.
	informAUMs := []AUM{c.AUMs["L1"], c.AUMs["L2"], c.AUMs["L3"], c.AUMs["L4"], c.AUMs["L5"]}

	if err := a.Inform(storage, informAUMs); err != nil {
		t.Fatalf("Inform() failed: %v", err)
	}
	for i, update := range informAUMs {
		stored, err := storage.AUM(update.Hash())
		if err != nil {
			t.Errorf("reading stored update %d: %v", i, err)
			continue
		}
		if diff := cmp.Diff(update, stored); diff != "" {
			t.Errorf("update %d differs (-want, +got):\n%s", i, diff)
		}
	}

	if a.Head() != c.AUMHashes["L3"] {
		t.Fatal("authority did not converge to correct AUM")
	}
}

func TestAuthorityInformLinear(t *testing.T) {
	pub, priv := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}

	c := newTestchain(t, `
        G1 -> L1 -> L2 -> L3

        G1.template = genesis
    `,
		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
			Keys:               []Key{key},
			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
		}}),
		optKey("key", key, priv),
		optSignAllUsing("key"))

	storage := &Mem{}
	a, err := Bootstrap(storage, c.AUMs["G1"])
	if err != nil {
		t.Fatalf("Bootstrap() failed: %v", err)
	}

	informAUMs := []AUM{c.AUMs["L1"], c.AUMs["L2"], c.AUMs["L3"]}

	if err := a.Inform(storage, informAUMs); err != nil {
		t.Fatalf("Inform() failed: %v", err)
	}
	for i, update := range informAUMs {
		stored, err := storage.AUM(update.Hash())
		if err != nil {
			t.Errorf("reading stored update %d: %v", i, err)
			continue
		}
		if diff := cmp.Diff(update, stored); diff != "" {
			t.Errorf("update %d differs (-want, +got):\n%s", i, diff)
		}
	}

	if a.Head() != c.AUMHashes["L3"] {
		t.Fatal("authority did not converge to correct AUM")
	}
}

func TestInteropWithNLKey(t *testing.T) {
	priv1 := key.NewNLPrivate()
	pub1 := priv1.Public()
	pub2 := key.NewNLPrivate().Public()
	pub3 := key.NewNLPrivate().Public()

	a, _, err := Create(&Mem{}, State{
		Keys: []Key{
			{
				Kind:   Key25519,
				Votes:  1,
				Public: pub1.KeyID(),
			},
			{
				Kind:   Key25519,
				Votes:  1,
				Public: pub2.KeyID(),
			},
		},
		DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
	}, priv1)
	if err != nil {
		t.Errorf("tka.Create: %v", err)
		return
	}

	if !a.KeyTrusted(pub1.KeyID()) {
		t.Error("pub1 want trusted, got untrusted")
	}
	if !a.KeyTrusted(pub2.KeyID()) {
		t.Error("pub2 want trusted, got untrusted")
	}
	if a.KeyTrusted(pub3.KeyID()) {
		t.Error("pub3 want untrusted, got trusted")
	}
}

func TestAuthorityCompact(t *testing.T) {
	pub, priv := testingKey25519(t, 1)
	key := Key{Kind: Key25519, Public: pub, Votes: 2}

	c := newTestchain(t, `
        G -> A -> B -> C -> D -> E

        G.template = genesis
        C.template = checkpoint2
    `,
		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
			Keys:               []Key{key},
			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
		}}),
		optTemplate("checkpoint2", AUM{MessageKind: AUMCheckpoint, State: &State{
			Keys:               []Key{key},
			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
		}}),
		optKey("key", key, priv),
		optSignAllUsing("key"))

	storage := &FS{base: t.TempDir()}
	a, err := Bootstrap(storage, c.AUMs["G"])
	if err != nil {
		t.Fatalf("Bootstrap() failed: %v", err)
	}
	a.Inform(storage, []AUM{c.AUMs["A"], c.AUMs["B"], c.AUMs["C"], c.AUMs["D"], c.AUMs["E"]})

	// Should compact down to C -> D -> E
	if err := a.Compact(storage, CompactionOptions{MinChain: 2, MinAge: 1}); err != nil {
		t.Fatal(err)
	}
	if a.oldestAncestor.Hash() != c.AUMHashes["C"] {
		t.Errorf("ancestor = %v, want %v", a.oldestAncestor.Hash(), c.AUMHashes["C"])
	}

	// Make sure the stored authority is still openable and resolves to the same state.
	stored, err := Open(storage)
	if err != nil {
		t.Fatalf("Failed to open stored authority: %v", err)
	}
	if stored.Head() != a.Head() {
		t.Errorf("Stored authority head differs: head = %v, want %v", stored.Head(), a.Head())
	}
	t.Logf("original ancestor = %v", c.AUMHashes["G"])
	if anc, _ := storage.LastActiveAncestor(); *anc != c.AUMHashes["C"] {
		t.Errorf("ancestor = %v, want %v", anc, c.AUMHashes["C"])
	}
}

func TestFindParentForRewrite(t *testing.T) {
	pub, _ := testingKey25519(t, 1)
	k1 := Key{Kind: Key25519, Public: pub, Votes: 1}

	pub2, _ := testingKey25519(t, 2)
	k2 := Key{Kind: Key25519, Public: pub2, Votes: 1}
	k2ID, _ := k2.ID()
	pub3, _ := testingKey25519(t, 3)
	k3 := Key{Kind: Key25519, Public: pub3, Votes: 1}

	c := newTestchain(t, `
        A -> B -> C -> D -> E
        A.template = genesis
        B.template = add2
        C.template = add3
        D.template = remove2
    `,
		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
			Keys:               []Key{k1},
			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
		}}),
		optTemplate("add2", AUM{MessageKind: AUMAddKey, Key: &k2}),
		optTemplate("add3", AUM{MessageKind: AUMAddKey, Key: &k3}),
		optTemplate("remove2", AUM{MessageKind: AUMRemoveKey, KeyID: k2ID}))

	a, err := Open(c.Chonk())
	if err != nil {
		t.Fatal(err)
	}

	// k1 was trusted at genesis, so there's no better rewrite parent
	// than the genesis.
	k1ID, _ := k1.ID()
	k1P, err := a.findParentForRewrite(c.Chonk(), []tkatype.KeyID{k1ID}, k1ID)
	if err != nil {
		t.Fatalf("FindParentForRewrite(k1) failed: %v", err)
	}
	if k1P != a.oldestAncestor.Hash() {
		t.Errorf("FindParentForRewrite(k1) = %v, want %v", k1P, a.oldestAncestor.Hash())
	}

	// k3 was trusted at C, so B would be an ideal rewrite point.
	k3ID, _ := k3.ID()
	k3P, err := a.findParentForRewrite(c.Chonk(), []tkatype.KeyID{k3ID}, k1ID)
	if err != nil {
		t.Fatalf("FindParentForRewrite(k3) failed: %v", err)
	}
	if k3P != c.AUMHashes["B"] {
		t.Errorf("FindParentForRewrite(k3) = %v, want %v", k3P, c.AUMHashes["B"])
	}

	// k2 was added but then removed, so HEAD is an appropriate rewrite point.
	k2P, err := a.findParentForRewrite(c.Chonk(), []tkatype.KeyID{k2ID}, k1ID)
	if err != nil {
		t.Fatalf("FindParentForRewrite(k2) failed: %v", err)
	}
	if k3P != c.AUMHashes["B"] {
		t.Errorf("FindParentForRewrite(k2) = %v, want %v", k2P, a.Head())
	}

	// There's no appropriate point where both k2 and k3 are simultaneously not trusted,
	// so the best rewrite point is the genesis AUM.
	doubleP, err := a.findParentForRewrite(c.Chonk(), []tkatype.KeyID{k2ID, k3ID}, k1ID)
	if err != nil {
		t.Fatalf("FindParentForRewrite({k2, k3}) failed: %v", err)
	}
	if doubleP != a.oldestAncestor.Hash() {
		t.Errorf("FindParentForRewrite({k2, k3}) = %v, want %v", doubleP, a.oldestAncestor.Hash())
	}
}

func TestMakeRetroactiveRevocation(t *testing.T) {
	pub, _ := testingKey25519(t, 1)
	k1 := Key{Kind: Key25519, Public: pub, Votes: 1}

	pub2, _ := testingKey25519(t, 2)
	k2 := Key{Kind: Key25519, Public: pub2, Votes: 1}
	pub3, _ := testingKey25519(t, 3)
	k3 := Key{Kind: Key25519, Public: pub3, Votes: 1}

	c := newTestchain(t, `
        A -> B -> C -> D
        A.template = genesis
        C.template = add2
        D.template = add3
    `,
		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
			Keys:               []Key{k1},
			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
		}}),
		optTemplate("add2", AUM{MessageKind: AUMAddKey, Key: &k2}),
		optTemplate("add3", AUM{MessageKind: AUMAddKey, Key: &k3}))

	a, err := Open(c.Chonk())
	if err != nil {
		t.Fatal(err)
	}

	// k2 was added by C, so a forking revocation should:
	// - have B as a parent
	// - trust the remaining keys at the time, k1 & k3.
	k1ID, _ := k1.ID()
	k2ID, _ := k2.ID()
	k3ID, _ := k3.ID()
	forkingAUM, err := a.MakeRetroactiveRevocation(c.Chonk(), []tkatype.KeyID{k2ID}, k1ID, AUMHash{})
	if err != nil {
		t.Fatalf("MakeRetroactiveRevocation(k2) failed: %v", err)
	}
	if bHash := c.AUMHashes["B"]; !bytes.Equal(forkingAUM.PrevAUMHash, bHash[:]) {
		t.Errorf("forking AUM has parent %v, want %v", forkingAUM.PrevAUMHash, bHash[:])
	}
	if _, err := forkingAUM.State.GetKey(k1ID); err != nil {
		t.Error("Forked state did not trust k1")
	}
	if _, err := forkingAUM.State.GetKey(k3ID); err != nil {
		t.Error("Forked state did not trust k3")
	}
	if _, err := forkingAUM.State.GetKey(k2ID); err == nil {
		t.Error("Forked state trusted removed-key k2")
	}

	// Test that removing all trusted keys results in an error.
	_, err = a.MakeRetroactiveRevocation(c.Chonk(), []tkatype.KeyID{k1ID, k2ID, k3ID}, k1ID, AUMHash{})
	if wantErr := "cannot revoke all trusted keys"; err == nil || err.Error() != wantErr {
		t.Fatalf("MakeRetroactiveRevocation({k1, k2, k3}) returned %v, expected %q", err, wantErr)
	}
}