// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// Copyright by contributors to this project.
// SPDX-License-Identifier: (Apache-2.0 OR MIT)

use crate::{identity::CredentialType, identity::SigningIdentity, time::MlsTime};
use alloc::vec;
use alloc::vec::Vec;
pub use mls_rs_core::identity::BasicCredential;
use mls_rs_core::{error::IntoAnyError, extension::ExtensionList, identity::IdentityProvider};

#[derive(Debug)]
#[cfg_attr(feature = "std", derive(thiserror::Error))]
#[cfg_attr(feature = "std", error("unsupported credential type found: {0:?}"))]
/// Error returned in the event that a non-basic
/// credential is passed to a [`BasicIdentityProvider`].
pub struct BasicIdentityProviderError(CredentialType);

impl IntoAnyError for BasicIdentityProviderError {
    #[cfg(feature = "std")]
    fn into_dyn_error(self) -> Result<Box<dyn std::error::Error + Send + Sync>, Self> {
        Ok(self.into())
    }
}

impl BasicIdentityProviderError {
    pub fn credential_type(&self) -> CredentialType {
        self.0
    }
}

#[derive(Clone, Debug, Default)]
/// An always-valid identity provider that works with [`BasicCredential`].
///
/// # Warning
///
/// This provider always returns `true` for `validate` as long as the
/// [`SigningIdentity`] used contains a [`BasicCredential`]. It is only
/// recommended to use this provider for testing purposes.
pub struct BasicIdentityProvider;

impl BasicIdentityProvider {
    pub fn new() -> Self {
        Self
    }
}

fn resolve_basic_identity(
    signing_id: &SigningIdentity,
) -> Result<&BasicCredential, BasicIdentityProviderError> {
    signing_id
        .credential
        .as_basic()
        .ok_or_else(|| BasicIdentityProviderError(signing_id.credential.credential_type()))
}

#[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
#[cfg_attr(mls_build_async, maybe_async::must_be_async)]
impl IdentityProvider for BasicIdentityProvider {
    type Error = BasicIdentityProviderError;

    async fn validate_member(
        &self,
        signing_identity: &SigningIdentity,
        _timestamp: Option<MlsTime>,
        _extensions: Option<&ExtensionList>,
    ) -> Result<(), Self::Error> {
        resolve_basic_identity(signing_identity).map(|_| ())
    }

    async fn validate_external_sender(
        &self,
        signing_identity: &SigningIdentity,
        _timestamp: Option<MlsTime>,
        _extensions: Option<&ExtensionList>,
    ) -> Result<(), Self::Error> {
        resolve_basic_identity(signing_identity).map(|_| ())
    }

    async fn identity(
        &self,
        signing_identity: &SigningIdentity,
        _extensions: &ExtensionList,
    ) -> Result<Vec<u8>, Self::Error> {
        resolve_basic_identity(signing_identity).map(|b| b.identifier.to_vec())
    }

    async fn valid_successor(
        &self,
        predecessor: &SigningIdentity,
        successor: &SigningIdentity,
        _extensions: &ExtensionList,
    ) -> Result<bool, Self::Error> {
        Ok(resolve_basic_identity(predecessor)? == resolve_basic_identity(successor)?)
    }

    fn supported_types(&self) -> Vec<CredentialType> {
        vec![BasicCredential::credential_type()]
    }
}