require 'socket'

require 'net/ssh/errors'
require 'net/ssh/loggable'
require 'net/ssh/version'
require 'net/ssh/transport/algorithms'
require 'net/ssh/transport/constants'
require 'net/ssh/transport/packet_stream'
require 'net/ssh/transport/server_version'
require 'net/ssh/verifiers/accept_new_or_local_tunnel'
require 'net/ssh/verifiers/accept_new'
require 'net/ssh/verifiers/always'
require 'net/ssh/verifiers/never'

module Net
  module SSH
    module Transport

      # The transport layer represents the lowest level of the SSH protocol, and
      # implements basic message exchanging and protocol initialization. It will
      # never be instantiated directly (unless you really know what you're about),
      # but will instead be created for you automatically when you create a new
      # SSH session via Net::SSH.start.
      class Session
        include Loggable
        include Constants

        # The standard port for the SSH protocol.
        DEFAULT_PORT = 22

        # The host to connect to, as given to the constructor.
        attr_reader :host

        # The port number to connect to, as given in the options to the constructor.
        # If no port number was given, this will default to DEFAULT_PORT.
        attr_reader :port

        # The underlying socket object being used to communicate with the remote
        # host.
        attr_reader :socket

        # The ServerVersion instance that encapsulates the negotiated protocol
        # version.
        attr_reader :server_version

        # The Algorithms instance used to perform key exchanges.
        attr_reader :algorithms

        # The host-key verifier object used to verify host keys, to ensure that
        # the connection is not being spoofed.
        attr_reader :host_key_verifier

        # The hash of options that were given to the object at initialization.
        attr_reader :options

        # Instantiates a new transport layer abstraction. This will block until
        # the initial key exchange completes, leaving you with a ready-to-use
        # transport session.
        def initialize(host, options={})
          self.logger = options[:logger]

          @host = host
          @port = options[:port] || DEFAULT_PORT
          @bind_address = options[:bind_address] || nil
          @options = options

          @socket =
            if (factory = options[:proxy])
              debug { "establishing connection to #{@host}:#{@port} through proxy" }
              factory.open(@host, @port, options)
            else
              debug { "establishing connection to #{@host}:#{@port}" }
              Socket.tcp(@host, @port, @bind_address, nil,
                         connect_timeout: options[:timeout])
            end

          @socket.extend(PacketStream)
          @socket.logger = @logger

          debug { "connection established" }

          @queue = []

          @host_key_verifier = select_host_key_verifier(options[:verify_host_key])

          @server_version = ServerVersion.new(socket, logger, options[:timeout])

          @algorithms = Algorithms.new(self, options)
          @algorithms.start
          wait { algorithms.initialized? }
        rescue Errno::ETIMEDOUT
          raise Net::SSH::ConnectionTimeout
        end

        def host_keys
          @host_keys ||= begin
            known_hosts = options.fetch(:known_hosts, KnownHosts)
            known_hosts.search_for(options[:host_key_alias] || host_as_string, options)
          end
        end

        # Returns the host (and possibly IP address) in a format compatible with
        # SSH known-host files.
        def host_as_string
          @host_as_string ||= begin
            string = "#{host}"
            string = "[#{string}]:#{port}" if port != DEFAULT_PORT

            peer_ip = socket.peer_ip

            if peer_ip != Net::SSH::Transport::PacketStream::PROXY_COMMAND_HOST_IP &&
               peer_ip != host
              string2 = peer_ip
              string2 = "[#{string2}]:#{port}" if port != DEFAULT_PORT
              string << "," << string2
            end

            string
          end
        end

        # Returns true if the underlying socket has been closed.
        def closed?
          socket.closed?
        end

        # Cleans up (see PacketStream#cleanup) and closes the underlying socket.
        def close
          socket.cleanup
          socket.close
        end

        # Performs a "hard" shutdown of the connection. In general, this should
        # never be done, but it might be necessary (in a rescue clause, for instance,
        # when the connection needs to close but you don't know the status of the
        # underlying protocol's state).
        def shutdown!
          error { "forcing connection closed" }
          socket.close
        end

        # Returns a new service_request packet for the given service name, ready
        # for sending to the server.
        def service_request(service)
          Net::SSH::Buffer.from(:byte, SERVICE_REQUEST, :string, service)
        end

        # Requests a rekey operation, and blocks until the operation completes.
        # If a rekey is already pending, this returns immediately, having no
        # effect.
        def rekey!
          if !algorithms.pending?
            algorithms.rekey!
            wait { algorithms.initialized? }
          end
        end

        # Returns immediately if a rekey is already in process. Otherwise, if a
        # rekey is needed (as indicated by the socket, see PacketStream#if_needs_rekey?)
        # one is performed, causing this method to block until it completes.
        def rekey_as_needed
          return if algorithms.pending?
          socket.if_needs_rekey? { rekey! }
        end

        # Returns a hash of information about the peer (remote) side of the socket,
        # including :ip, :port, :host, and :canonized (see #host_as_string).
        def peer
          @peer ||= { ip: socket.peer_ip, port: @port.to_i, host: @host, canonized: host_as_string }
        end

        # Blocks until a new packet is available to be read, and returns that
        # packet. See #poll_message.
        def next_message
          poll_message(:block)
        end

        # Tries to read the next packet from the socket. If mode is :nonblock (the
        # default), this will not block and will return nil if there are no packets
        # waiting to be read. Otherwise, this will block until a packet is
        # available. Note that some packet types (DISCONNECT, IGNORE, UNIMPLEMENTED,
        # DEBUG, and KEXINIT) are handled silently by this method, and will never
        # be returned.
        #
        # If a key-exchange is in process and a disallowed packet type is
        # received, it will be enqueued and otherwise ignored. When a key-exchange
        # is not in process, and consume_queue is true, packets will be first
        # read from the queue before the socket is queried.
        def poll_message(mode=:nonblock, consume_queue=true)
          loop do
            return @queue.shift if consume_queue && @queue.any? && algorithms.allow?(@queue.first)

            packet = socket.next_packet(mode, options[:timeout])
            return nil if packet.nil?

            case packet.type
            when DISCONNECT
              raise Net::SSH::Disconnect, "disconnected: #{packet[:description]} (#{packet[:reason_code]})"

            when IGNORE
              debug { "IGNORE packet received: #{packet[:data].inspect}" }

            when UNIMPLEMENTED
              lwarn { "UNIMPLEMENTED: #{packet[:number]}" }

            when DEBUG
              send(packet[:always_display] ? :fatal : :debug) { packet[:message] }

            when KEXINIT
              algorithms.accept_kexinit(packet)

            else
              return packet if algorithms.allow?(packet)
              push(packet)
            end
          end
        end

        # Waits (blocks) until the given block returns true. If no block is given,
        # this just waits long enough to see if there are any pending packets. Any
        # packets read are enqueued (see #push).
        def wait
          loop do
            break if block_given? && yield
            message = poll_message(:nonblock, false)
            push(message) if message
            break if !block_given?
          end
        end

        # Adds the given packet to the packet queue. If the queue is non-empty,
        # #poll_message will return packets from the queue in the order they
        # were received.
        def push(packet)
          @queue.push(packet)
        end

        # Sends the given message via the packet stream, blocking until the
        # entire message has been sent.
        def send_message(message)
          socket.send_packet(message)
        end

        # Enqueues the given message, such that it will be sent at the earliest
        # opportunity. This does not block, but returns immediately.
        def enqueue_message(message)
          socket.enqueue_packet(message)
        end

        # Configure's the packet stream's client state with the given set of
        # options. This is typically used to define the cipher, compression, and
        # hmac algorithms to use when sending packets to the server.
        def configure_client(options={})
          socket.client.set(options)
        end

        # Configure's the packet stream's server state with the given set of
        # options. This is typically used to define the cipher, compression, and
        # hmac algorithms to use when reading packets from the server.
        def configure_server(options={})
          socket.server.set(options)
        end

        # Sets a new hint for the packet stream, which the packet stream may use
        # to change its behavior. (See PacketStream#hints).
        def hint(which, value=true)
          socket.hints[which] = value
        end

        public

        # this method is primarily for use in tests
        attr_reader :queue #:nodoc:

        private

        # Compatibility verifier which allows users to keep using
        # custom verifier code without adding new :verify_signature
        # method.
        class CompatibleVerifier
          def initialize(verifier)
            @verifier = verifier
          end

          def verify(arguments)
            @verifier.verify(arguments)
          end

          def verify_signature(&block)
            yield
          end
        end

        # Instantiates a new host-key verification class, based on the value of
        # the parameter.
        #
        # Usually, the argument is a symbol like `:never` which corresponds to
        # a verifier, like `::Net::SSH::Verifiers::Never`.
        #
        # - :never (very insecure)
        # - :accept_new_or_local_tunnel (insecure)
        # - :accept_new (insecure)
        # - :always (secure)
        #
        # If the argument happens to respond to :verify and :verify_signature,
        # it is returned directly. Otherwise, an exception is raised.
        #
        # Values false, true, and :very were deprecated in
        # [#595](https://github.com/net-ssh/net-ssh/pull/595)
        def select_host_key_verifier(verifier)
          case verifier
          when false
            Kernel.warn('verify_host_key: false is deprecated, use :never')
            Net::SSH::Verifiers::Never.new
          when :never then
            Net::SSH::Verifiers::Never.new
          when true
            Kernel.warn('verify_host_key: true is deprecated, use :accept_new_or_local_tunnel')
            Net::SSH::Verifiers::AcceptNewOrLocalTunnel.new
          when :accept_new_or_local_tunnel, nil then
            Net::SSH::Verifiers::AcceptNewOrLocalTunnel.new
          when :very
            Kernel.warn('verify_host_key: :very is deprecated, use :accept_new')
            Net::SSH::Verifiers::AcceptNew.new
          when :accept_new then
            Net::SSH::Verifiers::AcceptNew.new
          when :secure then
            Kernel.warn('verify_host_key: :secure is deprecated, use :always')
            Net::SSH::Verifiers::Always.new
          when :always then
            Net::SSH::Verifiers::Always.new
          else
            if verifier.respond_to?(:verify)
              if verifier.respond_to?(:verify_signature)
                verifier
              else
                Kernel.warn("Warning: verifier without :verify_signature is deprecated")
                CompatibleVerifier.new(verifier)
              end
            else
              raise(
                ArgumentError,
                "Invalid argument to :verify_host_key (or deprecated " \
                ":paranoid): #{verifier.inspect}"
              )
            end
          end
        end
      end
    end
  end
end