package tls

import (
	
	

	
)

// Tracking the state of calling conn.loadSession
type LoadSessionTrackerState int

const NeverCalled LoadSessionTrackerState = 0
const UtlsAboutToCall LoadSessionTrackerState = 1
const CalledByULoadSession LoadSessionTrackerState = 2
const CalledByGoTLS LoadSessionTrackerState = 3

// The state of the session controller
type sessionControllerState int

const NoSession sessionControllerState = 0
const SessionTicketExtInitialized sessionControllerState = 1
const SessionTicketExtAllSet sessionControllerState = 2
const PskExtInitialized sessionControllerState = 3
const PskExtAllSet sessionControllerState = 4

// sessionController is responsible for managing and controlling all session related states. It manages the lifecycle of the session ticket extension and the psk extension, including initialization, removal if the client hello spec doesn't contain any of them, and setting the prepared state to the client hello.
//
// Users should never directly modify the underlying state. Violations will result in undefined behaviors.
//
// Users should never construct sessionController by themselves, use the function `newSessionController` instead.
type sessionController struct {
	// sessionTicketExt logically owns the session ticket extension
	sessionTicketExt ISessionTicketExtension

	// pskExtension logically owns the psk extension
	pskExtension PreSharedKeyExtension

	// uconnRef is a reference to the uconn
	uconnRef *UConn

	// state represents the internal state of the sessionController. Users are advised to modify the state only through designated methods and avoid direct manipulation, as doing so may result in undefined behavior.
	state sessionControllerState

	// loadSessionTracker keeps track of how the conn.loadSession method is being utilized.
	loadSessionTracker LoadSessionTrackerState

	// callingLoadSession is a boolean flag that indicates whether the `conn.loadSession` function is currently being invoked.
	callingLoadSession bool

	// locked is a boolean flag that becomes true once all states are appropriately set. Once `locked` is true, further modifications are disallowed, except for the binders.
	locked bool
}

// newSessionController constructs a new SessionController
func ( *UConn) *sessionController {
	return &sessionController{
		uconnRef:           ,
		sessionTicketExt:   nil,
		pskExtension:       nil,
		state:              NoSession,
		locked:             false,
		callingLoadSession: false,
		loadSessionTracker: NeverCalled,
	}
}

func ( *sessionController) () bool {
	return .locked
}

type shouldLoadSessionResult int

const shouldReturn shouldLoadSessionResult = 0
const shouldSetTicket shouldLoadSessionResult = 1
const shouldSetPsk shouldLoadSessionResult = 2
const shouldLoad shouldLoadSessionResult = 3

// shouldLoadSession determines the appropriate action to take when it is time to load the session for the clientHello.
// There are several possible scenarios:
//   - If a session ticket is already initialized, typically via the `initSessionTicketExt()` function, the ticket should be set in the client hello.
//   - If a pre-shared key (PSK) is already initialized, typically via the `overridePskExt()` function, the PSK should be set in the client hello.
//   - If both the `sessionTicketExt` and `pskExtension` are nil, which might occur if the client hello spec does not include them, we should skip the loadSession().
//   - In all other cases, the function proceeds to load the session.
func ( *sessionController) () shouldLoadSessionResult {
	if .sessionTicketExt == nil && .pskExtension == nil || .uconnRef.clientHelloBuildStatus != NotBuilt {
		// No need to load session since we don't have the related extensions.
		return shouldReturn
	}
	if .state == SessionTicketExtInitialized {
		return shouldSetTicket
	}
	if .state == PskExtInitialized {
		return shouldSetPsk
	}
	return shouldLoad
}

// utlsAboutToLoadSession updates the loadSessionTracker to `UtlsAboutToCall` to signal the initiation of a session loading operation,
// provided that the preconditions are met. If the preconditions are not met (due to incorrect utls implementation), this function triggers a panic.
func ( *sessionController) () {
	uAssert(.state == NoSession && !.locked, "tls: aboutToLoadSession failed: must only load session when the session of the client hello is not locked and when there's currently no session")
	.loadSessionTracker = UtlsAboutToCall
}

func ( *sessionController) ( string) {
	if .uconnRef.clientHelloBuildStatus != NotBuilt {
		panic(fmt.Sprintf("tls: %s failed: we can't modify the session after the clientHello is built", ))
	}
}

func ( *sessionController) ( string,  sessionControllerState,  ...sessionControllerState) {
	if .state !=  && !anyTrue(, func( int,  *sessionControllerState) bool {
		return .state == *
	}) {
		panic(fmt.Sprintf("tls: %s failed: undesired controller state %d", , .state))
	}
}

func ( *sessionController) ( string) {
	if .locked {
		panic(fmt.Sprintf("tls: %s failed: you must not modify the session after it's locked", ))
	}
}

func ( *sessionController) (,  string) {
	if !.uconnRef.skipResumptionOnNilExtension {
		panic(fmt.Sprintf("tls: %s failed: session resumption is enabled, but there is no %s in the ClientHelloSpec; Please consider provide one in the ClientHelloSpec; If this is intentional, you may consider disable resumption by setting Config.SessionTicketsDisabled to true, or set Config.PreferSkipResumptionOnNilExtension to true to suppress this exception", , ))
	}
}

// finalCheck performs a comprehensive check on the updated state to ensure the correctness of the changes.
// If the checks pass successfully, the sessionController's state will be locked.
// Any failure in passing the tests indicates incorrect implementations in the utls, which will result in triggering a panic.
// Refer to the documentation for the `locked` field for more detailed information.
func ( *sessionController) () {
	.assertControllerState("SessionController.finalCheck", PskExtAllSet, SessionTicketExtAllSet, NoSession)
	.locked = true
}

func [ Initializable,  func()]( ,  ) {
	uAssert(!.IsInitialized(), "tls: initialization failed: the extension is already initialized")
	()
	uAssert(.IsInitialized(), "tls: initialization failed: the extension is not initialized after initialization")
}

// initSessionTicketExt initializes the ticket and sets the state to `TicketInitialized`.
func ( *sessionController) ( *SessionState,  []byte) {
	.assertNotLocked("initSessionTicketExt")
	.assertHelloNotBuilt("initSessionTicketExt")
	.assertControllerState("initSessionTicketExt", NoSession)
	panicOnNil("initSessionTicketExt", , )
	if .sessionTicketExt == nil {
		.assertCanSkip("initSessionTicketExt", "session ticket extension")
		return
	}
	initializationGuard(.sessionTicketExt, func( ISessionTicketExtension) {
		.sessionTicketExt.InitializeByUtls(, )
	})
	.state = SessionTicketExtInitialized
}

// initPSK initializes the PSK extension using a valid session. The PSK extension
// should not be initialized previously, and the parameters must not be nil;
// otherwise, this function will trigger a panic.
func ( *sessionController) ( *SessionState,  *tls13.EarlySecret,  []byte,  []pskIdentity) {
	.assertNotLocked("initPskExt")
	.assertHelloNotBuilt("initPskExt")
	.assertControllerState("initPskExt", NoSession)
	panicOnNil("initPskExt", , , )
	if .pskExtension == nil {
		.assertCanSkip("initPskExt", "pre-shared key extension")
		return
	}
	initializationGuard(.pskExtension, func( PreSharedKeyExtension) {
		 := mapSlice(, func( pskIdentity) PskIdentity {
			return PskIdentity{
				Label:               .label,
				ObfuscatedTicketAge: .obfuscatedTicketAge,
			}
		})
		.InitializeByUtls(, .Secret(), , )
	})

	.state = PskExtInitialized
}

// setSessionTicketToUConn write the ticket states from the session ticket extension to the client hello and handshake state.
func ( *sessionController) () {
	uAssert(.sessionTicketExt != nil && .state == SessionTicketExtInitialized, "tls: setSessionTicketExt failed: invalid state")
	.uconnRef.HandshakeState.Session = .sessionTicketExt.GetSession()
	.uconnRef.HandshakeState.Hello.SessionTicket = .sessionTicketExt.GetTicket()
	.state = SessionTicketExtAllSet
}

// setPskToUConn sets the psk to the handshake state and client hello.
func ( *sessionController) () {
	uAssert(.pskExtension != nil && (.state == PskExtInitialized || .state == PskExtAllSet), "tls: setPskToUConn failed: invalid state")
	 := .pskExtension.GetPreSharedKeyCommon()
	if .state == PskExtInitialized {
		.uconnRef.HandshakeState.State13.EarlySecret = .EarlySecret
		.uconnRef.HandshakeState.Session = .Session
		.uconnRef.HandshakeState.Hello.PskIdentities = .Identities
		.uconnRef.HandshakeState.Hello.PskBinders = .Binders
	} else if .state == PskExtAllSet {
		uAssert(.uconnRef.HandshakeState.Session == .Session && sliceEq(.uconnRef.HandshakeState.State13.EarlySecret, .EarlySecret) &&
			allTrue(.uconnRef.HandshakeState.Hello.PskIdentities, func( int,  *PskIdentity) bool {
				return .Identities[].ObfuscatedTicketAge == .ObfuscatedTicketAge && sliceEq(.Identities[].Label, .Label)
			}), "tls: setPskToUConn failed: only binders are allowed to change on state `PskAllSet`")
	}
	.uconnRef.HandshakeState.State13.BinderKey = .BinderKey
	.state = PskExtAllSet
}

// shouldUpdateBinders determines whether binders should be updated based on the presence of an initialized psk extension.
// This function returns true if an initialized psk extension exists. Binders are allowed to be updated when the state is `PskAllSet`,
// as the `BuildHandshakeState` function can be called multiple times in this case. However, it's important to note that
// the session state, apart from binders, should not be altered more than once.
func ( *sessionController) () bool {
	if .pskExtension == nil {
		return false
	}
	return (.state == PskExtInitialized || .state == PskExtAllSet)
}

func ( *sessionController) () {
	uAssert(.shouldUpdateBinders(), "tls: updateBinders failed: shouldn't update binders")
	.pskExtension.PatchBuiltHello(.uconnRef.HandshakeState.Hello)
}

func ( *sessionController) ( Initializable,  func(),  sessionControllerState) error {
	panicOnNil("overrideExtension", )
	.assertNotLocked("overrideExtension")
	.assertControllerState("overrideExtension", NoSession)
	()
	if .IsInitialized() {
		.state = 
	}
	return nil
}

// overridePskExt allows the user of utls to customize the psk extension.
func ( *sessionController) ( PreSharedKeyExtension) error {
	return .overrideExtension(, func() { .pskExtension =  }, PskExtInitialized)
}

// overridePskExt allows the user of utls to customize the session ticket extension.
func ( *sessionController) ( ISessionTicketExtension) error {
	return .overrideExtension(, func() { .sessionTicketExt =  }, SessionTicketExtInitialized)
}

// syncSessionExts synchronizes the sessionController with the session-related
// extensions from the extension list after applying client hello specs.
//
//   - If the extension list is missing the session ticket extension or PSK
//     extension, owned extensions are dropped and states are reset.
//   - If the user provides a session ticket extension or PSK extension, the
//     corresponding extension from the extension list will be replaced.
//   - If the user doesn't provide session-related extensions, the extensions
//     from the extension list will be utilized.
//
// This function ensures that there is only one session ticket extension or PSK
// extension, and that the PSK extension is the last extension in the extension
// list.
func ( *sessionController) () error {
	uAssert(.uconnRef.clientHelloBuildStatus == NotBuilt, "tls: checkSessionExts failed: we can't modify the session after the clientHello is built")
	.assertNotLocked("checkSessionExts")
	.assertHelloNotBuilt("checkSessionExts")
	.assertControllerState("checkSessionExts", NoSession, SessionTicketExtInitialized, PskExtInitialized)
	 := 0
	 := false
	for ,  := range .uconnRef.Extensions {
		switch ext := .(type) {
		case ISessionTicketExtension:
			uAssert( == 0, "tls: checkSessionExts failed: multiple ISessionTicketExtensions in the extension list")
			if .sessionTicketExt == nil {
				// If there isn't a user-provided session ticket extension, use the one from the spec
				.sessionTicketExt = 
			} else {
				// Otherwise, replace the one in the extension list with the user-provided one
				.uconnRef.Extensions[] = .sessionTicketExt
			}
			 += 1
		case PreSharedKeyExtension:
			uAssert( == len(.uconnRef.Extensions)-1, "tls: checkSessionExts failed: PreSharedKeyExtension must be the last extension")
			if .pskExtension == nil {
				// If there isn't a user-provided psk extension, use the one from the spec
				.pskExtension = 
			} else {
				// Otherwise, replace the one in the extension list with the user-provided one
				.uconnRef.Extensions[] = .pskExtension
			}
			.pskExtension.SetOmitEmptyPsk(.uconnRef.config.OmitEmptyPsk)
			 = true
		}
	}
	if  == 0 {
		if .state == SessionTicketExtInitialized {
			return errors.New("tls: checkSessionExts failed: the user provided a session ticket, but the specification doesn't contain one")
		}
		.sessionTicketExt = nil
		.uconnRef.HandshakeState.Session = nil
		.uconnRef.HandshakeState.Hello.SessionTicket = nil
	}
	if ! {
		if .state == PskExtInitialized {
			return errors.New("tls: checkSessionExts failed: the user provided a psk, but the specification doesn't contain one")
		}
		.pskExtension = nil
		.uconnRef.HandshakeState.State13.BinderKey = nil
		.uconnRef.HandshakeState.State13.EarlySecret = nil
		.uconnRef.HandshakeState.Session = nil
		.uconnRef.HandshakeState.Hello.PskIdentities = nil
	}
	return nil
}

// onEnterLoadSessionCheck is intended to be invoked upon entering the `conn.loadSession` function.
// It is designed to ensure the correctness of the utls implementation. If the utls implementation is found to be incorrect, this function will trigger a panic.
func ( *sessionController) () {
	uAssert(!.locked, "tls: LoadSessionCoordinator.onEnterLoadSessionCheck failed: session is set and locked, no call to loadSession is allowed")
	switch .loadSessionTracker {
	case UtlsAboutToCall, NeverCalled:
		.callingLoadSession = true
	case CalledByULoadSession, CalledByGoTLS:
		panic("tls: LoadSessionCoordinator.onEnterLoadSessionCheck failed: you must not call loadSession() twice")
	default:
		panic("tls: LoadSessionCoordinator.onEnterLoadSessionCheck failed: unimplemented state")
	}
}

// onLoadSessionReturn is intended to be invoked upon returning from the `conn.loadSession` function.
// It serves as a validation step for the correctness of the underlying utls implementation.
// If the utls implementation is incorrect, this function will trigger a panic.
func ( *sessionController) () {
	uAssert(.callingLoadSession, "tls: LoadSessionCoordinator.onLoadSessionReturn failed: it's not loading sessions, perhaps this function is not being called by loadSession.")
	switch .loadSessionTracker {
	case NeverCalled:
		.loadSessionTracker = CalledByGoTLS
	case UtlsAboutToCall:
		.loadSessionTracker = CalledByULoadSession
	default:
		panic("tls: LoadSessionCoordinator.onLoadSessionReturn failed: unimplemented state")
	}
	.callingLoadSession = false
}

// shouldLoadSessionWriteBinders checks if `conn.loadSession` should proceed to write binders and marshal the client hello. If the utls implementation
// is incorrect, this function will trigger a panic.
func ( *sessionController) () bool {
	uAssert(.callingLoadSession, "tls: shouldWriteBinders failed: LoadSessionCoordinator isn't loading sessions, perhaps this function is not being called by loadSession.")

	switch .loadSessionTracker {
	case NeverCalled:
		return true
	case UtlsAboutToCall:
		return false
	default:
		panic("tls: shouldWriteBinders failed: unimplemented state")
	}
}