// Copyright 2023 Woodpecker Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package encryption

import "errors"

// Common.
const (
	rawKeyConfigFlag             = "encryption-raw-key"
	tinkKeysetFilepathConfigFlag = "encryption-tink-keyset"
	disableEncryptionConfigFlag  = "encryption-disable-flag"

	ciphertextSampleConfigKey = "encryption-ciphertext-sample"

	keyTypeTink = "tink"
	keyTypeRaw  = "raw"
	keyTypeNone = "none"

	keyIDAssociatedData   = "Primary key id"
	AES_GCM_SIV_NonceSize = 12 //nolint:revive,stylecheck
)

var (
	errEncryptionNotEnabled = errors.New("encryption is not enabled")
	errEncryptionKeyInvalid = errors.New("encryption key is invalid")
	errEncryptionKeyRotated = errors.New("encryption key is being rotated")
)

const (
	// Error wrapping templates.
	errTemplateFailedInitializingUnencrypted = "failed initializing server in unencrypted mode: %w"
	errTemplateFailedInitializing            = "failed initializing encryption service: %w"
	errTemplateFailedEnablingEncryption      = "failed enabling encryption: %w"
	errTemplateFailedRotatingEncryption      = "failed rotating encryption: %w"
	errTemplateFailedDisablingEncryption     = "failed disabling encryption: %w"
	errTemplateFailedLoadingServerConfig     = "failed to load server encryption config: %w"
	errTemplateFailedUpdatingServerConfig    = "failed updating server encryption configuration: %w"
	errTemplateFailedInitializingClients     = "failed initializing encryption clients: %w"
	errTemplateFailedValidatingKey           = "failed validating encryption key: %w"
	errTemplateEncryptionFailed              = "encryption error: %w"
	errTemplateBase64DecryptionFailed        = "decryption error: Base64 decryption failed. Cause: %w"
	errTemplateDecryptionFailed              = "decryption error: %w"

	// Error messages.
	errMessageTemplateUnsupportedKeyType = "unsupported encryption key type: %s"
	errMessageCantUseBothServices        = "cannot use raw encryption key and tink keyset at the same time"
	errMessageNoKeysProvided             = "encryption enabled but no keys provided"
	errMessageFailedRotatingEncryption   = "failed rotating encryption"

	// Log messages.
	logMessageEncryptionEnabled       = "encryption enabled"
	logMessageEncryptionDisabled      = "encryption disabled"
	logMessageEncryptionKeyRegistered = "registered new encryption key"
	logMessageClientsInitialized      = "initialized encryption on registered clients"
	logMessageClientsEnabled          = "enabled encryption on registered service"
	logMessageClientsRotated          = "updated encryption key on registered service"
	logMessageClientsDecrypted        = "disabled encryption on registered service"
)

// Tink.
const (
	// Error wrapping templates.
	errTemplateTinkFailedLoadingKeyset              = "failed loading encryption keyset: %w"
	errTemplateTinkFailedValidatingKeyset           = "failed validating encryption keyset: %w"
	errTemplateTinkFailedInitializeFileWatcher      = "failed initializing keyset file watcher: %w"
	errTemplateTinkFailedSubscribeKeysetFileChanges = "failed subscribing on encryption keyset file changes: %w"
	errTemplateTinkFailedOpeningKeyset              = "failed opening encryption keyset file: %w"
	errTemplateTinkFailedReadingKeyset              = "failed reading encryption keyset from file: %w"
	errTemplateTinkFailedInitializingAEAD           = "failed initializing AEAD instance: %w"

	// Error messages.
	errMessageTinkKeysetFileWatchFailed = "failed watching encryption keyset file changes"

	// Log message templates.
	logTemplateTinkKeysetFileChanged       = "changes detected in encryption keyset file: '%s'. Encryption service will be reloaded"
	logTemplateTinkLoadingKeyset           = "loading encryption keyset from file: %s"
	logTemplateTinkFailedClosingKeysetFile = "could not close keyset file: %s"
)

// AES.
const (
	// Error wrapping templates.
	errTemplateAesFailedLoadingCipher   = "failed loading encryption cipher: %w"
	errTemplateAesFailedCalculatingHash = "failed calculating hash: %w"
	errTemplateAesFailedGeneratingKey   = "failed generating key from passphrase: %w"
	errTemplateAesFailedGeneratingKeyID = "failed generating key id: %w"
)