/*
 * Amazon FreeRTOS
 * Copyright (C) 2017 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy of
 * this software and associated documentation files (the "Software"), to deal in
 * the Software without restriction, including without limitation the rights to
 * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 * the Software, and to permit persons to whom the Software is furnished to do so,
 * subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
 * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 *
 * http://aws.amazon.com/freertos
 * http://www.FreeRTOS.org
 */

/**
 * @file aws_ota_agent.h
 * @brief OTA Agent Interface
 */

#ifndef _AWS_OTA_AGENT_H_
#define _AWS_OTA_AGENT_H_

/* Type definitions for OTA Agent */
#include "aws_ota_types.h"

/* Includes required by the FreeRTOS timers structure. */
#include "FreeRTOS.h"
#include "timers.h"

/* Include for console serial output. */
#include "aws_logging_task.h"

/* Evaluates to the length of a constant string defined like 'static const char str[]= "xyz"; */
#define CONST_STRLEN( s )    ( ( ( uint32_t ) sizeof( s ) ) - 1UL )

/* The OTA signature algorithm string is specified by the PAL. */
#define OTA_FILE_SIG_KEY_STR_MAX_LENGTH    32
extern const char cOTA_JSON_FileSignatureKey[ OTA_FILE_SIG_KEY_STR_MAX_LENGTH ];

/**
 * @brief Special OTA Agent printing definition.
 */
#define OTA_DEBUG_LOG_LEVEL    1
#if OTA_DEBUG_LOG_LEVEL >= 1
    #define DEFINE_OTA_METHOD_NAME( name )    static const char OTA_METHOD_NAME[] = name;
    #define OTA_LOG_L1         vLoggingPrintf
#else
    #define DEFINE_OTA_METHOD_NAME( name )
    #define OTA_LOG_L1( ... )
#endif
#if OTA_DEBUG_LOG_LEVEL >= 2
    #define DEFINE_OTA_METHOD_NAME_L2( name )    static const char OTA_METHOD_NAME[] = name;
    #define OTA_LOG_L2    vLoggingPrintf
#else
    #define DEFINE_OTA_METHOD_NAME_L2( name )
    #define OTA_LOG_L2( ... )
#endif
#if OTA_DEBUG_LOG_LEVEL >= 3
    #define DEFINE_OTA_METHOD_NAME_L3( name )    static const char OTA_METHOD_NAME[] = name;
    #define OTA_LOG_L3    vLoggingPrintf
#else
    #define DEFINE_OTA_METHOD_NAME_L3( name )
    #define OTA_LOG_L3( ... )
#endif

/**
 * @brief OTA Agent states.
 *
 * The current state of the OTA Task (OTA Agent).
 *
 * @note There is currently support only for a single OTA context.
 */
typedef enum
{
    eOTA_AgentState_Unknown = -1,     /*!< The OTA agent state is not yet known. */
    eOTA_AgentState_NotReady = 0,     /*!< The OTA agent task is not running. */
    eOTA_AgentState_Ready = 1,        /*!< The OTA agent task is running and ready to transfer. */
    eOTA_AgentState_Active = 2,       /*!< The OTA agent is actively receiving an update. */
    eOTA_AgentState_ShuttingDown = 3, /*!< The OTA agent task is performing shut down activities. */
    eOTA_NumAgentStates = 4
} OTA_State_t;

/* A composite cryptographic signature structure able to hold our largest supported signature. */

#define kOTA_MaxSignatureSize    256            /* Max bytes supported for a file signature (2048 bit RSA is 256 bytes). */

typedef struct
{
    uint16_t usSize;                         /* Size, in bytes, of the signature. */
    uint8_t ucData[ kOTA_MaxSignatureSize ]; /* The binary signature data. */
} Sig256_t;

/**
 * @brief OTA Error type.
 */
typedef uint32_t OTA_Err_t;

/**
 * @defgroup OTA Error code operation helpers.
 * @brief Helper constants for extracting the error code from the OTA error returned.
 *
 * The OTA error codes consist of an agent code in the upper 8 bits of a 32 bit word and sometimes
 * merged with a platform specific code in the lower 24 bits. You must refer to the platform PAL
 * layer in use to determine the meaning of the lower 24 bits.
 */
#define kOTA_PAL_ErrMask                 0xffffffUL   /*!< The PAL layer uses the signed low 24 bits of the OTA error code. */
#define kOTA_Main_ErrMask                0xff000000UL /*!< Mask out all but the OTA Agent error code (high 8 bits). */
#define kOTA_MainErrShiftDownBits        24U          /*!< The OTA Agent error code is the highest 8 bits of the word. */

/**
 * @defgroup OTA Agent error codes.
 * @brief Error codes returned by OTA agent API.
 *
 * @note OTA agent error codes are in the upper 8 bits of the 32 bit OTA error word, OTA_Err_t.
 */
#define kOTA_Err_Panic                   0xfe000000UL     /*!< Unrecoverable FW error. Probably should log error and reboot. */
#define kOTA_Err_Uninitialized           0xff000000UL     /*!< The error code has not yet been set by a logic path. */
#define kOTA_Err_None                    0x00000000UL
#define kOTA_Err_SignatureCheckFailed    0x01000000UL     /*!< The signature check failed for the specified file. */
#define kOTA_Err_BadSignerCert           0x02000000UL     /*!< The signer certificate was not readable or zero length. */
#define kOTA_Err_OutOfMemory             0x03000000UL     /*!< General out of memory error. */
#define kOTA_Err_ActivateFailed          0x04000000UL     /*!< The activation of the new OTA image failed. */
#define kOTA_Err_CommitFailed            0x05000000UL     /*!< The acceptance commit of the new OTA image failed. */
#define kOTA_Err_RejectFailed            0x06000000UL     /*!< Error trying to reject the OTA image. */
#define kOTA_Err_AbortFailed             0x07000000UL     /*!< Error trying to abort the OTA. */
#define kOTA_Err_PublishFailed           0x08000000UL     /*!< Attempt to publish a MQTT message failed. */
#define kOTA_Err_BadImageState           0x09000000UL     /*!< The specified OTA image state was out of range. */
#define kOTA_Err_NoActiveJob             0x0a000000UL     /*!< Attempt to set final image state without an active job. */
#define kOTA_Err_NoFreeContext           0x0b000000UL     /*!< There wasn't an OTA file context available for processing. */
#define kOTA_Err_FileAbort               0x10000000UL     /*!< Error in low level file abort. */
#define kOTA_Err_FileClose               0x11000000UL     /*!< Error in low level file close. */
#define kOTA_Err_RxFileCreateFailed      0x12000000UL     /*!< The PAL failed to create the OTA receive file. */
#define kOTA_Err_BootInfoCreateFailed    0x13000000UL     /*!< The PAL failed to create the OTA boot info file. */
#define kOTA_Err_RxFileTooLarge          0x14000000UL     /*!< The OTA receive file is too big for the platform to support. */
#define kOTA_Err_NullFilePtr             0x20000000UL     /*!< Attempt to use a null file pointer. */
#define kOTA_Err_MomentumAbort           0x21000000UL     /*!< Too many OTA stream requests without any response. */
#define kOTA_Err_DowngradeNotAllowed     0x22000000UL     /*!< Firmware version is older than the previous version. */
#define kOTA_Err_SameFirmwareVersion     0x23000000UL     /*!< Firmware version is the same as previous. New firmware could have failed to commit. */
#define kOTA_Err_JobParserError          0x24000000UL     /*!< An error occurred during job document parsing. See reason sub-code. */
#define kOTA_Err_FailedToEncodeCBOR      0x25000000UL     /*!< Failed to encode CBOR object. */
#define kOTA_Err_ImageStateMismatch      0x26000000UL     /*!< The OTA job was in Self Test but the platform image state was not. Possible tampering. */
#define kOTA_Err_GenericIngestError      0x27000000UL     /*!< A failure in block ingestion not caused by the PAL. See the error sub code. */
#define kOTA_Err_UserAbort               0x28000000UL     /*!< User aborted the active OTA. */
#define kOTA_Err_ResetNotSupported       0x29000000UL     /*!< We tried to reset the device but the device doesn't support it. */
#define kOTA_Err_TopicTooLarge           0x2a000000UL     /*!< Attempt to build a topic string larger than the supplied buffer. */

/**
 * @brief OTA Job callback events.
 *
 * After an OTA update image is received and authenticated, the agent calls the user
 * callback (set with the OTA_AgentInit API) with the value eOTA_JobEvent_Activate to
 * signal that the device must be rebooted to activate the new image. When the device
 * boots, if the OTA job status is in self test mode, the agent calls the user callback
 * with the value eOTA_JobEvent_StartTest, signaling that any additional self tests
 * should be performed.
 *
 * If the OTA receive fails for any reason, the agent calls the user callback with
 * the value eOTA_JobEvent_Fail instead to allow the user to log the failure and take
 * any action deemed appropriate by the user code.
 *
 * See the OTA_ImageState_t type for more information.
 */
typedef enum
{
    eOTA_JobEvent_Activate = 0,  /*!< OTA receive is authenticated and ready to activate. */
    eOTA_JobEvent_Fail = 1,      /*!< OTA receive failed. Unable to use this update. */
    eOTA_JobEvent_StartTest = 2, /*!< OTA job is now in self test, perform user tests. */
    eOTA_LastJobEvent = eOTA_JobEvent_StartTest
} OTA_JobEvent_t;


/**
 * @brief OTA Image states.
 *
 * After an OTA update image is received and authenticated, it is logically moved to
 * the Self Test state by the OTA agent pending final acceptance. After the image is
 * activated and tested by your user code, you should put it into either the Accepted
 * or Rejected state by calling OTA_SetImageState( eOTA_ImageState_Accepted ) or
 * OTA_SetImageState( eOTA_ImageState_Rejected ). If the image is accepted, it becomes
 * the main firmware image to be booted from then on. If it is rejected, the image is
 * no longer valid and shall not be used, reverting to the last known good image.
 *
 * If you want to abort an active OTA transfer, you may do so by calling the API
 * OTA_SetImageState( eOTA_ImageState_Aborted ).
 */
typedef enum
{
    eOTA_ImageState_Unknown = 0,  /*!< The initial state of the OTA MCU Image. */
    eOTA_ImageState_Testing = 1,  /*!< The state of the OTA MCU Image post successful download and reboot. */
    eOTA_ImageState_Accepted = 2, /*!< The state of the OTA MCU Image post successful download and successful self_test. */
    eOTA_ImageState_Rejected = 3, /*!< The state of the OTA MCU Image when the job has been rejected. */
    eOTA_ImageState_Aborted = 4,  /*!< The state of the OTA MCU Image after a timeout publish to the stream request fails.
                                   *   Also if the OTA MCU image is aborted in the middle of a stream. */
    eOTA_LastImageState = eOTA_ImageState_Aborted
} OTA_ImageState_t;


/**
 * @brief OTA File Context Information.
 *
 * Information about an OTA Update file that is to be streamed. This structure is filled in from a
 * job notification MQTT message. Currently only one file context can be streamed at time.
 */
typedef struct
{
    uint8_t * pucFilePath; /*!< Local file pathname. */
    union
    {
        int32_t lFileHandle;     /*!< Device internal file pointer or handle.
                                  * File type is handle after file is open for write. */
        #if WIN32
            FILE * pxFile;       /*!< File type is stdio FILE structure after file is open for write. */
        #endif
        uint8_t * pucFile;       /*!< File type is RAM/Flash image pointer after file is open for write. */
    };
    TimerHandle_t xRequestTimer; /*!< The request timer associated with this OTA context. */
    uint32_t ulFileSize;         /*!< The size of the file in bytes. */
    uint32_t ulBlocksRemaining;  /*!< How many blocks remain to be received (a code optimization). */
    uint32_t ulFileAttributes;   /*!< Flags specific to the file being received (e.g. secure, bundle, archive). */
    uint32_t ulServerFileID;     /*!< The file is referenced by this numeric ID in the OTA job. */
    uint32_t ulRequestMomentum;  /*!< The number of stream requests published before a response was received. */
    uint8_t * pucJobName;        /*!< The job name associated with this file from the job service. */
    uint8_t * pucStreamName;     /*!< The stream associated with this file from the OTA service. */
    Sig256_t * pxSignature;      /*!< Pointer to the file's signature structure. */
    uint8_t * pucRxBlockBitmap;  /*!< Bitmap of blocks received (for de-duping and missing block request). */
    uint8_t * pucCertFilepath;   /*!< Pathname of the certificate file used to validate the receive file. */
    uint32_t ulUpdaterVersion;   /*!< Used by OTA self-test detection, the version of FW that did the update. */
    bool_t xIsInSelfTest;        /*!< True if the job is in self test mode. */
} OTA_FileContext_t;


/**
 * @brief OTA update complete callback function typedef.
 *
 * The user may register a callback function when initializing the OTA Agent. This
 * callback is used to notify the main application when the OTA update job is complete.
 * Typically, it is used to reset the device after a successful update by calling
 * OTA_ActivateNewImage() and may also be used to kick off user specified self tests
 * during the Self Test phase. If the user does not supply a custom callback function,
 * a default callback handler is used that automatically calls OTA_ActivateNewImage()
 * after a successful update.
 *
 * @note:
 *
 * The callback function is called with one of the following arguments:
 *
 *      eOTA_JobEvent_Activate      OTA update is authenticated and ready to activate.
 *      eOTA_JobEvent_Fail          OTA update failed. Unable to use this update.
 *      eOTA_JobEvent_StartTest     OTA job is now ready for optional user self tests.
 *
 * When eOTA_JobEvent_Activate is received, the job status details have been updated with
 * the state as ready for Self Test. After reboot, the new firmware will (normally) be
 * notified that it is in the Self Test phase via the callback and the application may
 * then optionally run its own tests before committing the new image.
 *
 * If the callback function is called with a result of eOTA_JobEvent_Fail, the OTA update
 * job has failed in some way and should be rejected.
 *
 * @param[in] eEvent An OTA update event from the OTA_JobEvent_t enum.
 */
typedef void (* pxOTACompleteCallback_t)( OTA_JobEvent_t eEvent );

/*---------------------------------------------------------------------------*/
/*								Public API									 */
/*---------------------------------------------------------------------------*/

/**
 * @brief OTA Agent initialization function.
 *
 * Initialize the OTA engine by starting the OTA Agent ("OTA Task") in the system. This function must
 * be called with the MQTT messaging client context before calling OTA_CheckForUpdate(). Only one
 * OTA Agent may exist.
 *
 * @param[in] pvClient The messaging protocol client context (e.g. an MQTT context).
 * @param[in] pucThingName A pointer to a C string holding the Thing name.
 * @param[in] xFunc Static callback function for when an OTA job is complete. This function will have
 * input of the state of the OTA image after download and during self-test.
 * @param[in] xTicksToWait The number of ticks to wait until the OTA Task signals that it is ready.
 * If this is set to zero, then the function will return immediately after creating the OTA task but
 * the OTA task may not be ready to operate yet. The state may be queried with OTA_GetAgentState().
 *
 * @return The state of the OTA Agent upon return from the OTA_State_t enum.
 * If the agent was successfully initialized and ready to operate, the state will be
 * eOTA_AgentState_Ready. Otherwise, it will be one of the other OTA_State_t enum values.
 */
OTA_State_t OTA_AgentInit( void * pvClient,
                           const uint8_t * pucThingName,
                           pxOTACompleteCallback_t xFunc,
                           TickType_t xTicksToWait );

/**
 * @brief Signal to the OTA Agent to shut down.
 *
 * Signals the OTA agent task to shut down. The OTA agent will unsubscribe from all MQTT job
 * notification topics, stop in progress OTA jobs, if any, and clear all resources.
 *
 * @param[in] xTicksToWait The number of ticks to wait for the OTA Agent to complete the shutdown process.
 * If this is set to zero, the function will return immediately without waiting. The actual state is
 * returned to the caller.
 *
 * @return One of the OTA agent states from the OTA_State_t enum.
 * A normal shutdown will return eOTA_AgentState_NotReady. Otherwise, refer to the OTA_State_t enum for details.
 */
OTA_State_t OTA_AgentShutdown( TickType_t xTicksToWait );

/**
 * @brief Get the current state of the OTA agent.
 *
 * @return The current state of the OTA agent.
 */
OTA_State_t OTA_GetAgentState( void );

/**
 * @brief Activate the newest MCU image received via OTA.
 *
 * This function should reset the MCU and cause a reboot of the system to execute the newly updated
 * firmware. It should be called by the user code sometime after the eOTA_JobEvent_Activate event
 * is passed to the users application via the OTA Job Complete Callback mechanism. Refer to the
 * OTA_AgentInit() function for more information about configuring the callback.
 *
 * @return kOTA_Err_None if successful, otherwise an error code prefixed with 'kOTA_Err_' from the
 * list above.
 */
OTA_Err_t OTA_ActivateNewImage( void );

/**
 * @brief Set the state of the current MCU image.
 *
 * The states are eOTA_ImageState_Testing, eOTA_ImageState_Accepted, eOTA_ImageState_Aborted or
 * eOTA_ImageState_Rejected; see OTA_ImageState_t documentation. This will update the status of the
 * current image and publish to the active job status topic.
 *
 * @param[in] The state to set of the OTA image.
 *
 * @return kOTA_Err_None if successful, otherwise an error code prefixed with 'kOTA_Err_' from the
 * list above.
 */
OTA_Err_t OTA_SetImageState( OTA_ImageState_t eState );

/**
 * @brief Get the state of the currently running MCU image.
 *
 * The states are eOTA_ImageState_Testing, eOTA_ImageState_Accepted, eOTA_ImageState_Aborted or
 * eOTA_ImageState_Rejected; see OTA_ImageState_t documentation.
 *
 * @return The state of the current context's OTA image.
 */
OTA_ImageState_t OTA_GetImageState( void );

/* @brief Request for the next available OTA job from the job service via MQTT.
 *
 * @return kOTA_Err_None if successful, otherwise an error code prefixed with 'kOTA_Err_' from the
 * list above.
 */
OTA_Err_t OTA_CheckForUpdate( void );

/*---------------------------------------------------------------------------*/
/*							Statistics API									 */
/*---------------------------------------------------------------------------*/

/**
 * @brief Get the number of OTA message packets received by the OTA agent.
 *
 * @note Calling OTA_AgentInit() will reset this statistic.
 *
 * @return The number of OTA packets that have been received but not
 * necessarily queued for processing by the OTA agent.
 */
uint32_t OTA_GetPacketsReceived( void );

/**
 * @brief Get the number of OTA message packets queued by the OTA agent.
 *
 * @note Calling OTA_AgentInit() will reset this statistic.
 *
 * @return The number of OTA packets that have been queued for processing.
 * This implies there was a free message queue entry so it can be passed
 * to the agent for processing.
 */
uint32_t OTA_GetPacketsQueued( void );

/**
 * @brief Get the number of OTA message packets processed by the OTA agent.
 *
 * @note Calling OTA_AgentInit() will reset this statistic.
 *
 * @return the number of OTA packets that have actually been processed.
 *
 */
uint32_t OTA_GetPacketsProcessed( void );

/**
 * @brief Get the number of OTA message packets dropped by the OTA agent.
 *
 * @note Calling OTA_AgentInit() will reset this statistic.
 *
 * @return the number of OTA packets that have been dropped because
 * of either no queue or at shutdown cleanup.
 */
uint32_t OTA_GetPacketsDropped( void );

#endif /* ifndef _AWS_OTA_AGENT_H_ */