// Ensure the server counts the server TLS versions used
import {
    detectDefaultTLSProtocol,
    sslProviderSupportsTLS1_0,
    sslProviderSupportsTLS1_1,
} from "jstests/ssl/libs/ssl_helpers.js";

let SERVER_CERT = "jstests/libs/server.pem";
let CLIENT_CERT = "jstests/libs/client.pem";
let CA_CERT = "jstests/libs/ca.pem";

const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"];

// First, figure out what protocol our local TLS stack wants to speak.
// We're going to observe a connection of this type from the testrunner.
const expectedDefaultProtocol = detectDefaultTLSProtocol();
print("Expected default protocol: " + expectedDefaultProtocol);

function runTestWithoutSubset(client) {
    print("Running test: " + client);
    let disabledProtocols = protocols.slice();
    let expectedCounts = [0, 0, 0, 0, 0];
    expectedCounts[protocols.indexOf(expectedDefaultProtocol)] = 1;
    let index = disabledProtocols.indexOf(client);
    disabledProtocols.splice(index, 1);
    expectedCounts[index] += 1;
    print(tojson(expectedCounts));

    const conn = MongoRunner.runMongod({
        tlsMode: "allowTLS",
        tlsCertificateKeyFile: SERVER_CERT,
        tlsDisabledProtocols: "none",
        useLogFiles: true,
        tlsLogVersions: "TLS1_0,TLS1_1,TLS1_2,TLS1_3",
        tlsCAFile: CA_CERT,
    });

    const exitStatus = runMongoProgram(
        "mongo",
        "--tls",
        "--tlsAllowInvalidHostnames",
        "--tlsCertificateKeyFile",
        CLIENT_CERT,
        "--tlsCAFile",
        CA_CERT,
        "--port",
        conn.port,
        "--tlsDisabledProtocols",
        disabledProtocols.join(","),
        "--eval",
        // The Javascript string "1.0" is implicitly converted to the
        // Number(1) Workaround this with parseFloat
        "one = Number.parseFloat(1).toPrecision(2); a = {};" +
            "a[one] = NumberLong(" +
            expectedCounts[0] +
            ");" +
            'a["1.1"] = NumberLong(' +
            expectedCounts[1] +
            ");" +
            'a["1.2"] = NumberLong(' +
            expectedCounts[2] +
            ");" +
            'a["1.3"] = NumberLong(' +
            expectedCounts[3] +
            ");" +
            'a["unknown"] = NumberLong(' +
            expectedCounts[4] +
            ");" +
            "assert.eq(db.serverStatus().transportSecurity, a);",
    );

    if (expectedDefaultProtocol === "TLS1_2" && client === "TLS1_3") {
        // If the runtime environment does not support TLS 1.3, a client cannot connect to a
        // server if TLS 1.3 is its only usable protocol version.
        assert.neq(0, exitStatus, "A client which does not support TLS 1.3 should not be able to connect with it");
        MongoRunner.stopMongod(conn);
        return;
    }

    assert.eq(0, exitStatus, "");

    print(`Checking ${conn.fullOptions.logFile} for TLS version message`);
    const log = cat(conn.fullOptions.logFile);

    const lines = log.split("\n");
    let found = false;
    for (let logMsg of lines) {
        if (!logMsg) {
            continue;
        }
        const logJson = JSON.parse(logMsg);
        if (
            logJson.id === 23218 &&
            /1\.\d/.test(logJson.attr.tlsVersion) &&
            /127.0.0.1:\d+/.test(logJson.attr.remoteHost)
        ) {
            found = true;
            break;
        }
    }
    assert(
        found,
        "'Accepted connection with TLS Version' log line missing in log file!\n" +
            "Log file contents: " +
            conn.fullOptions.logFile +
            "\n************************************************************\n" +
            log +
            "\n************************************************************",
    );

    MongoRunner.stopMongod(conn);
}
if (sslProviderSupportsTLS1_0()) {
    runTestWithoutSubset("TLS1_0");
}
if (sslProviderSupportsTLS1_1()) {
    runTestWithoutSubset("TLS1_1");
}
runTestWithoutSubset("TLS1_2");
runTestWithoutSubset("TLS1_3");