// Copyright 2023 The Pigweed Authors
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.

#include "pw_bluetooth_sapphire/internal/host/att/permissions.h"

namespace bt::att {
namespace {

fit::result<ErrorCode> CheckSecurity(const AccessRequirements& reqs,
                                     const sm::SecurityProperties& security) {
  if (reqs.encryption_required() &&
      security.level() < sm::SecurityLevel::kEncrypted) {
    // If the peer is bonded but the link is not encrypted the "Insufficient
    // Encryption" error should be sent. Our GAP layer always keeps the link
    // encrypted so the authentication procedure needs to fail during
    // connection. We don't distinguish this from the un-paired state.
    // (NOTE: It is possible for the link to be authenticated without encryption
    // in LE Security Mode 2, which we do not support).
    return fit::error(ErrorCode::kInsufficientAuthentication);
  }

  if ((reqs.authentication_required() || reqs.authorization_required()) &&
      security.level() < sm::SecurityLevel::kAuthenticated) {
    return fit::error(ErrorCode::kInsufficientAuthentication);
  }

  if (reqs.encryption_required() &&
      security.enc_key_size() < reqs.min_enc_key_size()) {
    return fit::error(ErrorCode::kInsufficientEncryptionKeySize);
  }

  return fit::ok();
}

}  // namespace

fit::result<ErrorCode> CheckReadPermissions(
    const AccessRequirements& reqs, const sm::SecurityProperties& security) {
  if (!reqs.allowed()) {
    return fit::error(ErrorCode::kReadNotPermitted);
  }
  return CheckSecurity(reqs, security);
}

fit::result<ErrorCode> CheckWritePermissions(
    const AccessRequirements& reqs, const sm::SecurityProperties& security) {
  if (!reqs.allowed()) {
    return fit::error(ErrorCode::kWriteNotPermitted);
  }
  return CheckSecurity(reqs, security);
}

}  // namespace bt::att