// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CONTENT_BROWSER_PRIVATE_AGGREGATION_PRIVATE_AGGREGATION_HOST_H_
#define CONTENT_BROWSER_PRIVATE_AGGREGATION_PRIVATE_AGGREGATION_HOST_H_

#include <stddef.h>
#include <stdint.h>

#include <optional>
#include <string>
#include <vector>

#include "base/functional/callback.h"
#include "base/memory/raw_ref.h"
#include "base/numerics/safe_conversions.h"
#include "base/time/time.h"
#include "base/timer/elapsed_timer.h"
#include "content/browser/aggregation_service/aggregatable_report.h"
#include "content/browser/private_aggregation/private_aggregation_budget_key.h"
#include "content/browser/private_aggregation/private_aggregation_budgeter.h"
#include "content/browser/private_aggregation/private_aggregation_caller_api.h"
#include "content/browser/private_aggregation/private_aggregation_pending_contributions.h"
#include "content/common/content_export.h"
#include "mojo/public/cpp/bindings/pending_receiver.h"
#include "mojo/public/cpp/bindings/receiver_set.h"
#include "third_party/blink/public/common/shared_storage/shared_storage_utils.h"
#include "third_party/blink/public/mojom/private_aggregation/private_aggregation_host.mojom.h"

namespace base {
class ElapsedTimer;
class Uuid;
}  // namespace base
namespace url {
class Origin;
}  // namespace url

namespace content {

class AggregatableReportRequest;
class BrowserContext;

// UI thread class responsible for implementing the mojo interface used by
// worklets and renderers to request reports be sent and maintaining the
// receiver set for this interface. It is responsible for validating the
// messages received and then passing them on for budget approval.
class CONTENT_EXPORT PrivateAggregationHost
    : public blink::mojom::PrivateAggregationHost {
 public:
  // These values are persisted to logs. Entries should not be renumbered and
  // numeric values should never be reused.
  enum class PipeResult {
    kReportSuccess = 0,
    kReportSuccessButTruncatedDueToTooManyContributions = 1,
    kNoReportButNoError = 2,
    kApiDisabledInSettings = 3,
    kEnableDebugModeCalledMultipleTimes = 4,
    kNegativeValue = 5,
    kFilteringIdInvalid = 6,
    kNecessaryFeatureNotEnabled = 7,
    kMaxValue = kNecessaryFeatureNotEnabled,
  };

  // These values are persisted to logs. Entries should not be renumbered and
  // numeric values should never be reused.
  enum class TimeoutResult {
    kOccurredBeforeRemoteDisconnection = 0,
    kOccurredAfterRemoteDisconnection = 1,
    kCanceledDueToError = 2,
    kStillScheduledOnShutdown = 3,

    kMaxValue = kStillScheduledOnShutdown,
  };

  // These values are persisted to logs. Entries should not be renumbered and
  // numeric values should never be reused.
  enum class FilteringIdStatus {
    kNoFilteringIdWithDefaultMaxBytes = 0,
    kFilteringIdProvidedWithDefaultMaxBytes = 1,
    kNoFilteringIdWithCustomMaxBytes = 2,
    kFilteringIdProvidedWithCustomMaxBytes = 3,

    kMaxValue = kFilteringIdProvidedWithCustomMaxBytes,
  };

  // Indicates the desired behavior when a report has no contributions, such as
  // when budget is denied or `contributeToHistogram()` was not called.
  enum class NullReportBehavior {
    // Still send a report, but without any contributions.
    kSendNullReport,

    // Drop the report.
    kDontSendReport,
  };

  using ReportRequestGenerator = base::OnceCallback<AggregatableReportRequest(
      std::vector<blink::mojom::AggregatableReportHistogramContribution>)>;

  // Version string for the reports generated by this API.
  static constexpr char kApiReportVersion[] = "1.0";

  static constexpr size_t kDefaultFilteringIdMaxBytes = 1;

  // The maximum allowed context_id string length.
  static constexpr int kMaxContextIdLength = 64;
  static_assert(kMaxContextIdLength ==
                    blink::kPrivateAggregationApiContextIdMaxLength,
                "Maximum length of context_id should be aligned between Shared "
                "Storage and Private Aggregation.");

  // The duration of time that `SendReportOnTimeoutOrDisconnect()`
  // unconditionally adds to the scheduled report time. Marked public for
  // testing.
  static constexpr base::TimeDelta kTimeForLocalProcessing =
      base::Milliseconds(100);

  // Returns the effective maximum number of contributions that can go in an
  // `AggregatableReport` after merging. The `requested_max_contributions`
  // parameter comes from the web-visible `maxContributions` field.
  //
  // This method is marked public for testing; this enables golden report
  // unittests to match the browser's actual behavior.
  static base::StrictNumeric<size_t> GetEffectiveMaxContributions(
      PrivateAggregationCallerApi caller_api,
      std::optional<size_t> requested_max_contributions);

  // `on_report_request_details_received` and `browser_context` must be
  // non-null.
  PrivateAggregationHost(
      base::RepeatingCallback<
          void(ReportRequestGenerator,
               PrivateAggregationPendingContributions::Wrapper,
               PrivateAggregationBudgetKey,
               NullReportBehavior)> on_report_request_details_received,
      BrowserContext* browser_context);
  PrivateAggregationHost(const PrivateAggregationHost&) = delete;
  PrivateAggregationHost& operator=(const PrivateAggregationHost&) = delete;
  ~PrivateAggregationHost() override;

  // See `PrivateAggregationManager::BindNewReceiver()`.
  [[nodiscard]] virtual bool BindNewReceiver(
      url::Origin worklet_origin,
      url::Origin top_frame_origin,
      PrivateAggregationCallerApi caller_api,
      std::optional<std::string> context_id,
      std::optional<base::TimeDelta> timeout,
      std::optional<url::Origin> aggregation_coordinator_origin,
      size_t filtering_id_max_bytes,
      std::optional<size_t> max_contributions,
      mojo::PendingReceiver<blink::mojom::PrivateAggregationHost>
          pending_receiver);

  bool IsDebugModeAllowed(const url::Origin& top_frame_origin,
                          const url::Origin& reporting_origin);

  // blink::mojom::PrivateAggregationHost:
  void ContributeToHistogram(
      std::vector<blink::mojom::AggregatableReportHistogramContributionPtr>
          contribution_ptrs) override;
  void ContributeToHistogramOnEvent(
      blink::mojom::PrivateAggregationErrorEvent error_event,
      std::vector<blink::mojom::AggregatableReportHistogramContributionPtr>
          contribution_ptrs) override;
  void EnableDebugMode(blink::mojom::DebugKeyPtr debug_key) override;

  void FlushReceiverSetForTesting() { receiver_set_.FlushForTesting(); }

 private:
  friend class PrivateAggregationReportGoldenLatestVersionTest;

  struct ReceiverContext;

  static AggregatableReportRequest GenerateReportRequest(
      base::ElapsedTimer timeout_or_disconnect_timer,
      blink::mojom::DebugModeDetailsPtr debug_mode_details,
      base::Time scheduled_report_time,
      AggregatableReportRequest::DelayType delay_type,
      base::Uuid report_id,
      const url::Origin& reporting_origin,
      PrivateAggregationCallerApi caller_api,
      std::optional<std::string> context_id,
      std::optional<url::Origin> aggregation_coordinator_origin,
      size_t specified_filtering_id_max_bytes,
      size_t max_contributions,
      std::vector<blink::mojom::AggregatableReportHistogramContribution>
          contributions);

  void CloseCurrentPipe(PipeResult pipe_result);

  void OnTimeoutBeforeDisconnect(mojo::ReceiverId id);

  void OnReceiverDisconnected();

  void SendReportOnTimeoutOrDisconnect(
      ReceiverContext& current_context,
      base::TimeDelta remaining_timeout,
      PrivateAggregationPendingContributions::TimeoutOrDisconnect
          timeout_or_disconnect);

  // Performs shared validation for `ContributeToHistogram()` and
  // `ContributeToHistogramOnEvent()` calls.
  bool ValidateContributeCall(
      const std::vector<
          blink::mojom::AggregatableReportHistogramContributionPtr>&
          contribution_ptrs);

  // Set iff the private aggregation developer mode is set.
  bool should_not_delay_reports_;

  base::RepeatingCallback<void(ReportRequestGenerator,
                               PrivateAggregationPendingContributions::Wrapper,
                               PrivateAggregationBudgetKey,
                               NullReportBehavior)>
      on_report_request_details_received_;

  mojo::ReceiverSet<blink::mojom::PrivateAggregationHost, ReceiverContext>
      receiver_set_;

  // `this` is indirectly owned by the StoragePartitionImpl, which itself is
  // owned by `browser_context_`.
  raw_ref<BrowserContext> browser_context_;
};

}  // namespace content

#endif  // CONTENT_BROWSER_PRIVATE_AGGREGATION_PRIVATE_AGGREGATION_HOST_H_