# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.


# Updater
# ==============================================================
@depends(build_project, target)
def updater_default(build_project, target):
    if build_project == "tools/update-programs":
        return True
    return build_project != "mobile/android" and target.os != "iOS"


option(
    "--enable-updater",
    default=updater_default,
    help="{Enable|Disable} building the updater",
)

set_config("MOZ_UPDATER", True, when="--enable-updater")
set_define("MOZ_UPDATER", True, when="--enable-updater")

# Updates that do not verify signatures
# ==============================================================

option(
    "--enable-unverified-updates",
    default=False,
    help="Enable application update without verifying MAR or updater binary signatures",
)


@depends("--enable-unverified-updates", "--enable-compile-environment")
def disable_unverified_updates(unverified_updates, compile_environment):
    if unverified_updates:
        if not compile_environment:
            die("--enable-unverified-updates requires --enable-compile-environment")
    return not unverified_updates


set_define(
    "MOZ_VERIFY_MAR_SIGNATURE",
    depends_if(disable_unverified_updates)(lambda _: True),
)
set_config(
    "MOZ_VERIFY_MAR_SIGNATURE",
    True,
    depends_if(disable_unverified_updates)(lambda _: True),
)

set_config(
    "DISABLE_UPDATER_AUTHENTICODE_CHECK",
    True,
    depends_if("--enable-unverified-updates")(lambda _: True),
)

# Mac elevated updates without production signing
# ==============================================================

option(
    "--enable-mac-elevated-updates-with-generic-certs",
    when=target_is_osx,
    default=False,
    help="Allow local developer-signed builds to perform elevated updates on macOS",
)


def mac_prod_requirements_string(identifier):
    return (
        f'identifier "{identifier}" and anchor apple generic and '
        "certificate 1[field.1.2.840.113635.100.6.2.6] and "
        "certificate leaf[field.1.2.840.113635.100.6.1.13] and "
        'certificate leaf[subject.OU] = "43AQ936H96"'
    )


def mac_relaxed_requirements_string(identifier):
    return f'identifier "{identifier}" and anchor apple generic'


@depends("--enable-mac-elevated-updates-with-generic-certs", when=target_is_osx)
def smauthorizedclients_requirements(enabled):
    bundle_id_env_var = "$(MOZ_MACBUNDLE_ID)"
    if enabled:
        return mac_relaxed_requirements_string(bundle_id_env_var)
    else:
        return mac_prod_requirements_string(bundle_id_env_var)


set_config("MOZ_SMAUTHORIZEDCLIENTS_REQUIREMENTS", smauthorizedclients_requirements)


@depends("--enable-mac-elevated-updates-with-generic-certs", when=target_is_osx)
def smprivilegedexec_requirements(enabled):
    updater_id = "org.mozilla.updater"
    if enabled:
        return mac_relaxed_requirements_string(updater_id)
    else:
        return mac_prod_requirements_string(updater_id)


set_config("MOZ_SMPRIVILEGEDEXECUTABLES_REQUIREMENTS", smprivilegedexec_requirements)

# MAR channel ID configuration
# ==============================================================

option(env="MAR_CHANNEL_ID", nargs=1, help="MAR channel identifier")

set_config(
    "MAR_CHANNEL_ID",
    depends_if("MAR_CHANNEL_ID")(lambda channel: channel[0]),
)

option(
    env="ACCEPTED_MAR_CHANNEL_IDS", nargs="+", help="Accepted MAR channel identifiers"
)

set_config(
    "ACCEPTED_MAR_CHANNEL_IDS",
    depends_if("ACCEPTED_MAR_CHANNEL_IDS")(lambda channels: ",".join(channels)),
)

# Use NSS for MAR signatures even on platforms where system libraries are
# supported (currently Windows and macOS).
# ==============================================================

can_toggle_nss_mar = target_is_windows | target_is_osx

option(
    "--enable-nss-mar",
    when=can_toggle_nss_mar,
    help="Enable using NSS to check MAR signatures instead of system crypto",
)


@depends(
    depends("--enable-nss-mar", when=can_toggle_nss_mar)(lambda x: x),
    can_toggle_nss_mar,
)
def enable_nss_mar(enabled, can_toggle_nss_mar):
    return enabled or not can_toggle_nss_mar


set_config("MOZ_USE_NSS_FOR_MAR", True, when=enable_nss_mar)

# Maintenance service (Windows only)
# ==============================================================


@depends("--enable-updater")
def maintenance_service_default(updater):
    return bool(updater)


option(
    "--enable-maintenance-service",
    when=target_is_windows,
    default=maintenance_service_default,
    help="{Enable|Disable} building of maintenance service",
)

set_define(
    "MOZ_MAINTENANCE_SERVICE",
    depends_if("--enable-maintenance-service", when=target_is_windows)(lambda _: True),
)
set_config(
    "MOZ_MAINTENANCE_SERVICE",
    depends_if("--enable-maintenance-service", when=target_is_windows)(lambda _: True),
)


@depends("--enable-maintenance-service", "--enable-updater", when=target_is_windows)
def check_maintenance_service(mainteance_service, updater):
    if mainteance_service and not updater:
        die("--enable-updater is required to --enable-maintenance-service")
    return mainteance_service


# Update agent (currently Windows and macOS only)
# This is an independent task that runs on a schedule to
# check for, download, and install updates.
# ==============================================================


@depends("--enable-backgroundtasks", "--enable-updater", build_project)
def update_agent_default(backgroundtasks, updater, build_project):
    return bool(backgroundtasks) and bool(updater) and build_project == "browser"


option(
    "--disable-update-agent",
    when=target_is_windows | target_is_osx,
    default=update_agent_default,
    help="{Enable|Disable} building update agent",
)

set_config(
    "MOZ_UPDATE_AGENT",
    depends_if("--enable-update-agent", when=target_is_windows | target_is_osx)(
        lambda _: True
    ),
)


@depends(
    "--enable-update-agent",
    "--enable-backgroundtasks",
    "--enable-updater",
    when=target_is_windows | target_is_osx,
)
def check_update_agent(update_agent, backgroundtasks, updater):
    if update_agent and not backgroundtasks:
        die("--enable-backgroundtasks is required to --enable-update-agent")
    if update_agent and not updater:
        die("--enable-updater is required to --enable-update-agent")
    return update_agent


# Enable or disable the default browser agent, which monitors the user's default
# browser setting on Windows.
# ==============================================================================


@depends(target, build_project)
def default_browser_agent_default(target, build_project):
    return target.os == "WINNT" and build_project == "browser"


option(
    "--enable-default-browser-agent",
    default=default_browser_agent_default,
    help="{Enable|Disable} building the default browser agent",
)


@depends("--enable-default-browser-agent", when=target_is_windows)
def default_agent_flag(enabled):
    if enabled:
        return True


set_config("MOZ_DEFAULT_BROWSER_AGENT", default_agent_flag)


# Enable or disable the notification server, which allows Windows native
# notifications to persist when the application is not running and relaunch as
# necessary.
# ==============================================================================
@depends(target, build_project)
def notification_server_default(target, build_project):
    return target.os == "WINNT" and build_project in (
        "browser",
        "comm/mail",
    )


option(
    "--disable-notification-server",
    when=notification_server_default,
    help="Disable building the notification server",
)

set_config("MOZ_NOTIFICATION_SERVER", True, when="--enable-notification-server")