// Copyright (C) Moondance Labs Ltd.

// This file is part of Tanssi.

// Tanssi is free software: you can redistribute it and/or modify

// it under the terms of the GNU General Public License as published by

// the Free Software Foundation, either version 3 of the License, or

// (at your option) any later version.

// Tanssi is distributed in the hope that it will be useful,

// but WITHOUT ANY WARRANTY; without even the implied warranty of

// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

// GNU General Public License for more details.

// You should have received a copy of the GNU General Public License

// along with Tanssi.  If not, see <http://www.gnu.org/licenses/>

//! ExternalValidatorSlashes pallet.

//!

//! A pallet to store slashes based on offences committed by validators

//! Slashes can be cancelled during the DeferPeriod through cancel_deferred_slash

//! Slashes can also be forcedly injected via the force_inject_slash extrinsic

//! Slashes for a particular era are removed after the bondingPeriod has elapsed

//!

//! ## OnOffence trait

//!

//! The pallet also implements the OnOffence trait that reacts to offences being injected by other pallets

//! Invulnerables are not slashed and no slashing information is stored for them

#![cfg_attr(not(feature = "std"), no_std)]

extern crate alloc;

use {

    alloc::{collections::vec_deque::VecDeque, vec, vec::Vec},

    frame_support::{pallet_prelude::*, traits::DefensiveSaturating},

    frame_system::pallet_prelude::*,

    log::log,

    pallet_staking::SessionInterface,

    parity_scale_codec::{Decode, DecodeWithMemTracking, Encode, FullCodec},

    sp_core::H256,

    sp_runtime::{

        traits::{Convert, Debug, One, Saturating, Zero},

        DispatchResult, Perbill,

    },

    sp_staking::{

        offence::{OffenceDetails, OnOffenceHandler},

        EraIndex, SessionIndex,

    },

    tp_traits::{

        apply, derive_storage_traits, EraIndexProvider, ExternalIndexProvider,

        InvulnerablesProvider, OnEraStart,

    },

};

use {

    snowbridge_core::ChannelId,

    tp_bridge::{Command, DeliverMessage, SlashData, TanssiMessage, TicketInfo, ValidateMessage},

};

pub use pallet::*;

#[cfg(test)]

mod mock;

#[cfg(test)]

mod tests;

#[cfg(feature = "runtime-benchmarks")]

mod benchmarking;

pub mod weights;

#[frame_support::pallet]

pub mod pallet {

    use super::*;

    pub use crate::weights::WeightInfo;

    #[pallet::event]

    #[pallet::generate_deposit(pub(super) fn deposit_event)]

    pub enum Event<T: Config> {

        /// Removed author data

        SlashReported {

            validator: T::ValidatorId,

            fraction: Perbill,

            slash_era: EraIndex,

        },

        /// The slashes message was sent correctly.

        SlashesMessageSent {

            message_id: H256,

            slashes_command: Command,

        },

    }

    #[pallet::config]

    pub trait Config: frame_system::Config {

        /// A stable ID for a validator.

        type ValidatorId: Member

            + Parameter

            + MaybeSerializeDeserialize

            + MaxEncodedLen

            + TryFrom<Self::AccountId>;

        /// A conversion from account ID to validator ID.

        type ValidatorIdOf: Convert<Self::AccountId, Option<Self::ValidatorId>>;

        /// Number of eras that slashes are deferred by, after computation.

        ///

        /// This should be less than the bonding duration. Set to 0 if slashes

        /// should be applied immediately, without opportunity for intervention.

        #[pallet::constant]

        type SlashDeferDuration: Get<EraIndex>;

        /// Number of eras that staked funds must remain bonded for.

        #[pallet::constant]

        type BondingDuration: Get<EraIndex>;

        // SlashId type, used as a counter on the number of slashes

        type SlashId: Default

            + FullCodec

            + TypeInfo

            + Copy

            + Clone

            + Debug

            + Eq

            + Saturating

            + One

            + Ord

            + MaxEncodedLen;

        /// Interface for interacting with a session pallet.

        type SessionInterface: SessionInterface<Self::AccountId>;

        /// Era index provider, used to fetch the active era among other things

        type EraIndexProvider: EraIndexProvider;

        /// Invulnerable provider, used to get the invulnerables to know when not to slash

        type InvulnerablesProvider: InvulnerablesProvider<Self::ValidatorId>;

        /// Validate a message that will be sent to Ethereum.

        type ValidateMessage: ValidateMessage;

        /// Send a message to Ethereum. Needs to be validated first.

        type OutboundQueue: DeliverMessage<

            Ticket = <<Self as pallet::Config>::ValidateMessage as ValidateMessage>::Ticket,

        >;

        /// Provider to retrieve the current external index of validators

        type ExternalIndexProvider: ExternalIndexProvider;

        /// How many queued slashes are being processed per block.

        #[pallet::constant]

        type QueuedSlashesProcessedPerBlock: Get<u32>;

        /// The weight information of this pallet.

        type WeightInfo: WeightInfo;

    }

    #[pallet::error]

    pub enum Error<T> {

        /// The era for which the slash wants to be cancelled has no slashes

        EmptyTargets,

        /// No slash was found to be cancelled at the given index

        InvalidSlashIndex,

        /// Slash indices to be cancelled are not sorted or unique

        NotSortedAndUnique,

        /// Provided an era in the future

        ProvidedFutureEra,

        /// Provided an era that is not slashable

        ProvidedNonSlashableEra,

        /// The slash to be cancelled has already elapsed the DeferPeriod

        DeferPeriodIsOver,

        /// There was an error computing the slash

        ErrorComputingSlash,

        /// Failed to validate the message that was going to be sent to Ethereum

        EthereumValidateFail,

        /// Failed to deliver the message to Ethereum

        EthereumDeliverFail,

        /// Invalid params for root_test_send_msg_to_eth

        RootTestInvalidParams,

    }

    #[apply(derive_storage_traits)]

    #[derive(MaxEncodedLen, DecodeWithMemTracking, Default)]

    pub enum SlashingModeOption {

        #[default]

        Enabled,

        LogOnly,

        Disabled,

    }

    #[pallet::pallet]

    pub struct Pallet<T>(PhantomData<T>);

    /// All slashing events on validators, mapped by era to the highest slash proportion

    /// and slash value of the era.

    #[pallet::storage]

    pub(crate) type ValidatorSlashInEra<T: Config> =

        StorageDoubleMap<_, Twox64Concat, EraIndex, Twox64Concat, T::AccountId, Perbill>;

    /// A mapping from still-bonded eras to the first session index of that era.

    ///

    /// Must contains information for eras for the range:

    /// `[active_era - bounding_duration; active_era]`

    #[pallet::storage]

    #[pallet::unbounded]

    pub type BondedEras<T: Config> =

        StorageValue<_, Vec<(EraIndex, SessionIndex, u64)>, ValueQuery>;

    /// A counter on the number of slashes we have performed

    #[pallet::storage]

    #[pallet::getter(fn next_slash_id)]

    pub type NextSlashId<T: Config> = StorageValue<_, T::SlashId, ValueQuery>;

    /// All unapplied slashes that are queued for later.

    #[pallet::storage]

    #[pallet::unbounded]

    #[pallet::getter(fn slashes)]

    pub type Slashes<T: Config> =

        StorageMap<_, Twox64Concat, EraIndex, Vec<Slash<T::AccountId, T::SlashId>>, ValueQuery>;

    /// All unreported slashes that will be processed in the future.

    #[pallet::storage]

    #[pallet::unbounded]

    #[pallet::getter(fn unreported_slashes)]

    pub type UnreportedSlashesQueue<T: Config> =

        StorageValue<_, VecDeque<Slash<T::AccountId, T::SlashId>>, ValueQuery>;

    // Turns slashing on or off

    #[pallet::storage]

    pub type SlashingMode<T: Config> = StorageValue<_, SlashingModeOption, ValueQuery>;

    #[pallet::call]

    impl<T: Config> Pallet<T> {

        /// Cancel a slash that was deferred for a later era

        #[pallet::call_index(0)]

        #[pallet::weight(T::WeightInfo::cancel_deferred_slash(slash_indices.len() as u32))]

        pub fn cancel_deferred_slash(

            origin: OriginFor<T>,

            era: EraIndex,

            slash_indices: Vec<u32>,

            // We need to be in the defer period

            );

            );

            // fetch slashes for the era in which we want to defer

            );

            // Remove elements starting from the highest index to avoid shifting issues.

            // insert back slashes

        }

        #[pallet::call_index(1)]

        #[pallet::weight(T::WeightInfo::force_inject_slash())]

        pub fn force_inject_slash(

            origin: OriginFor<T>,

            era: EraIndex,

            validator: T::AccountId,

            percentage: Perbill,

            external_idx: u64,

            )

            // If we defer duration is 0, we immediately apply and confirm

            } else {

            };

        }

        #[pallet::call_index(2)]

        #[pallet::weight(T::WeightInfo::root_test_send_msg_to_eth())]

        pub fn root_test_send_msg_to_eth(

            origin: OriginFor<T>,

            nonce: H256,

            num_msgs: u32,

            msg_size: u32,

            // Ensure we don't accidentally pass huge params that would stall the chain

            );

                // Make sure each message has a different payload

                // Extend with zeros until msg_size is reached

                // Example command, this should be something like "ReportSlashes"

                // Validate

                // validate the message

                // Ignore fee because for now only root can send messages

                        );

                // Deliver

                    );

            }

        }

        #[pallet::call_index(3)]

        #[pallet::weight(T::WeightInfo::set_slashing_mode())]

        }

    }

    #[pallet::hooks]

    impl<T: Config> Hooks<BlockNumberFor<T>> for Pallet<T> {

    }

}

/// This is intended to be used with `FilterHistoricalOffences`.

impl<T: Config>

    OnOffenceHandler<T::AccountId, pallet_session::historical::IdentificationTuple<T>, Weight>

    for Pallet<T>

where

    T: Config<ValidatorId = <T as frame_system::Config>::AccountId>,

    T: pallet_session::Config<ValidatorId = <T as frame_system::Config>::AccountId>,

    T: pallet_session::historical::Config,

    T::SessionHandler: pallet_session::SessionHandler<<T as frame_system::Config>::AccountId>,

    T::SessionManager: pallet_session::SessionManager<<T as frame_system::Config>::AccountId>,

    <T as pallet::Config>::ValidatorIdOf: Convert<

        <T as frame_system::Config>::AccountId,

        Option<<T as frame_system::Config>::AccountId>,

    >,

{

        // Account reads for active_era and era_to_session_start.

        // Fast path for active-era report - most likely.

        // `slash_session` cannot be in a future active era. It must be in `active_era` or before.

            // Account for get_external_index read.

        } else {

            // Reverse because it's more likely to find reports from recent eras.

            {

                // Before bonding period. defensive - should be filtered out.

            }

        };

            // Skip if the validator is invulnerable.

            // Account for one read and one possible write inside compute_slash.

            );

                // Defer to end of some `slash_defer_duration` from now.

                    slash_fraction,

                    slash_era,

                    active_era,

                );

                    // Cover slash defer duration equal to 0

                    // Slashes are applied at the end of the current era

                } else {

                    // Else, slashes are applied after slash_defer_period since the slashed era

                };

                // Fix unwrap

        }

}

impl<T: Config> OnEraStart for Pallet<T> {

        // This should be small, as slashes are limited by the num of validators

        // let's put 1000 as a conservative measure

        const REMOVE_LIMIT: u32 = 1000;

                // Prune out everything that's from before the first-kept index.

                // Kill slashing metadata.

                            pruned_era

                        );

                }

}

impl<T: Config> Pallet<T> {

    /// Returns number of slashes that were sent to ethereum.

                    // no more slashes to process in the queue

                };

            }

        // Build command with slashes.

        // Validate and deliver the message

            }

            }

        };

}

/// A pending slash record. The value of the slash has been computed but not applied yet,

/// rather deferred for several eras.

#[derive(Encode, Decode, RuntimeDebug, TypeInfo, Clone, PartialEq)]

pub struct Slash<AccountId, SlashId> {

    /// external index identifying a given set of validators

    pub external_idx: u64,

    /// The stash ID of the offending validator.

    pub validator: AccountId,

    /// Reporters of the offence; bounty payout recipients.

    pub reporters: Vec<AccountId>,

    /// The amount of payout.

    pub slash_id: SlashId,

    pub percentage: Perbill,

    // Whether the slash is confirmed or still needs to go through deferred period

    pub confirmed: bool,

}

impl<AccountId, SlashId: One> Slash<AccountId, SlashId> {

    /// Initializes the default object using the given `validator`.

}

/// Computes a slash of a validator and nominators. It returns an unapplied

/// record to be applied at some later point. Slashing metadata is updated in storage,

/// since unapplied records are only rarely intended to be dropped.

///

/// The pending slash record returned does not have initialized reporters. Those have

/// to be set at a higher level, if any.

    // compare slash proportions rather than slash values to avoid issues due to rounding

    // error.

        // we slash based on the max in era - this new event is not the max,

        // so neither the validator or any nominators will need an update.

        //

        // this does lead to a divergence of our system from the paper, which

        // pays out some reward even if the latest report is not max-in-era.

        // we opt to avoid the nominator lookups and edits and leave more rewards

        // for more drastic misbehavior.

    }

/// Check that list is sorted and has no duplicates.