// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef DBUS_FILE_DESCRIPTOR_H_
#define DBUS_FILE_DESCRIPTOR_H_

#include "base/memory/scoped_ptr.h"
#include "base/move.h"
#include "dbus/dbus_export.h"

namespace dbus {

// FileDescriptor is a type used to encapsulate D-Bus file descriptors
// and to follow the RAII idiom appropiate for use with message operations
// where the descriptor might be easily leaked.  To guard against this the
// descriptor is closed when an instance is destroyed if it is owned.
// Ownership is asserted only when PutValue is used and TakeValue can be
// used to take ownership.
//
// For example, in the following
//  FileDescriptor fd;
//  if (!reader->PopString(&name) ||
//      !reader->PopFileDescriptor(&fd) ||
//      !reader->PopUint32(&flags)) {
// the descriptor in fd will be closed if the PopUint32 fails.  But
//   writer.AppendFileDescriptor(dbus::FileDescriptor(1));
// will not automatically close "1" because it is not owned.
//
// Descriptors must be validated before marshalling in a D-Bus message
// or using them after unmarshalling.  We disallow descriptors to a
// directory to reduce the security risks.  Splitting out validation
// also allows the caller to do this work on the File thread to conform
// with i/o restrictions.
class CHROME_DBUS_EXPORT FileDescriptor {
  MOVE_ONLY_TYPE_FOR_CPP_03(FileDescriptor);

 public:
  // This provides a simple way to pass around file descriptors since they must
  // be closed on a thread that is allowed to perform I/O.
  struct Deleter {
    void CHROME_DBUS_EXPORT operator()(FileDescriptor* fd);
  };

  // Permits initialization without a value for passing to
  // dbus::MessageReader::PopFileDescriptor to fill in and from int values.
  FileDescriptor() : value_(-1), owner_(false), valid_(false) {}
  explicit FileDescriptor(int value) : value_(value), owner_(false),
      valid_(false) {}

  FileDescriptor(FileDescriptor&& other);

  virtual ~FileDescriptor();

  FileDescriptor& operator=(FileDescriptor&& other);

  // Retrieves value as an int without affecting ownership.
  int value() const;

  // Retrieves whether or not the descriptor is ok to send/receive.
  int is_valid() const { return valid_; }

  // Sets the value and assign ownership.
  void PutValue(int value) {
    value_ = value;
    owner_ = true;
    valid_ = false;
  }

  // Takes the value and ownership.
  int TakeValue();

  // Checks (and records) validity of the file descriptor.
  // We disallow directories to avoid potential sandbox escapes.
  // Note this call must be made on a thread where file i/o is allowed.
  void CheckValidity();

 private:
  void Swap(FileDescriptor* other);

  int value_;
  bool owner_;
  bool valid_;
};

using ScopedFileDescriptor =
    scoped_ptr<FileDescriptor, FileDescriptor::Deleter>;

}  // namespace dbus

#endif  // DBUS_FILE_DESCRIPTOR_H_