// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "device/fido/mac/credential_metadata.h"

#include "device/fido/public_key_credential_user_entity.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "url/gurl.h"

namespace device {
namespace fido {
namespace mac {
namespace {

bool UserEqual(const CredentialMetadata::UserEntity& lhs,
               const CredentialMetadata::UserEntity& rhs) {
  return lhs.id == rhs.id && lhs.name == rhs.name &&
         lhs.display_name == rhs.display_name;
}

base::span<const uint8_t> to_bytes(base::StringPiece in) {
  return base::make_span(reinterpret_cast<const uint8_t*>(in.data()),
                         in.size());
}

class CredentialMetadataTest : public ::testing::Test {
 protected:
  CredentialMetadata::UserEntity DefaultUser() {
    return CredentialMetadata::UserEntity(default_id_, "user", "user@acme.com");
  }

  std::vector<uint8_t> SealCredentialId(CredentialMetadata::UserEntity user) {
    return *CredentialMetadata::SealCredentialId(key_, rp_id_, std::move(user));
  }

  CredentialMetadata::UserEntity UnsealCredentialId(
      base::span<const uint8_t> credential_id) {
    return *CredentialMetadata::UnsealCredentialId(key_, rp_id_, credential_id);
  }

  std::string EncodeRpIdAndUserId(base::StringPiece user_id) {
    return *CredentialMetadata::EncodeRpIdAndUserId(key_, rp_id_,
                                                    to_bytes(user_id));
  }
  std::string EncodeRpId() {
    return *CredentialMetadata::EncodeRpId(key_, rp_id_);
  }

  std::string DecodeRpId(const std::string& ct) {
    return *CredentialMetadata::DecodeRpId(key_, ct);
  }

  std::vector<uint8_t> default_id_ = {0, 1, 2, 3};
  std::string rp_id_ = "acme.com";
  std::string key_ = "supersecretsupersecretsupersecre";
  std::string wrong_key_ = "SUPERsecretsupersecretsupersecre";
};

TEST_F(CredentialMetadataTest, CredentialId) {
  std::vector<uint8_t> id = SealCredentialId(DefaultUser());
  EXPECT_EQ(0, (id)[0]);
  EXPECT_EQ(54u, id.size());
  EXPECT_TRUE(UserEqual(UnsealCredentialId(id), DefaultUser()));
}

TEST_F(CredentialMetadataTest, CredentialId_IsRandom) {
  EXPECT_NE(SealCredentialId(DefaultUser()), SealCredentialId(DefaultUser()));
}

TEST_F(CredentialMetadataTest, CredentialId_FailDecode) {
  const auto id = SealCredentialId(DefaultUser());
  // Flipping a bit in version, nonce, or ciphertext will fail credential
  // decryption.
  for (size_t i = 0; i < id.size(); i++) {
    std::vector<uint8_t> new_id(id);
    new_id[i] = new_id[i] ^ 0x01;
    EXPECT_FALSE(CredentialMetadata::UnsealCredentialId(key_, rp_id_, new_id));
  }
}

TEST_F(CredentialMetadataTest, CredentialId_InvalidRp) {
  std::vector<uint8_t> id = SealCredentialId(DefaultUser());
  // The credential id is authenticated with the RP, thus decryption under a
  // different RP fails.
  EXPECT_FALSE(CredentialMetadata::UnsealCredentialId(key_, "notacme.com", id));
}

TEST_F(CredentialMetadataTest, EncodeRpIdAndUserId) {
  EXPECT_EQ(64u, EncodeRpIdAndUserId("user@acme.com").size())
      << EncodeRpIdAndUserId("user@acme.com");

  EXPECT_EQ(EncodeRpIdAndUserId("user"), EncodeRpIdAndUserId("user"));
  EXPECT_NE(EncodeRpIdAndUserId("userA"), EncodeRpIdAndUserId("userB"));
  EXPECT_NE(EncodeRpIdAndUserId("user"),
            *CredentialMetadata::EncodeRpIdAndUserId(key_, "notacme.com",
                                                     to_bytes("user")));
  EXPECT_NE(EncodeRpIdAndUserId("user"),
            *CredentialMetadata::EncodeRpIdAndUserId(wrong_key_, rp_id_,
                                                     to_bytes("user")));
}

TEST_F(CredentialMetadataTest, EncodeRpId) {
  EXPECT_EQ(48u, EncodeRpId().size());

  EXPECT_EQ(EncodeRpId(), EncodeRpId());
  EXPECT_NE(EncodeRpId(), *CredentialMetadata::EncodeRpId(key_, "notacme.com"));
  EXPECT_NE(EncodeRpId(), *CredentialMetadata::EncodeRpId(wrong_key_, rp_id_));
}

TEST_F(CredentialMetadataTest, DecodeRpId) {
  EXPECT_EQ(rp_id_, DecodeRpId(EncodeRpId()));
  EXPECT_NE(rp_id_,
            *CredentialMetadata::DecodeRpId(
                key_, *CredentialMetadata::EncodeRpId(key_, "notacme.com")));
  EXPECT_FALSE(CredentialMetadata::DecodeRpId(wrong_key_, EncodeRpId()));
}

TEST(CredentialMetadata, GenerateRandomSecret) {
  std::string s1 = CredentialMetadata::GenerateRandomSecret();
  EXPECT_EQ(32u, s1.size());
  std::string s2 = CredentialMetadata::GenerateRandomSecret();
  EXPECT_EQ(32u, s2.size());
  EXPECT_NE(s1, s2);
}

TEST(CredentialMetadata, FromPublicKeyCredentialUserEntity) {
  std::vector<uint8_t> user_id = {{1, 2, 3}};
  PublicKeyCredentialUserEntity in(user_id);
  in.SetUserName("username");
  in.SetDisplayName("display name");
  in.SetIconUrl(GURL("http://rp.foo/user.png"));
  CredentialMetadata::UserEntity out =
      CredentialMetadata::UserEntity::FromPublicKeyCredentialUserEntity(
          std::move(in));
  EXPECT_EQ(user_id, out.id);
  EXPECT_EQ("username", out.name);
  EXPECT_EQ("display name", out.display_name);
}

TEST(CredentialMetadata, ToPublicKeyCredentialUserEntity) {
  std::vector<uint8_t> user_id = {{1, 2, 3}};
  CredentialMetadata::UserEntity in(user_id, "username", "display name");
  PublicKeyCredentialUserEntity out = in.ToPublicKeyCredentialUserEntity();
  EXPECT_EQ(user_id, out.user_id());
  EXPECT_EQ("username", out.user_name().value());
  EXPECT_EQ("display name", out.user_display_name().value());
  EXPECT_FALSE(out.user_icon_url().has_value());
}

}  // namespace
}  // namespace mac
}  // namespace fido
}  // namespace device