# ----------------------------------------------------------------------
#
# ejabberd, Copyright (C) 2002-2017   ProcessOne
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# ----------------------------------------------------------------------

defmodule EjabberdCyrsaslTest do
  @author "pawel@process-one.net"

  use ExUnit.Case, async: true

  setup_all do
    :ok = :ejabberd.start_app(:lager)
    :p1_sha.load_nif()
    :mnesia.start
    :ejabberd_mnesia.start
    :ok = start_module(:stringprep)
    start_module(:jid)
    :ejabberd_hooks.start_link
    :ok = :ejabberd_config.start(["domain1"], [])
    {:ok, _} = :xmpp_sasl.start_link
    cyrstate = :xmpp_sasl.server_new("domain1", "domain1", "domain1", :ok, &get_password/1,
                                   &check_password/3, &check_password_digest/5)
    setup_anonymous_mocks()
    {:ok, cyrstate: cyrstate}
  end

  test "Plain text (correct user and pass)", context do
    step1 = :xmpp_sasl.server_start(context[:cyrstate], "PLAIN", <<0,"user1",0,"pass">>)
    assert {:ok, _} = step1
    {:ok, kv} = step1
    assert kv[:authzid] == "user1", "got correct user"
  end

  test "Plain text (correct user wrong pass)", context do
    step1 = :xmpp_sasl.server_start(context[:cyrstate], "PLAIN", <<0,"user1",0,"badpass">>)
    assert step1 == {:error, :not_authorized, "user1"}
  end

  test "Plain text (wrong user wrong pass)", context do
    step1 = :xmpp_sasl.server_start(context[:cyrstate], "PLAIN", <<0,"nouser1",0,"badpass">>)
    assert step1 == {:error, :not_authorized, "nouser1"}
  end

  test "Anonymous", context do
    step1 = :xmpp_sasl.server_start(context[:cyrstate], "ANONYMOUS", "domain1")
    assert {:ok, _} = step1
  end

  test "Digest-MD5 (correct user and pass)", context do
    assert {:ok, _list} = process_digest_md5(context[:cyrstate], "user1", "domain1", "pass")
  end

  test "Digest-MD5 (correct user wrong pass)", context do
    assert {:error, :not_authorized, "user1"} = process_digest_md5(context[:cyrstate], "user1", "domain1", "badpass")
  end

  test "Digest-MD5 (wrong user correct pass)", context do
    assert {:error, :not_authorized, "baduser"} = process_digest_md5(context[:cyrstate], "baduser", "domain1", "pass")
  end

  test "Digest-MD5 (wrong user and pass)", context do
    assert {:error, :not_authorized, "baduser"} = process_digest_md5(context[:cyrstate], "baduser", "domain1", "badpass")
  end

  defp process_digest_md5(cyrstate, user, domain, pass) do
    assert {:continue, init_str, state1} = :xmpp_sasl.server_start(cyrstate, "DIGEST-MD5", "")
    assert [_, nonce] = Regex.run(~r/nonce="(.*?)"/, init_str)
    digest_uri = "xmpp/#{domain}"
    cnonce = "abcd"
    nc = "00000001"
    response_hash = calc_digest_md5(user, domain, pass, nc, nonce, cnonce)
    response = "username=\"#{user}\",realm=\"#{domain}\",nonce=\"#{nonce}\",cnonce=\"#{cnonce}\"," <>
      "nc=\"#{nc}\",qop=auth,digest-uri=\"#{digest_uri}\",response=\"#{response_hash}\"," <>
      "charset=utf-8,algorithm=md5-sess"
    case :xmpp_sasl.server_step(state1, response) do
      {:continue, _calc_str, state2} -> :xmpp_sasl.server_step(state2, "")
      other -> other
    end
  end

  defp calc_digest_md5(user, domain, pass, nc, nonce, cnonce) do
      digest_uri = "xmpp/#{domain}"
      a0 = "#{user}:#{domain}:#{pass}"
      a1 = "#{str_md5(a0)}:#{nonce}:#{cnonce}"
      a2 = "AUTHENTICATE:#{digest_uri}"
      hex_md5("#{hex_md5(a1)}:#{nonce}:#{nc}:#{cnonce}:auth:#{hex_md5(a2)}")
     end

  defp str_md5(str) do
    :erlang.md5(str)
  end

  defp hex_md5(str) do
    :p1_sha.to_hexlist(:erlang.md5(str))
  end

  defp setup_anonymous_mocks() do
    :meck.unload
    mock(:ejabberd_auth_anonymous, :is_sasl_anonymous_enabled,
      fn (_host) ->
        true
      end)
    mock(:ejabberd_auth, :user_exists,
      fn (user, domain) ->
        domain == "domain1" and get_password(user) != {:false, :internal}
      end)
  end

  defp start_module(module) do
    case apply(module, :start, []) do
      :ok -> :ok
      {:error, {:already_started, _}} -> :ok
      other -> other
    end
  end

  defp get_password(user) do
    if user == "user1" or user == "user2" do
      {"pass", :internal}
    else
      {:false, :internal}
    end
  end

  defp check_password(_user, authzid, pass) do
    case get_password(authzid) do
      {^pass, mod} ->
        {true, mod}
      _ ->
        false
    end
  end

  defp check_password_digest(_user, authzid, _pass, digest, digest_gen) do
    case get_password(authzid) do
      {:false, _} ->
        false
      {spass, mod} ->
        v = digest_gen.(spass)
        if v == digest do
          {true, mod}
        else
          false
        end
    end
  end

  defp mock(module, function, fun) do
    try do
      :meck.new(module, [:non_strict])
    catch
      :error, {:already_started, _pid} -> :ok
    end
    :meck.expect(module, function, fun)
  end
end