// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/
"use strict";

// Tests that PSM makes the correct determination of the security status of
// loads involving session resumption (i.e. when a TLS handshake bypasses the
// AuthCertificate callback).

do_get_profile();
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

registerCleanupFunction(() => {
  Services.prefs.clearUserPref("security.OCSP.enabled");
});

Services.prefs.setIntPref("security.OCSP.enabled", 1);

addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,");
addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,");

// For expired.example.com, the platform will make a connection that will fail.
// Using information gathered at that point, an override will be added and
// another connection will be made. This connection will succeed. At that point,
// as long as the session cache isn't cleared, subsequent new connections should
// use session resumption, thereby bypassing the AuthCertificate hook. We need
// to ensure that the correct security state is propagated to the new connection
// information object.
function add_resume_non_ev_with_override_test() {
  // This adds the override and makes one successful connection.
  add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);

  // This connects again, using session resumption. Note that we don't clear
  // the TLS session cache between these operations (that would defeat the
  // purpose).
  add_connection_test(
    "expired.example.com",
    PRErrorCodeSuccess,
    null,
    transportSecurityInfo => {
      ok(transportSecurityInfo.resumed, "connection should be resumed");
      ok(
        transportSecurityInfo.securityState &
          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
        "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag"
      );
      equal(
        transportSecurityInfo.succeededCertChain.length,
        0,
        "expired.example.com should not have succeededCertChain set"
      );
      equal(
        transportSecurityInfo.failedCertChain.length,
        2,
        "expired.example.com should have failedCertChain set"
      );
      equal(
        transportSecurityInfo.overridableErrorCategory,
        Ci.nsITransportSecurityInfo.ERROR_TIME,
        "expired.example.com should have time overridable error category"
      );
      ok(
        !transportSecurityInfo.isExtendedValidation,
        "expired.example.com should not have isExtendedValidation set"
      );

      let certOverrideService = Cc[
        "@mozilla.org/security/certoverride;1"
      ].getService(Ci.nsICertOverrideService);
      certOverrideService.clearValidityOverride(
        "expired.example.com",
        8443,
        {}
      );
    }
  );
}

// Helper function that adds a test that connects to ev-test.example.com and
// verifies that it validates as EV (or not, if we're running a non-debug
// build). This assumes that an appropriate OCSP responder is running or that
// good responses are cached.
function add_one_ev_test(resumed) {
  add_connection_test(
    "ev-test.example.com",
    PRErrorCodeSuccess,
    null,
    transportSecurityInfo => {
      equal(
        transportSecurityInfo.resumed,
        resumed,
        "connection should be resumed or not resumed as expected"
      );
      ok(
        !(
          transportSecurityInfo.securityState &
          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN
        ),
        "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag"
      );
      equal(
        transportSecurityInfo.succeededCertChain.length,
        3,
        "ev-test.example.com should have succeededCertChain set"
      );
      equal(
        transportSecurityInfo.failedCertChain.length,
        0,
        "ev-test.example.com should not have failedCertChain set"
      );
      equal(
        transportSecurityInfo.overridableErrorCategory,
        Ci.nsITransportSecurityInfo.ERROR_UNSET,
        "ev-test.example.com should not have an overridable error category"
      );
      ok(
        !gEVExpected || transportSecurityInfo.isExtendedValidation,
        "ev-test.example.com should have isExtendedValidation set " +
          "(or this is a non-debug build)"
      );
    }
  );
}

// This test is similar, except with extended validation. We should connect
// successfully, and the certificate should be EV in debug builds. Without
// clearing the session cache, we should connect successfully again, this time
// with session resumption. The certificate should again be EV in debug builds.
function add_resume_ev_test() {
  const SERVER_PORT = 8888;
  let expectedRequestPaths = ["ev-test"];
  let responseTypes = ["good"];
  // Since we cache OCSP responses, we only ever actually serve one set.
  let ocspResponder;
  // If we don't wrap this in an `add_test`, the OCSP responder will be running
  // while we are actually running unrelated testcases, which can disrupt them.
  add_test(() => {
    ocspResponder = startOCSPResponder(
      SERVER_PORT,
      "localhost",
      "bad_certs",
      expectedRequestPaths,
      expectedRequestPaths.slice(),
      null,
      responseTypes
    );
    run_next_test();
  });
  // We should be able to connect and verify the certificate as EV (in debug
  // builds).
  add_one_ev_test(false);
  // We should be able to connect again (using session resumption). In debug
  // builds, the certificate should be noted as EV. Again, it's important that
  // nothing clears the TLS cache in between these two operations.
  add_one_ev_test(true);

  add_test(() => {
    ocspResponder.stop(run_next_test);
  });
}

const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com";

// Helper function that adds a test that connects to a domain that should
// succeed (but isn't EV) and verifies that its succeededCertChain gets set
// appropriately.
function add_one_non_ev_test() {
  add_connection_test(
    GOOD_DOMAIN,
    PRErrorCodeSuccess,
    null,
    transportSecurityInfo => {
      ok(
        !(
          transportSecurityInfo.securityState &
          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN
        ),
        `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`
      );
      ok(
        transportSecurityInfo.succeededCertChain,
        `${GOOD_DOMAIN} should have succeededCertChain set`
      );
      equal(
        transportSecurityInfo.overridableErrorCategory,
        0,
        `${GOOD_DOMAIN} should not have an overridable error category set`
      );
      ok(
        !transportSecurityInfo.isExtendedValidation,
        `${GOOD_DOMAIN} should not have isExtendedValidation set`
      );
    }
  );
}

// This test is similar, except with non-extended validation. We should connect
// successfully, and the certificate should not be EV. Without clearing the
// session cache, we should connect successfully again, this time with session
// resumption. In this case, though, we want to ensure the succeededCertChain is
// set.
function add_resume_non_ev_test() {
  add_one_non_ev_test();
  add_one_non_ev_test();
}

const statsPtr = getSSLStatistics();
const toInt32 = ctypes.Int64.lo;

// Connect to the same domain with two origin attributes and check if any ssl
// session is resumed.
function add_origin_attributes_test(
  originAttributes1,
  originAttributes2,
  resumeExpected
) {
  add_connection_test(
    GOOD_DOMAIN,
    PRErrorCodeSuccess,
    clearSessionCache,
    null,
    null,
    originAttributes1
  );

  let hitsBeforeConnect;
  let missesBeforeConnect;
  let expectedHits = resumeExpected ? 1 : 0;
  let expectedMisses = 1 - expectedHits;

  add_connection_test(
    GOOD_DOMAIN,
    PRErrorCodeSuccess,
    function () {
      // Add the hits and misses before connection.
      let stats = statsPtr.contents;
      hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits);
      missesBeforeConnect = toInt32(stats.sch_sid_cache_misses);
    },
    function () {
      let stats = statsPtr.contents;
      equal(
        toInt32(stats.sch_sid_cache_hits),
        hitsBeforeConnect + expectedHits,
        "Unexpected cache hits"
      );
      equal(
        toInt32(stats.sch_sid_cache_misses),
        missesBeforeConnect + expectedMisses,
        "Unexpected cache misses"
      );
    },
    null,
    originAttributes2
  );
}

function add_resumption_tests() {
  add_resume_ev_test();
  add_resume_non_ev_test();
  add_resume_non_ev_with_override_test();
  add_origin_attributes_test({}, {}, true);
  add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false);
  add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true);
  add_origin_attributes_test(
    { firstPartyDomain: "foo.com" },
    { firstPartyDomain: "bar.com" },
    false
  );
  add_origin_attributes_test(
    { firstPartyDomain: "baz.com" },
    { firstPartyDomain: "baz.com" },
    true
  );
}

function run_test() {
  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
  add_resumption_tests();
  // Enable external session cache and reset the status.
  add_test(function () {
    Services.prefs.setBoolPref("network.ssl_tokens_cache_enabled", true);
    certdb.clearOCSPCache();
    run_next_test();
  });
  // Do tests again.
  add_resumption_tests();
  run_next_test();
}