/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim:set ts=2 sw=2 sts=2 et cindent: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "mozilla/dom/MIDIPermissionRequest.h"
#include "mozilla/dom/Document.h"
#include "mozilla/dom/MIDIAccessManager.h"
#include "mozilla/dom/MIDIOptionsBinding.h"
#include "mozilla/ipc/BackgroundChild.h"
#include "mozilla/ipc/PBackgroundChild.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/RandomNum.h"
#include "mozilla/StaticPrefs_dom.h"
#include "nsIGlobalObject.h"
#include "mozilla/Preferences.h"
#include "nsContentUtils.h"

//-------------------------------------------------
// MIDI Permission Requests
//-------------------------------------------------

using namespace mozilla::dom;

NS_IMPL_CYCLE_COLLECTION_INHERITED(MIDIPermissionRequest,
                                   ContentPermissionRequestBase, mPromise)

NS_IMPL_QUERY_INTERFACE_CYCLE_COLLECTION_INHERITED(MIDIPermissionRequest,
                                                   ContentPermissionRequestBase,
                                                   nsIRunnable)

NS_IMPL_ADDREF_INHERITED(MIDIPermissionRequest, ContentPermissionRequestBase)
NS_IMPL_RELEASE_INHERITED(MIDIPermissionRequest, ContentPermissionRequestBase)

MIDIPermissionRequest::MIDIPermissionRequest(nsPIDOMWindowInner* aWindow,
                                             Promise* aPromise,
                                             const MIDIOptions& aOptions)
    : ContentPermissionRequestBase(
          aWindow->GetDoc()->NodePrincipal(), aWindow,
          ""_ns,  // We check prefs in a custom way here
          "midi"_ns),
      mPromise(aPromise),
      mNeedsSysex(aOptions.mSysex) {
  MOZ_ASSERT(aWindow);
  MOZ_ASSERT(aPromise, "aPromise should not be null!");
  MOZ_ASSERT(aWindow->GetDoc());
  mPrincipal = aWindow->GetDoc()->NodePrincipal();
  MOZ_ASSERT(mPrincipal);
}

NS_IMETHODIMP
MIDIPermissionRequest::GetTypes(nsIArray** aTypes) {
  NS_ENSURE_ARG_POINTER(aTypes);
  nsTArray<nsString> options;

  // The previous implementation made no differences between midi and
  // midi-sysex. The check on the SitePermsAddonProvider pref should be removed
  // at the same time as the old implementation.
  if (mNeedsSysex || !StaticPrefs::dom_sitepermsaddon_provider_enabled()) {
    options.AppendElement(u"sysex"_ns);
  }
  return nsContentPermissionUtils::CreatePermissionArray(mType, options,
                                                         aTypes);
}

NS_IMETHODIMP
MIDIPermissionRequest::Cancel() {
  mCancelTimer = nullptr;

  if (StaticPrefs::dom_sitepermsaddon_provider_enabled()) {
    mPromise->MaybeRejectWithSecurityError(
        "WebMIDI requires a site permission add-on to activate");
  } else {
    // This message is used for the initial XPIProvider-based implementation
    // of Site Permissions.
    // It should be removed as part of Bug 1789718.
    mPromise->MaybeRejectWithSecurityError(
        "WebMIDI requires a site permission add-on to activate — see "
        "https://extensionworkshop.com/documentation/publish/"
        "site-permission-add-on/ for details.");
  }
  return NS_OK;
}

NS_IMETHODIMP
MIDIPermissionRequest::Allow(JS::Handle<JS::Value> aChoices) {
  MOZ_ASSERT(aChoices.isUndefined());
  MIDIAccessManager* mgr = MIDIAccessManager::Get();
  mgr->CreateMIDIAccess(mWindow, mNeedsSysex, mPromise);
  return NS_OK;
}

NS_IMETHODIMP
MIDIPermissionRequest::Run() {
  // If the testing flag is true, skip dialog
  if (Preferences::GetBool("midi.prompt.testing", false)) {
    bool allow =
        Preferences::GetBool("media.navigator.permission.disabled", false);
    if (allow) {
      Allow(JS::UndefinedHandleValue);
    } else {
      Cancel();
    }
    return NS_OK;
  }

  nsCString permName = "midi"_ns;
  // The previous implementation made no differences between midi and
  // midi-sysex. The check on the SitePermsAddonProvider pref should be removed
  // at the same time as the old implementation.
  if (mNeedsSysex || !StaticPrefs::dom_sitepermsaddon_provider_enabled()) {
    permName.Append("-sysex");
  }

  // First, check for an explicit allow/deny. Note that we want to support
  // granting a permission on the base domain and then using it on a subdomain,
  // which is why we use the non-"Exact" variants of these APIs. See bug
  // 1757218.
  if (nsContentUtils::IsSitePermAllow(mPrincipal, permName)) {
    Allow(JS::UndefinedHandleValue);
    return NS_OK;
  }

  if (nsContentUtils::IsSitePermDeny(mPrincipal, permName)) {
    CancelWithRandomizedDelay();
    return NS_OK;
  }

  // If the add-on is not installed, and sitepermsaddon provider not enabled,
  // auto-deny (except for localhost).
  if (StaticPrefs::dom_webmidi_gated() &&
      !StaticPrefs::dom_sitepermsaddon_provider_enabled() &&
      !nsContentUtils::HasSitePerm(mPrincipal, permName) &&
      !mPrincipal->GetIsLoopbackHost()) {
    CancelWithRandomizedDelay();
    return NS_OK;
  }

  // If sitepermsaddon provider is enabled and user denied install,
  // auto-deny (except for localhost, where we use a regular permission flow).
  if (StaticPrefs::dom_sitepermsaddon_provider_enabled() &&
      nsContentUtils::IsSitePermDeny(mPrincipal, "install"_ns) &&
      !mPrincipal->GetIsLoopbackHost()) {
    CancelWithRandomizedDelay();
    return NS_OK;
  }

  // Before we bother the user with a prompt, see if they have any devices. If
  // they don't, just report denial.
  MOZ_ASSERT(NS_IsMainThread());
  mozilla::ipc::PBackgroundChild* actor =
      mozilla::ipc::BackgroundChild::GetOrCreateForCurrentThread();
  if (NS_WARN_IF(!actor)) {
    return NS_ERROR_FAILURE;
  }
  RefPtr<MIDIPermissionRequest> self = this;
  actor->SendHasMIDIDevice(
      [=](bool aHasDevices) {
        MOZ_ASSERT(NS_IsMainThread());

        if (aHasDevices) {
          self->DoPrompt();
        } else {
          nsContentUtils::ReportToConsoleNonLocalized(
              u"Silently denying site request for MIDI access because no devices were detected. You may need to restart your browser after connecting a new device."_ns,
              nsIScriptError::infoFlag, "WebMIDI"_ns, mWindow->GetDoc());
          self->CancelWithRandomizedDelay();
        }
      },
      [=](auto) { self->CancelWithRandomizedDelay(); });

  return NS_OK;
}

// If the user has no MIDI devices, we automatically deny the request. To
// prevent sites from using timing attack to discern the existence of MIDI
// devices, we instrument silent denials with a randomized delay between 3
// and 13 seconds, which is intended to model the time the user might spend
// considering a prompt before denying it.
//
// Note that we set the random component of the delay to zero in automation
// to avoid unnecessarily increasing test end-to-end time.
void MIDIPermissionRequest::CancelWithRandomizedDelay() {
  MOZ_ASSERT(NS_IsMainThread());
  uint32_t baseDelayMS = 3 * 1000;
  uint32_t randomDelayMS =
      xpc::IsInAutomation() ? 0 : RandomUint64OrDie() % (10 * 1000);
  auto delay = TimeDuration::FromMilliseconds(baseDelayMS + randomDelayMS);
  RefPtr<MIDIPermissionRequest> self = this;
  NS_NewTimerWithCallback(
      getter_AddRefs(mCancelTimer), [=](auto) { self->Cancel(); }, delay,
      nsITimer::TYPE_ONE_SHOT, __func__);
}

nsresult MIDIPermissionRequest::DoPrompt() {
  if (NS_FAILED(nsContentPermissionUtils::AskPermission(this, mWindow))) {
    Cancel();
    return NS_ERROR_FAILURE;
  }
  return NS_OK;
}