// Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// This provides some utility functions to do with chaps isolate support.

#include "chaps/isolate.h"

#include <grp.h>
#include <pwd.h>

#include <string>

#include <base/files/file_path.h>
#include <base/files/file_util.h>
#include <brillo/secure_blob.h>

using base::FilePath;
using brillo::SecureBlob;
using std::string;

namespace chaps {

namespace {

const char kIsolateFilePath[] = "/var/lib/chaps/isolates/";

}  // namespace

IsolateCredentialManager::IsolateCredentialManager() {}

IsolateCredentialManager::~IsolateCredentialManager() {}

bool IsolateCredentialManager::GetCurrentUserIsolateCredential(
    SecureBlob* isolate_credential) {
  CHECK(isolate_credential);

  const uid_t uid = getuid();
  long buf_len = sysconf(_SC_GETPW_R_SIZE_MAX);  // NOLINT(runtime/int)
  if (buf_len < 0)
    buf_len = 4096;
  passwd pwd_buf;
  passwd* pwd = nullptr;
  std::vector<char> buf(buf_len);
  if (getpwuid_r(uid, &pwd_buf, buf.data(), buf_len, &pwd) || !pwd) {
    PLOG(ERROR) << "Failed to get user information for current user.";
    return false;
  }

  return GetUserIsolateCredential(pwd->pw_name, isolate_credential);
}

bool IsolateCredentialManager::GetUserIsolateCredential(
    const string& user, SecureBlob* isolate_credential) {
  CHECK(isolate_credential);

  string credential_string;
  const FilePath credential_file = FilePath(kIsolateFilePath).Append(user);
  if (!base::PathExists(credential_file) ||
      !base::ReadFileToString(credential_file, &credential_string)) {
    LOG(INFO) << "Failed to find or read isolate credential for user " << user;
    return false;
  }
  const SecureBlob new_isolate_credential(credential_string);
  if (new_isolate_credential.size() != kIsolateCredentialBytes) {
    LOG(ERROR) << "Isolate credential invalid for user " << user;
    return false;
  }

  *isolate_credential = new_isolate_credential;
  return true;
}

bool IsolateCredentialManager::SaveIsolateCredential(
    const string& user, const SecureBlob& isolate_credential) {
  CHECK_EQ(kIsolateCredentialBytes, isolate_credential.size());

  // Look up user information.
  long buf_len = sysconf(_SC_GETPW_R_SIZE_MAX);  // NOLINT(runtime/int)
  if (buf_len < 0)
    buf_len = 4096;
  passwd pwd_buf;
  passwd* pwd = nullptr;
  std::vector<char> buf(buf_len);
  if (getpwnam_r(user.c_str(), &pwd_buf, buf.data(), buf_len, &pwd) || !pwd) {
    LOG(ERROR) << "Failed to get user information.";
    return false;
  }

  // Write the isolate credential file.
  const FilePath isolate_cred_file = FilePath(kIsolateFilePath).Append(user);
  int bytes_written =
      base::WriteFile(isolate_cred_file,
                      reinterpret_cast<const char*>(isolate_credential.data()),
                      kIsolateCredentialBytes);
  if (bytes_written != static_cast<int>(kIsolateCredentialBytes)) {
    LOG(ERROR) << "Failed to create isolate file for user " << user;
    return false;
  }

  // Change permissions to be readable by (and only by) the user.
  if (chmod(isolate_cred_file.value().c_str(), S_IRUSR)) {
    LOG(ERROR) << "Failed to change permissions of isolate file.";
    return false;
  }
  if (chown(isolate_cred_file.value().c_str(), pwd->pw_uid, pwd->pw_gid)) {
    LOG(ERROR) << "Failed to change ownership of isolate file.";
    return false;
  }

  return true;
}

}  // namespace chaps