/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "mozilla/dom/cache/PrincipalVerifier.h"

#include "mozilla/AppProcessChecker.h"
#include "mozilla/dom/ContentParent.h"
#include "mozilla/dom/cache/ManagerId.h"
#include "mozilla/ipc/BackgroundParent.h"
#include "mozilla/ipc/PBackgroundParent.h"
#include "mozilla/ipc/BackgroundUtils.h"
#include "nsContentUtils.h"
#include "nsIPrincipal.h"
#include "nsIScriptSecurityManager.h"
#include "nsNetUtil.h"

namespace mozilla {
namespace dom {
namespace cache {

using mozilla::ipc::AssertIsOnBackgroundThread;
using mozilla::ipc::BackgroundParent;
using mozilla::ipc::PBackgroundParent;
using mozilla::ipc::PrincipalInfo;
using mozilla::ipc::PrincipalInfoToPrincipal;

// static
already_AddRefed<PrincipalVerifier>
PrincipalVerifier::CreateAndDispatch(Listener* aListener,
                                     PBackgroundParent* aActor,
                                     const PrincipalInfo& aPrincipalInfo)
{
  // We must get the ContentParent actor from the PBackgroundParent.  This
  // only works on the PBackground thread.
  AssertIsOnBackgroundThread();

  RefPtr<PrincipalVerifier> verifier = new PrincipalVerifier(aListener,
                                                               aActor,
                                                               aPrincipalInfo);

  MOZ_ALWAYS_SUCCEEDS(NS_DispatchToMainThread(verifier));

  return verifier.forget();
}

void
PrincipalVerifier::AddListener(Listener* aListener)
{
  AssertIsOnBackgroundThread();
  MOZ_DIAGNOSTIC_ASSERT(aListener);
  MOZ_ASSERT(!mListenerList.Contains(aListener));
  mListenerList.AppendElement(aListener);
}

void
PrincipalVerifier::RemoveListener(Listener* aListener)
{
  AssertIsOnBackgroundThread();
  MOZ_DIAGNOSTIC_ASSERT(aListener);
  MOZ_ALWAYS_TRUE(mListenerList.RemoveElement(aListener));
}

PrincipalVerifier::PrincipalVerifier(Listener* aListener,
                                     PBackgroundParent* aActor,
                                     const PrincipalInfo& aPrincipalInfo)
  : mActor(BackgroundParent::GetContentParent(aActor))
  , mPrincipalInfo(aPrincipalInfo)
  , mInitiatingThread(NS_GetCurrentThread())
  , mResult(NS_OK)
{
  AssertIsOnBackgroundThread();
  MOZ_DIAGNOSTIC_ASSERT(mInitiatingThread);
  MOZ_DIAGNOSTIC_ASSERT(aListener);

  mListenerList.AppendElement(aListener);
}

PrincipalVerifier::~PrincipalVerifier()
{
  // Since the PrincipalVerifier is a Runnable that executes on multiple
  // threads, its a race to see which thread de-refs us last.  Therefore
  // we cannot guarantee which thread we destruct on.

  MOZ_DIAGNOSTIC_ASSERT(mListenerList.IsEmpty());

  // We should always be able to explicitly release the actor on the main
  // thread.
  MOZ_DIAGNOSTIC_ASSERT(!mActor);
}

NS_IMETHODIMP
PrincipalVerifier::Run()
{
  // Executed twice.  First, on the main thread and then back on the
  // originating thread.

  if (NS_IsMainThread()) {
    VerifyOnMainThread();
    return NS_OK;
  }

  CompleteOnInitiatingThread();
  return NS_OK;
}

void
PrincipalVerifier::VerifyOnMainThread()
{
  MOZ_ASSERT(NS_IsMainThread());

  // No matter what happens, we need to release the actor before leaving
  // this method.
  RefPtr<ContentParent> actor;
  actor.swap(mActor);

  nsresult rv;
  RefPtr<nsIPrincipal> principal = PrincipalInfoToPrincipal(mPrincipalInfo,
                                                              &rv);
  if (NS_WARN_IF(NS_FAILED(rv))) {
    DispatchToInitiatingThread(rv);
    return;
  }

  // We disallow null principal and unknown app IDs on the client side, but
  // double-check here.
  if (NS_WARN_IF(principal->GetIsNullPrincipal() ||
                 principal->GetUnknownAppId())) {
    DispatchToInitiatingThread(NS_ERROR_FAILURE);
    return;
  }

  nsCOMPtr<nsIScriptSecurityManager> ssm = nsContentUtils::GetSecurityManager();
  if (NS_WARN_IF(!ssm)) {
    DispatchToInitiatingThread(NS_ERROR_ILLEGAL_DURING_SHUTDOWN);
    return;
  }

  // Verify if a child process uses system principal, which is not allowed
  // to prevent system principal is spoofed.
  if (NS_WARN_IF(actor && ssm->IsSystemPrincipal(principal))) {
    DispatchToInitiatingThread(NS_ERROR_FAILURE);
    return;
  }

  // Verify that a child process claims to own the app for this principal
  if (NS_WARN_IF(actor && !AssertAppPrincipal(actor, principal))) {
    DispatchToInitiatingThread(NS_ERROR_FAILURE);
    return;
  }
  actor = nullptr;

#ifdef DEBUG
  // Sanity check principal origin by using it to construct a URI and security
  // checking it.  Don't do this for the system principal, though, as its origin
  // is a synthetic [System Principal] string.
  if (!ssm->IsSystemPrincipal(principal)) {
    nsAutoCString origin;
    rv = principal->GetOriginNoSuffix(origin);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      DispatchToInitiatingThread(rv);
      return;
    }
    nsCOMPtr<nsIURI> uri;
    rv = NS_NewURI(getter_AddRefs(uri), origin);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      DispatchToInitiatingThread(rv);
      return;
    }
    rv = principal->CheckMayLoad(uri, false, false);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      DispatchToInitiatingThread(rv);
      return;
    }
  }
#endif

  rv = ManagerId::Create(principal, getter_AddRefs(mManagerId));
  if (NS_WARN_IF(NS_FAILED(rv))) {
    DispatchToInitiatingThread(rv);
    return;
  }

  DispatchToInitiatingThread(NS_OK);
}

void
PrincipalVerifier::CompleteOnInitiatingThread()
{
  AssertIsOnBackgroundThread();
  ListenerList::ForwardIterator iter(mListenerList);
  while (iter.HasMore()) {
    iter.GetNext()->OnPrincipalVerified(mResult, mManagerId);
  }

  // The listener must clear its reference in OnPrincipalVerified()
  MOZ_DIAGNOSTIC_ASSERT(mListenerList.IsEmpty());
}

void
PrincipalVerifier::DispatchToInitiatingThread(nsresult aRv)
{
  MOZ_ASSERT(NS_IsMainThread());

  mResult = aRv;

  // The Cache ShutdownObserver does not track all principal verifiers, so we
  // cannot ensure this always succeeds.  Instead, simply warn on failures.
  // This will result in a new CacheStorage object delaying operations until
  // shutdown completes and the browser goes away.  This is as graceful as
  // we can get here.
  nsresult rv = mInitiatingThread->Dispatch(this, nsIThread::DISPATCH_NORMAL);
  if (NS_FAILED(rv)) {
    NS_WARNING("Cache unable to complete principal verification due to shutdown.");
  }
}

} // namespace cache
} // namespace dom
} // namespace mozilla