// Copyright (c) 2009 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/base/ssl_client_auth_cache.h"

#include "base/time.h"
#include "net/base/x509_certificate.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace net {

TEST(SSLClientAuthCacheTest, LookupAddRemove) {
  SSLClientAuthCache cache;

  base::Time start_date = base::Time::Now();
  base::Time expiration_date = start_date + base::TimeDelta::FromDays(1);

  std::string server1("foo1:443");
  scoped_refptr<X509Certificate> cert1(
      new X509Certificate("foo1", "CA", start_date, expiration_date));

  std::string server2("foo2:443");
  scoped_refptr<X509Certificate> cert2(
      new X509Certificate("foo2", "CA", start_date, expiration_date));

  std::string server3("foo3:443");
  scoped_refptr<X509Certificate> cert3(
    new X509Certificate("foo3", "CA", start_date, expiration_date));

  scoped_refptr<X509Certificate> cached_cert;
  // Lookup non-existent client certificate.
  cached_cert = NULL;
  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));

  // Add client certificate for server1.
  cache.Add(server1, cert1);
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
  EXPECT_EQ(cert1, cached_cert);

  // Add client certificate for server2.
  cache.Add(server2, cert2);
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
  EXPECT_EQ(cert1, cached_cert.get());
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
  EXPECT_EQ(cert2, cached_cert);

  // Overwrite the client certificate for server1.
  cache.Add(server1, cert3);
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
  EXPECT_EQ(cert3, cached_cert);
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
  EXPECT_EQ(cert2, cached_cert);

  // Remove client certificate of server1.
  cache.Remove(server1);
  cached_cert = NULL;
  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
  EXPECT_EQ(cert2, cached_cert);

  // Remove non-existent client certificate.
  cache.Remove(server1);
  cached_cert = NULL;
  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
  EXPECT_EQ(cert2, cached_cert);
}

// Check that if the server differs only by port number, it is considered
// a separate server.
TEST(SSLClientAuthCacheTest, LookupWithPort) {
  SSLClientAuthCache cache;

  base::Time start_date = base::Time::Now();
  base::Time expiration_date = start_date + base::TimeDelta::FromDays(1);

  std::string server1("foo:443");
  scoped_refptr<X509Certificate> cert1(
      new X509Certificate("foo", "CA", start_date, expiration_date));

  std::string server2("foo:8443");
  scoped_refptr<X509Certificate> cert2(
      new X509Certificate("foo", "CA", start_date, expiration_date));

  cache.Add(server1, cert1.get());
  cache.Add(server2, cert2.get());

  scoped_refptr<X509Certificate> cached_cert;
  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
  EXPECT_EQ(cert1.get(), cached_cert);
  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
  EXPECT_EQ(cert2.get(), cached_cert);
}

// Check that the a NULL certificate, indicating the user has declined to send
// a certificate, is properly cached.
TEST(SSLClientAuthCacheTest, LookupNullPreference) {
  SSLClientAuthCache cache;
  base::Time start_date = base::Time::Now();
  base::Time expiration_date = start_date + base::TimeDelta::FromDays(1);

  std::string server1("foo:443");
  scoped_refptr<X509Certificate> cert1(
      new X509Certificate("foo", "CA", start_date, expiration_date));

  cache.Add(server1, NULL);

  scoped_refptr<X509Certificate> cached_cert(cert1);
  // Make sure that |cached_cert| is updated to NULL, indicating the user
  // declined to send a certificate to |server1|.
  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
  EXPECT_EQ(NULL, cached_cert.get());

  // Remove the existing cached certificate.
  cache.Remove(server1);
  cached_cert = NULL;
  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));

  // Add a new preference for a specific certificate.
  cache.Add(server1, cert1);
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
  EXPECT_EQ(cert1, cached_cert);

  // Replace the specific preference with a NULL certificate.
  cache.Add(server1, NULL);
  cached_cert = NULL;
  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
  EXPECT_EQ(NULL, cached_cert.get());
}

// Check that the OnUserCertAdded() method removes all cache entries.
TEST(SSLClientAuthCacheTest, OnUserCertAdded) {
  SSLClientAuthCache cache;
  base::Time start_date = base::Time::Now();
  base::Time expiration_date = start_date + base::TimeDelta::FromDays(1);

  std::string server1("foo:443");
  scoped_refptr<X509Certificate> cert1(
      new X509Certificate("foo", "CA", start_date, expiration_date));

  cache.Add(server1, cert1);

  std::string server2("foo2:443");
  cache.Add(server2, NULL);

  scoped_refptr<X509Certificate> cached_cert;

  // Demonstrate the set up is correct.
  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
  EXPECT_EQ(cert1, cached_cert);

  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
  EXPECT_EQ(NULL, cached_cert.get());

  cache.OnUserCertAdded(NULL);

  // Check that we no longer have entries for either server.
  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));
  EXPECT_FALSE(cache.Lookup(server2, &cached_cert));
}

}  // namespace net