// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "components/enterprise/browser/controller/browser_dm_token_storage.h"

#include <stddef.h>

#include <algorithm>
#include <memory>
#include <string>
#include <utility>

#include "base/base64.h"
#include "base/functional/bind.h"
#include "base/functional/callback.h"
#include "base/functional/callback_helpers.h"
#include "base/logging.h"
#include "base/no_destructor.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "base/syslog_logging.h"
#include "build/build_config.h"
#include "components/enterprise/browser/controller/chrome_browser_cloud_management_controller.h"
#include "components/policy/core/common/policy_logger.h"

namespace policy {

namespace {

constexpr char kInvalidTokenValue[] = "INVALID_DM_TOKEN";

DMToken CreateValidToken(const std::string& dm_token) {
  DCHECK_NE(dm_token, kInvalidTokenValue);
  DCHECK(!dm_token.empty());
  return DMToken::CreateValidToken(dm_token);
}

DMToken CreateInvalidToken() {
  return DMToken::CreateInvalidToken();
}

DMToken CreateEmptyToken() {
  return DMToken::CreateEmptyToken();
}

}  // namespace

// static
BrowserDMTokenStorage* BrowserDMTokenStorage::storage_for_testing_ = nullptr;

BrowserDMTokenStorage* BrowserDMTokenStorage::Get() {
  if (storage_for_testing_)
    return storage_for_testing_;

  static base::NoDestructor<BrowserDMTokenStorage> storage;
  return storage.get();
}

// static
void BrowserDMTokenStorage::SetDelegate(std::unique_ptr<Delegate> delegate) {
  auto* storage = BrowserDMTokenStorage::Get();

  if (!delegate || storage->delegate_) {
    return;
  }

  BrowserDMTokenStorage::Get()->delegate_ = std::move(delegate);
}

BrowserDMTokenStorage::BrowserDMTokenStorage() : dm_token_(CreateEmptyToken()) {
  DETACH_FROM_SEQUENCE(sequence_checker_);

  // We don't call InitIfNeeded() here so that the global instance can be
  // created early during startup if needed. The tokens and client ID are read
  // from the system as part of the first retrieve or store operation.
}

BrowserDMTokenStorage::~BrowserDMTokenStorage() {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
}

std::string BrowserDMTokenStorage::RetrieveClientId() {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);

  InitIfNeeded();
  return client_id_;
}

std::string BrowserDMTokenStorage::RetrieveEnrollmentToken() {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);

  InitIfNeeded();
  return enrollment_token_;
}

void BrowserDMTokenStorage::StoreDMToken(const std::string& dm_token,
                                         StoreCallback callback) {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
  DCHECK(!store_callback_);
  InitIfNeeded();

  store_callback_ = std::move(callback);

  if (dm_token.empty()) {
    dm_token_ = CreateEmptyToken();
    DeleteDMToken();
  } else if (dm_token == kInvalidTokenValue) {
    dm_token_ = CreateInvalidToken();
    SaveDMToken(kInvalidTokenValue);
  } else {
    dm_token_ = CreateValidToken(dm_token);
    SaveDMToken(dm_token_.value());
  }
}

void BrowserDMTokenStorage::InvalidateDMToken(StoreCallback callback) {
  StoreDMToken(kInvalidTokenValue, std::move(callback));
}

void BrowserDMTokenStorage::ClearDMToken(StoreCallback callback) {
  StoreDMToken("", std::move(callback));
}

DMToken BrowserDMTokenStorage::RetrieveDMToken() {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);

  InitIfNeeded();
  return dm_token_;
}

void BrowserDMTokenStorage::OnDMTokenStored(bool success) {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
  DCHECK(store_callback_);

  if (!store_callback_.is_null())
    std::move(store_callback_).Run(success);
}

bool BrowserDMTokenStorage::ShouldDisplayErrorMessageOnFailure() {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);

  InitIfNeeded();
  return should_display_error_message_on_failure_;
}

void BrowserDMTokenStorage::InitIfNeeded() {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
  DCHECK(delegate_) << "DM storage delegate has not been set. If this is a "
                       "test, you may need to add an instance of "
                       "FakeBrowserDMTokenStorage to the test fixture.";

  if (is_initialized_) {
    // TODO(crbug.com/40893625): Ideally we would execute this initialization
    // based on an event we listen to. However, because this may happen so
    // early, we don't have any place where we can hook this. We should find
    // a better solution in the future.
    if (is_init_enrollment_token_skipped_) {
      is_init_enrollment_token_skipped_ = !delegate_->CanInitEnrollmentToken();
      enrollment_token_ = delegate_->InitEnrollmentToken();
    }
    return;
  }

  is_initialized_ = true;

  // The enrollment token initialization may not be possible on the first call
  // to `InitIfNeeded` on all platforms. `CanInitEnrollmentToken` will return
  // false if this was the case to try initializing the token on the next call
  // to `InitIfNeeded` and avoid returning an empty token when
  // `RetrieveEnnrollmentToken' is called. It returns true on platforms that do
  // not have this problem.
  is_init_enrollment_token_skipped_ = !delegate_->CanInitEnrollmentToken();

  // When CBCM is not enabled, set the DM token to empty directly withtout
  // actually read it.
  if (!ChromeBrowserCloudManagementController::IsEnabled()) {
    dm_token_ = CreateEmptyToken();
    return;
  }

  // Only supported in official builds.
  client_id_ = delegate_->InitClientId();
  DVLOG(1) << "Client ID = " << client_id_;
  if (client_id_.empty())
    return;

  // checks if client ID is greater than 64 characters
  if (client_id_.length() > 64) {
    SYSLOG(ERROR) << "Chrome browser cloud management client ID should"
                     "not be greater than 64 characters long.";
    client_id_.clear();
    return;
  }

  // checks if client ID includes an illegal character
  if (std::ranges::any_of(client_id_, [](char ch) {
        return ch == ' ' || !base::IsAsciiPrintable(ch);
      })) {
    SYSLOG(ERROR)
        << "Chrome browser cloud management client ID should not"
           " contain a space, new line, or any nonprintable character.";
    client_id_.clear();
    return;
  }

  enrollment_token_ = delegate_->InitEnrollmentToken();
  DVLOG(1) << "Enrollment token = " << enrollment_token_;

  std::string init_dm_token = delegate_->InitDMToken();
  if (init_dm_token.empty()) {
    dm_token_ = CreateEmptyToken();
    DVLOG(1) << "DM Token = empty";
  } else if (init_dm_token == kInvalidTokenValue) {
    dm_token_ = CreateInvalidToken();
    DVLOG(1) << "DM Token = invalid";
  } else {
    dm_token_ = CreateValidToken(init_dm_token);
    DVLOG(1) << "DM Token = " << dm_token_.value();
  }

  should_display_error_message_on_failure_ =
      delegate_->InitEnrollmentErrorOption();
}

void BrowserDMTokenStorage::SaveDMToken(const std::string& token) {
  auto task = delegate_->SaveDMTokenTask(token, RetrieveClientId());
  auto reply = base::BindOnce(&BrowserDMTokenStorage::OnDMTokenStored,
                              weak_factory_.GetWeakPtr());
  delegate_->SaveDMTokenTaskRunner()->PostTaskAndReplyWithResult(
      FROM_HERE, std::move(task), std::move(reply));
}

void BrowserDMTokenStorage::DeleteDMToken() {
  auto task = delegate_->DeleteDMTokenTask(RetrieveClientId());
  auto reply = base::BindOnce(&BrowserDMTokenStorage::OnDMTokenStored,
                              weak_factory_.GetWeakPtr());
  delegate_->SaveDMTokenTaskRunner()->PostTaskAndReplyWithResult(
      FROM_HERE, std::move(task), std::move(reply));
}

}  // namespace policy