/*
* Copyright (C) 2009-2010 Mamadou Diop.
*
* Contact: Mamadou Diop <diopmamadou(at)doubango.org>
*	
* This file is part of Open Source Doubango Framework.
*
* DOUBANGO is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*	
* DOUBANGO is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*	
* You should have received a copy of the GNU General Public License
* along with DOUBANGO.
*
*/
/**@file thttp_auth.c
 * @brief HTTP basic/digest authetication (RFC 2617) implementations.
 *
 * @author Mamadou Diop <diopmamadou(at)doubango.org>
 *
 * @date Created: Sat Nov 8 16:54:58 2009 mdiop
 */
#include "tinyhttp/auth/thttp_auth.h"

#include "tsk_string.h"
#include "tsk_base64.h"
#include "tsk_buffer.h"
#include "tsk_memory.h"

#include <string.h>

/**@defgroup thttp_auth_group HTTP basic/digest authentication (RFC 2617)
*/

/**@ingroup thttp_auth_group
 *
 * Generates HTTP-basic response as per RFC 2617.
 *
 * @param [in,out]	userid		The user-id. 
 * @param [in,out]	password	The user-password.
 * @param [in,out]	response	A pointer to the response. It will be up to the caller to free the newly allocated buffer. 
 *
 * @return	The size of the response. 
**/
tsk_size_t thttp_auth_basic_response(const char* userid, const char* password, char** response)
{
	tsk_size_t ret;

	/* RFC 2617 - 2 Basic Authentication Scheme
	
	To receive authorization, the client sends the userid and password,
	separated by a single colon (":") character, within a base64 [7]
	encoded string in the credentials.
	*/
	
	char *res = 0;
	tsk_sprintf(&res, "%s:%s", userid, password);
	ret = tsk_base64_encode((const uint8_t*)res, tsk_strlen(res), response);
	TSK_FREE(res);

	return ret;
}


/**@ingroup thttp_auth_group
 * Generates digest HA1 value as per RFC 2617 subclause 3.2.2.2. 
 *
 *
 * @param [in,out]	username	The user's name (unquoted) in the specified @a realm. 
 * @param [in,out]	realm		The realm. (unquoted) 
 * @param [in,out]	password	The user's password. 
 * @param [in,out]	ha1			A pointer to the result. 
 *
 * @return	Zero if succeed and non-zero error code otherwise. 
**/
int thttp_auth_digest_HA1(const char* username, const char* realm, const char* password, tsk_md5string_t* ha1)
{
	int ret;

	/* RFC 2617 - 3.2.2.2 A1
		A1       = unq(username-value) ":" unq(realm-value) ":" passwd
	*/
	char *a1 = 0;
	tsk_sprintf(&a1, "%s:%s:%s", username, realm, password);	
	ret = tsk_md5compute(a1, tsk_strlen(a1), ha1);
	TSK_FREE(a1);
	
	return ret;
}

/**@ingroup thttp_auth_group
 *
 * Generates digest HA1 value for 'MD5-sess' algo as per RFC 2617 subclause 3.2.2.2.
 *
 *
 * @param [in,out]	username	The user's name (unquoted) in the specified @a realm.
 * @param [in,out]	realm		The realm (unquoted). 
 * @param [in,out]	password	The user's password.  
 * @param [in,out]	nonce		The nonce (unquoted).
 * @param [in,out]	cnonce		The client nonce (unquoted).
 * @param [in,out]	ha1sess		A pointer to the result. 
 *
 * @return	Zero if succeed and non-zero error code otherwise. 
**/
int thttp_auth_digest_HA1sess(const char* username, const char* realm, const char* password, const char* nonce, const char* cnonce, tsk_md5string_t* ha1sess)
{
	int ret;

	/* RFC 2617 - 3.2.2.2 A1
			A1       = H( unq(username-value) ":" unq(realm-value)
                     ":" passwd )
                     ":" unq(nonce-value) ":" unq(cnonce-value)
	*/

	char *a1sess = 0;
	tsk_sprintf(&a1sess, "%s:%s:%s:%s:%s", username, realm, password, nonce, cnonce);	
	ret = tsk_md5compute(a1sess, tsk_strlen(a1sess), ha1sess);
	TSK_FREE(a1sess);

	return ret;
}

/**@ingroup thttp_auth_group
 * Generates digest HA2 value as per RFC 2617 subclause 3.2.2.3. 
 *
 *
 * @param [in,out]	method		The HTTP/SIP method name. 
 * @param [in,out]	url			The HTTP URL or SIP URI of the request. 
 * @param [in,out]	entity_body	The entity body. 
 * @param [in,out]	qop			The Quality Of Protection.
 * @param [in,out]	ha2			A pointer to the response. 
 *
 * @return	Zero if succeed and non-zero error code otherwise. 
**/
int thttp_auth_digest_HA2(const char* method, const char* url, const tsk_buffer_t* entity_body, const char* qop, tsk_md5string_t* ha2)
{
	int ret;
	/* RFC 2617 - 3.2.2.3 A2

	If the "qop" directive's value is "auth" or is unspecified, then A2
	is:
	A2       = Method ":" digest-url-value

	If the "qop" value is "auth-int", then A2 is:
	A2       = Method ":" digest-url-value ":" H(entity-body)
	*/

	char *a2 = 0;

	if(!qop || tsk_strempty(qop) || tsk_striequals(qop, "auth")){
		tsk_sprintf(&a2, "%s:%s", method, url);
	}
	else if(tsk_striequals(qop, "auth-int"))
	{
		if(entity_body && entity_body->data){
			tsk_md5string_t hEntity;
			if((ret = tsk_md5compute(entity_body->data, entity_body->size, &hEntity))){
				goto bail;
			}
			tsk_sprintf(&a2, "%s:%s:%s", method, url, hEntity);
		}
		else{
			tsk_sprintf(&a2, "%s:%s:%s", method, url, TSK_MD5_EMPTY);
		}
	}

	ret = tsk_md5compute(a2, tsk_strlen(a2), ha2);

bail:
	 TSK_FREE(a2);

	 return ret;
}


/**@ingroup thttp_auth_group
 *
 * Generates HTTP digest response as per RFC 2617 subclause 3.2.2.1.
 *
 * @param [in,out]	ha1			HA1 string generated using  @ref thttp_auth_digest_HA1 or @ref thttp_auth_digest_HA1sess.
 * @param [in,out]	nonce		The nonce value. 
 * @param [in,out]	noncecount	The nonce count.
 * @param [in,out]	cnonce		The client nounce (unquoted).
 * @param [in,out]	qop			The Quality Of Protection (unquoted).
 * @param [in,out]	ha2			HA2 string generated using @ref thttp_auth_digest_HA2.
 * @param [in,out]	response	A pointer to the response.
 *
 * @return	Zero if succeed and non-zero error code otherwise. 
**/
int thttp_auth_digest_response(const tsk_md5string_t *ha1, const char* nonce, const nonce_count_t noncecount, const char* cnonce, 
							   const char* qop, const tsk_md5string_t* ha2, tsk_md5string_t* response)
{
	int ret;

	/* RFC 2617 3.2.2.1 Request-Digest

	============ CASE 1 ============
	If the "qop" value is "auth" or "auth-int":
	request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
	":" nc-value
	":" unq(cnonce-value)
	":" unq(qop-value)
	":" H(A2)
	) <">
	============ CASE 2 ============
	If the "qop" directive is not present (this construction is for
	compatibility with RFC 2069):
	request-digest  =
	<"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) >
	<">
	*/

	char *res = 0;

	if(tsk_striequals(qop, "auth") || tsk_striequals(qop, "auth-int")){
		/* CASE 1 */
		tsk_sprintf(&res, "%s:%s:%s:%s:%s:%s", *ha1, nonce, noncecount, cnonce, qop, *ha2);
	}
	else{
		/* CASE 2 */
		tsk_sprintf(&res, "%s:%s:%s", *ha1, nonce, *ha2);
	}

	ret = tsk_md5compute(res, tsk_strlen(res), response);
	TSK_FREE(res);

	 return ret;
}