/* Copyright (C) 2014, 2016 mod_auth_gssapi contributors - See COPYING for (C) terms */

#include "mod_auth_gssapi.h"

#include "asn1c/GSSSessionData.h"

APLOG_USE_MODULE(auth_gssapi);

static APR_OPTIONAL_FN_TYPE(ap_session_load) *mag_sess_load_fn = NULL;

static APR_OPTIONAL_FN_TYPE(ap_session_get) *mag_sess_get_fn = NULL;

static APR_OPTIONAL_FN_TYPE(ap_session_set) *mag_sess_set_fn = NULL;

void mag_post_config_session(void)

{

    mag_sess_load_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_load);

    mag_sess_get_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_get);

    mag_sess_set_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_set);

}

static apr_status_t mag_session_load(request_rec *req, session_rec **sess)

{

    if (mag_sess_load_fn) {

        return mag_sess_load_fn(req, sess);

    }

    return DECLINED;

}

static apr_status_t mag_session_get(request_rec *req, session_rec *sess,

                                    const char *key, const char **value)

{

    if (mag_sess_get_fn) {

        return mag_sess_get_fn(req, sess, key, value);

    }

    return DECLINED;

}

static apr_status_t mag_session_set(request_rec *req, session_rec *sess,

                                    const char *key, const char *value)

{

    if (mag_sess_set_fn) {

        return mag_sess_set_fn(req, sess, key, value);

    }

    return DECLINED;

}

static bool encode_GSSSessionData(apr_pool_t *mempool,

                                  GSSSessionData_t *gsessdata,

                                  unsigned char **buf, int *len)

{

    asn_enc_rval_t rval;

    unsigned char *buffer = NULL;

    size_t buflen;

    bool ret = false;

    /* dry run to compute the size */

    rval = der_encode(&asn_DEF_GSSSessionData, gsessdata, NULL, NULL);

    if (rval.encoded == -1) goto done;

    buflen = rval.encoded;

    buffer = apr_pcalloc(mempool, buflen);

    /* now for real */

    rval = der_encode_to_buffer(&asn_DEF_GSSSessionData,

                                gsessdata, buffer, buflen);

    if (rval.encoded == -1) goto done;

    *buf = buffer;

    *len = buflen;

    ret = true;

done:

    return ret;

}

static GSSSessionData_t *decode_GSSSessionData(void *buf, size_t len)

{

    GSSSessionData_t *gsessdata = NULL;

    asn_dec_rval_t rval;

    rval = ber_decode(NULL, &asn_DEF_GSSSessionData,

                      (void **)&gsessdata, buf, len);

    if (rval.code == RC_OK) {

        return gsessdata;

    }

    return NULL;

}

#define MAG_BEARER_KEY "MagBearerToken"

void mag_check_session(struct mag_req_cfg *cfg, struct mag_conn **conn)

{

    request_rec *req = cfg->req;

    struct mag_conn *mc;

    apr_status_t rc;

    session_rec *sess = NULL;

    const char *sessval = NULL;

    int declen;

    struct databuf ctxbuf = { 0 };

    struct databuf cipherbuf = { 0 };

    GSSSessionData_t *gsessdata;

    time_t expiration;

    rc = mag_session_load(req, &sess;;

    if (rc != OK || sess == NULL) {

        ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,

                      "Sessions not available, no cookies!");

        return;

    }

    mc = *conn;

    if (!mc) {

        *conn = mc = mag_new_conn_ctx(req->pool);

        mc->is_preserved = true;

    }

    rc = mag_session_get(req, sess, MAG_BEARER_KEY, &sessval);

    if (rc != OK) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,

                      "Failed to get session data!");

        return;

    }

    if (!sessval) {

        /* no session established, just return */

        return;

    }

    if (!cfg->mag_skey) {

        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,

                      "Session key not available, no cookies!");

        /* we do not have a key, just return */

        return;

    }

    /* decode it */

    declen = apr_base64_decode_len(sessval);

    cipherbuf.value = apr_palloc(req->pool, declen);

    if (!cipherbuf.value) return;

    cipherbuf.length = (int)apr_base64_decode((char *)cipherbuf.value, sessval);

    rc = UNSEAL_BUFFER(req->pool, cfg->mag_skey, &cipherbuf, &ctxbuf);

    if (rc != OK) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,

                      "Failed to unseal session data!");

        return;

    }

    gsessdata = decode_GSSSessionData(ctxbuf.value, ctxbuf.length);

    if (!gsessdata) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,

                      "Failed to unpack session data!");

        return;

    }

    /* booleans */

    if (gsessdata->established != 0) mc->established = true;

    if (gsessdata->delegated != 0) mc->delegated = true;

    /* get time */

    expiration = gsessdata->expiration;

    if (expiration < time(NULL)) {

        /* credentials fully expired, return nothing */

        mc->established = false;

        goto done;

    }

    /* user name */

    mc->user_name = apr_pstrndup(mc->pool,

                                 (char *)gsessdata->username.buf,

                                 gsessdata->username.size);

    if (!mc->user_name) goto done;

    /* gssapi name */

    mc->gss_name = apr_pstrndup(mc->pool,

                                (char *)gsessdata->gssname.buf,

                                gsessdata->gssname.size);

    if (!mc->gss_name) goto done;

    mc->basic_hash.length = gsessdata->basichash.size;

    mc->basic_hash.value = apr_palloc(mc->pool, mc->basic_hash.length);

    memcpy(mc->basic_hash.value,

           gsessdata->basichash.buf, gsessdata->basichash.size);

    /* ccname */

    mc->ccname = apr_pstrndup(mc->pool,

                              (char *)gsessdata->ccname.buf,

                              gsessdata->ccname.size);

    if (!mc->ccname) goto done;

    /* OK we have a valid token */

    mc->established = true;

done:

    ASN_STRUCT_FREE(asn_DEF_GSSSessionData, gsessdata);

}

void mag_attempt_session(struct mag_req_cfg *cfg, struct mag_conn *mc)

{

    request_rec *req = cfg->req;

    session_rec *sess = NULL;

    struct databuf plainbuf = { 0 };

    struct databuf cipherbuf = { 0 };

    struct databuf ctxbuf = { 0 };

    GSSSessionData_t gsessdata = { 0 };

    apr_status_t rc;

    bool ret;

    /* we save the session only if the authentication is established */

    if (!mc->established) return;

    rc = mag_session_load(req, &sess;;

    if (rc != OK || sess == NULL) {

        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,

                      "Sessions not available, can't send cookies!");

        return;

    }

    if (!cfg->mag_skey) {

        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,

                      "Session key not available, aborting.");

        return;

    }

    gsessdata.established = mc->established?1:0;

    gsessdata.delegated = mc->delegated?1:0;

    if (sess->expiry != 0) {

        mc->expiration = mc->expiration < apr_time_sec(sess->expiry) ?

                         mc->expiration : apr_time_sec(sess->expiry);

    }

    gsessdata.expiration = mc->expiration;

    if (OCTET_STRING_fromString(&gsessdata.username, mc->user_name) != 0)

        goto done;

    if (OCTET_STRING_fromString(&gsessdata.gssname, mc->gss_name) != 0)

        goto done;

    if (OCTET_STRING_fromBuf(&gsessdata.basichash,

                             (const char *)mc->basic_hash.value,

                             mc->basic_hash.length) != 0)

        goto done;

    /* NULL ccname here just means default ccache */

    if (mc->ccname &&

        OCTET_STRING_fromString(&gsessdata.ccname, mc->ccname) != 0) {

        goto done;

    }

    ret = encode_GSSSessionData(req->pool, &gsessdata,

                                &plainbuf.value, &plainbuf.length);

    if (ret == false) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,

                      "Failed to pack session data!");

        goto done;

    }

    rc = SEAL_BUFFER(req->pool, cfg->mag_skey, &plainbuf, &cipherbuf);

    if (rc != OK) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,

                      "Failed to seal session data!");

        goto done;

    }

    ctxbuf.length = apr_base64_encode_len(cipherbuf.length);

    ctxbuf.value = apr_pcalloc(req->pool, ctxbuf.length);

    if (!ctxbuf.value) goto done;

    ctxbuf.length = apr_base64_encode((char *)ctxbuf.value,

                                      (char *)cipherbuf.value,

                                      cipherbuf.length);

    rc = mag_session_set(req, sess, MAG_BEARER_KEY, (char *)ctxbuf.value);

    if (rc != OK) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,

                      "Failed to set session data!");

    }

done:

    ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GSSSessionData, &gsessdata);

}

static int mag_basic_hmac(struct seal_key *key, unsigned char *mac,

                          gss_buffer_desc user, gss_buffer_desc pwd)

{

    struct databuf hmacbuf = { mac, 0 };

    int data_size = user.length + pwd.length + 1;

    unsigned char data[data_size];

    struct databuf databuf = { data, data_size };

    memcpy(data, user.value, user.length);

    data[user.length] = '\0';

    memcpy(&data[user.length + 1], pwd.value, pwd.length);

    return HMAC_BUFFER(key, &databuf, &hmacbuf);

}

static int mag_get_mac_size(struct mag_req_cfg *cfg)

{

    if (!cfg->mag_skey) {

        ap_log_perror(APLOG_MARK, APLOG_INFO, 0, cfg->cfg->pool,

                      "Session key not available, aborting!");

        return 0;

    }

    return get_mac_size(cfg->mag_skey);

}

bool mag_basic_check(struct mag_req_cfg *cfg, struct mag_conn *mc,

                     gss_buffer_desc user, gss_buffer_desc pwd)

{

    int mac_size = mag_get_mac_size(cfg);

    unsigned char mac[mac_size];

    int ret, i, j;

    bool res = false;

    if (mac_size == 0) return false;

    if (mc->basic_hash.value == NULL) return false;

    ret = mag_basic_hmac(cfg->mag_skey, mac, user, pwd);

    if (ret != 0) goto done;

    for (i = 0, j = 0; i < mac_size; i++) {

        if (mc->basic_hash.value[i] != mac[i]) j++;

    }

    if (j == 0) res = true;

done:

    if (res == false) {

        mc->basic_hash.value = NULL;

        mc->basic_hash.length = 0;

    }

    return res;

}

void mag_basic_cache(struct mag_req_cfg *cfg, struct mag_conn *mc,

                     gss_buffer_desc user, gss_buffer_desc pwd)

{

    int mac_size = mag_get_mac_size(cfg);

    unsigned char mac[mac_size];

    int ret;

    ret = mag_basic_hmac(cfg->mag_skey, mac, user, pwd);

    if (ret != 0) return;

    mc->basic_hash.length = mac_size;

    mc->basic_hash.value = apr_palloc(mc->pool, mac_size);

    memcpy(mc->basic_hash.value, mac, mac_size);

}