// Copyright (c) 2017 GitHub, Inc.
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.

#include "shell/browser/ui/certificate_trust.h"

#include <memory>
#include <string>
#include <utility>

#import <Cocoa/Cocoa.h>
#import <SecurityInterface/SFCertificateTrustPanel.h>

#include "base/strings/sys_string_conversions.h"
#include "net/cert/cert_database.h"
#include "net/cert/x509_util_apple.h"
#include "shell/browser/native_window.h"

@interface TrustDelegate : NSObject {
 @private
  std::unique_ptr<gin_helper::Promise<void>> promise_;
  SFCertificateTrustPanel* panel_;
  scoped_refptr<net::X509Certificate> cert_;
  SecTrustRef trust_;
  CFArrayRef cert_chain_;
  SecPolicyRef sec_policy_;
}

- (id)initWithPromise:(gin_helper::Promise<void>)promise
                panel:(SFCertificateTrustPanel*)panel
                 cert:(const scoped_refptr<net::X509Certificate>&)cert
                trust:(SecTrustRef)trust
            certChain:(CFArrayRef)certChain
            secPolicy:(SecPolicyRef)secPolicy;

- (void)panelDidEnd:(NSWindow*)sheet
         returnCode:(int)returnCode
        contextInfo:(void*)contextInfo;

@end

@implementation TrustDelegate

- (void)dealloc {
  CFRelease(trust_);
  CFRelease(cert_chain_);
  CFRelease(sec_policy_);
}

- (id)initWithPromise:(gin_helper::Promise<void>)promise
                panel:(SFCertificateTrustPanel*)panel
                 cert:(const scoped_refptr<net::X509Certificate>&)cert
                trust:(SecTrustRef)trust
            certChain:(CFArrayRef)certChain
            secPolicy:(SecPolicyRef)secPolicy {
  if ((self = [super init])) {
    promise_ = std::make_unique<gin_helper::Promise<void>>(std::move(promise));
    panel_ = panel;
    cert_ = cert;
    trust_ = trust;
    cert_chain_ = certChain;
    sec_policy_ = secPolicy;
  }

  return self;
}

- (void)panelDidEnd:(NSWindow*)sheet
         returnCode:(int)returnCode
        contextInfo:(void*)contextInfo {
  auto* cert_db = net::CertDatabase::GetInstance();
  // This forces Chromium to reload the certificate since it might be trusted
  // now.
  cert_db->NotifyObserversTrustStoreChanged();

  promise_->Resolve();
}

@end

namespace certificate_trust {

v8::Local<v8::Promise> ShowCertificateTrust(
    electron::NativeWindow* parent_window,
    const scoped_refptr<net::X509Certificate>& cert,
    const std::string& message) {
  v8::Isolate* isolate = electron::JavascriptEnvironment::GetIsolate();
  gin_helper::Promise<void> promise(isolate);
  v8::Local<v8::Promise> handle = promise.GetHandle();

  auto* sec_policy = SecPolicyCreateBasicX509();
  auto cert_chain =
      net::x509_util::CreateSecCertificateArrayForX509Certificate(cert.get());
  SecTrustRef trust = nullptr;
  SecTrustCreateWithCertificates(cert_chain.get(), sec_policy, &trust);

  NSWindow* window = parent_window
                         ? parent_window->GetNativeWindow().GetNativeNSWindow()
                         : nil;
  auto msg = base::SysUTF8ToNSString(message);

  auto panel = [[SFCertificateTrustPanel alloc] init];
  auto delegate = [[TrustDelegate alloc] initWithPromise:std::move(promise)
                                                   panel:panel
                                                    cert:cert
                                                   trust:trust
                                               certChain:cert_chain.release()
                                               secPolicy:sec_policy];
  [panel beginSheetForWindow:window
               modalDelegate:delegate
              didEndSelector:@selector(panelDidEnd:returnCode:contextInfo:)
                 contextInfo:nil
                       trust:trust
                     message:msg];

  return handle;
}

}  // namespace certificate_trust