/*
    * Copyright (C) 2018, Thomas Wolf <thomas.wolf@paranor.ch> and others
    *
    * This program and the accompanying materials are made available under the
    * terms of the Eclipse Distribution License v. 1.0 which is available at
    * https://www.eclipse.org/org/documents/edl-v10.php.
    *
    * SPDX-License-Identifier: BSD-3-Clause
    */
  package org.eclipse.jgit.internal.transport.sshd.auth;
  
  import static java.nio.charset.StandardCharsets.UTF_8;
  
  import java.net.Authenticator;
  import java.net.Authenticator.RequestorType;
  import java.net.InetSocketAddress;
  import java.net.PasswordAuthentication;
  import java.nio.ByteBuffer;
  import java.nio.CharBuffer;
  import java.security.AccessController;
  import java.security.PrivilegedAction;
  import java.util.Arrays;
  import java.util.concurrent.CancellationException;
  
  import org.eclipse.jgit.internal.transport.sshd.SshdText;
  import org.eclipse.jgit.transport.SshConstants;
  
  /**
   * An abstract implementation of a username-password authentication. It can be
   * given an initial known username-password pair; if so, this will be tried
   * first. Subsequent rounds will then try to obtain a user name and password via
   * the global {@link Authenticator}.
   *
   * @param <ParameterType>
   *            defining the parameter type for the authentication
   * @param <TokenType>
   *            defining the token type for the authentication
   */
  public abstract class BasicAuthentication<ParameterType, TokenType>
  		extends AbstractAuthenticationHandler<ParameterType, TokenType> {
  
  	/** The current user name. */
  	protected String user;
  
  	/** The current password. */
  	protected byte[] password;
  
  	/**
  	 * Creates a new {@link BasicAuthentication} to authenticate with the given
  	 * {@code proxy}.
  	 *
  	 * @param proxy
  	 *            {@link InetSocketAddress} of the proxy to connect to
  	 * @param initialUser
  	 *            initial user name to try; may be {@code null}
  	 * @param initialPassword
  	 *            initial password to try, may be {@code null}
  	 */
  	public BasicAuthentication(InetSocketAddress proxy, String initialUser,
  			char[] initialPassword) {
  		super(proxy);
  		this.user = initialUser;
  		this.password = convert(initialPassword);
  	}
  
  	private byte[] convert(char[] pass) {
  		if (pass == null) {
  			return new byte[0];
  		}
  		ByteBuffer bytes = UTF_8.encode(CharBuffer.wrap(pass));
  		byte[] pwd = new byte[bytes.remaining()];
  		bytes.get(pwd);
  		if (bytes.hasArray()) {
  			Arrays.fill(bytes.array(), (byte) 0);
  		}
  		Arrays.fill(pass, '\000');
  		return pwd;
  	}
  
  	/**
  	 * Clears the {@link #password}.
  	 */
  	protected void clearPassword() {
  		if (password != null) {
  			Arrays.fill(password, (byte) 0);
  		}
  		password = new byte[0];
  	}
  
  	@Override
  	public final void close() {
  		clearPassword();
  		done = true;
  	}
  
  	@Override
  	public final void start() throws Exception {
  		if (user != null && !user.isEmpty()
  				|| password != null && password.length > 0) {
 			return;
 		}
 		askCredentials();
 	}
 
 	@Override
 	public void process() throws Exception {
 		askCredentials();
 	}
 
 	/**
 	 * Asks for credentials via the global {@link Authenticator}.
 	 */
 	protected void askCredentials() {
 		clearPassword();
 		PasswordAuthentication auth = AccessController.doPrivileged(
 				(PrivilegedAction<PasswordAuthentication>) () -> Authenticator
 						.requestPasswordAuthentication(proxy.getHostString(),
 								proxy.getAddress(), proxy.getPort(),
 								SshConstants.SSH_SCHEME,
 								SshdText.get().proxyPasswordPrompt, "Basic", //$NON-NLS-1$
 								null, RequestorType.PROXY));
 		if (auth == null) {
 			user = ""; //$NON-NLS-1$
 			throw new CancellationException(
 					SshdText.get().authenticationCanceled);
 		}
 		user = auth.getUserName();
 		password = convert(auth.getPassword());
 	}
 }