// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/installer/util/user_experiment.h"

#include <windows.h>
#include <sddl.h>
#include <wtsapi32.h>
#include <vector>

#include "base/command_line.h"
#include "base/files/file_path.h"
#include "base/path_service.h"
#include "base/process/launch.h"
#include "base/rand_util.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_split.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "base/win/scoped_handle.h"
#include "base/win/windows_version.h"
#include "chrome/common/chrome_paths.h"
#include "chrome/common/chrome_result_codes.h"
#include "chrome/common/chrome_switches.h"
#include "chrome/grit/chromium_strings.h"
#include "chrome/installer/util/browser_distribution.h"
#include "chrome/installer/util/google_update_constants.h"
#include "chrome/installer/util/google_update_settings.h"
#include "chrome/installer/util/helper.h"
#include "chrome/installer/util/install_util.h"
#include "chrome/installer/util/product.h"
#include "content/public/common/result_codes.h"

#pragma comment(lib, "wtsapi32.lib")

namespace installer {

namespace {

// The following strings are the possible outcomes of the toast experiment
// as recorded in the |client| field.
const wchar_t kToastExpControlGroup[] =        L"01";
const wchar_t kToastExpCancelGroup[] =         L"02";
const wchar_t kToastExpUninstallGroup[] =      L"04";
const wchar_t kToastExpTriesOkGroup[] =        L"18";
const wchar_t kToastExpTriesErrorGroup[] =     L"28";
const wchar_t kToastActiveGroup[] =            L"40";
const wchar_t kToastUDDirFailure[] =           L"40";
const wchar_t kToastExpBaseGroup[] =           L"80";

// Substitute the locale parameter in uninstall URL with whatever
// Google Update tells us is the locale. In case we fail to find
// the locale, we use US English.
base::string16 LocalizeUrl(const wchar_t* url) {
  base::string16 language;
  if (!GoogleUpdateSettings::GetLanguage(&language))
    language = L"en-US";  // Default to US English.
  return base::ReplaceStringPlaceholders(url, language.c_str(), NULL);
}

base::string16 GetWelcomeBackUrl() {
  const wchar_t kWelcomeUrl[] = L"http://www.google.com/chrome/intl/$1/"
                                L"welcomeback-new.html";
  return LocalizeUrl(kWelcomeUrl);
}

// Converts FILETIME to hours. FILETIME times are absolute times in
// 100 nanosecond units. For example 5:30 pm of June 15, 2009 is 3580464.
int FileTimeToHours(const FILETIME& time) {
  const ULONGLONG k100sNanoSecsToHours = 10000000LL * 60 * 60;
  ULARGE_INTEGER uli = {{time.dwLowDateTime, time.dwHighDateTime}};
  return static_cast<int>(uli.QuadPart / k100sNanoSecsToHours);
}

// Returns the directory last write time in hours since January 1, 1601.
// Returns -1 if there was an error retrieving the directory time.
int GetDirectoryWriteTimeInHours(const wchar_t* path) {
  // To open a directory you need to pass FILE_FLAG_BACKUP_SEMANTICS.
  DWORD share = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
  base::win::ScopedHandle file(::CreateFileW(path, 0, share, NULL,
      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL));
  if (!file.IsValid())
    return -1;

  FILETIME time;
  return ::GetFileTime(file.Get(), NULL, NULL, &time) ?
      FileTimeToHours(time) : -1;
}

// Returns the time in hours since the last write to the user data directory.
// A return value of 14 means that the directory was last written 14 hours ago.
// Returns -1 if there was an error retrieving the directory.
int GetUserDataDirectoryWriteAgeInHours() {
  base::FilePath user_data_dir;
  if (!PathService::Get(chrome::DIR_USER_DATA, &user_data_dir))
    return -1;
  int dir_time = GetDirectoryWriteTimeInHours(user_data_dir.value().c_str());
  if (dir_time < 0)
    return dir_time;
  FILETIME time;
  GetSystemTimeAsFileTime(&time);
  int now_time = FileTimeToHours(time);
  if (dir_time >= now_time)
    return 0;
  return (now_time - dir_time);
}

// Launches setup.exe (located at |setup_path|) with |cmd_line|.
// If system_level_toast is true, appends --system-level-toast.
// If handle to experiment result key was given at startup, re-add it.
// Does not wait for the process to terminate.
// |cmd_line| may be modified as a result of this call.
bool LaunchSetup(base::CommandLine* cmd_line, bool system_level_toast) {
  const base::CommandLine& current_cmd_line =
      *base::CommandLine::ForCurrentProcess();

  // Propagate --verbose-logging to the invoked setup.exe.
  if (current_cmd_line.HasSwitch(switches::kVerboseLogging))
    cmd_line->AppendSwitch(switches::kVerboseLogging);

  // Re-add the system level toast flag.
  if (system_level_toast) {
    cmd_line->AppendSwitch(switches::kSystemLevel);
    cmd_line->AppendSwitch(switches::kSystemLevelToast);

    // Re-add the toast result key. We need to do this because Setup running as
    // system passes the key to Setup running as user, but that child process
    // does not perform the actual toasting, it launches another Setup (as user)
    // to do so. That is the process that needs the key.
    std::string key(switches::kToastResultsKey);
    std::string toast_key = current_cmd_line.GetSwitchValueASCII(key);
    if (!toast_key.empty()) {
      cmd_line->AppendSwitchASCII(key, toast_key);

      // Use handle inheritance to make sure the duplicated toast results key
      // gets inherited by the child process.
      base::LaunchOptions options;
      options.inherit_handles = true;
      base::Process process = base::LaunchProcess(*cmd_line, options);
      return process.IsValid();
    }
  }

  base::Process process = base::LaunchProcess(*cmd_line, base::LaunchOptions());
  return process.IsValid();
}

// For System level installs, setup.exe lives in the system temp, which
// is normally c:\windows\temp. In many cases files inside this folder
// are not accessible for execution by regular user accounts.
// This function changes the permissions so that any authenticated user
// can launch |exe| later on. This function should only be called if the
// code is running at the system level.
bool FixDACLsForExecute(const base::FilePath& exe) {
  // The general strategy to is to add an ACE to the exe DACL the quick
  // and dirty way: a) read the DACL b) convert it to sddl string c) add the
  // new ACE to the string d) convert sddl string back to DACL and finally
  // e) write new dacl.
  char buff[1024];
  DWORD len = sizeof(buff);
  PSECURITY_DESCRIPTOR sd = reinterpret_cast<PSECURITY_DESCRIPTOR>(buff);
  if (!::GetFileSecurityW(exe.value().c_str(), DACL_SECURITY_INFORMATION,
                          sd, len, &len)) {
    return false;
  }
  wchar_t* sddl = 0;
  if (!::ConvertSecurityDescriptorToStringSecurityDescriptorW(sd,
      SDDL_REVISION_1, DACL_SECURITY_INFORMATION, &sddl, NULL))
    return false;
  base::string16 new_sddl(sddl);
  ::LocalFree(sddl);
  sd = NULL;
  // See MSDN for the  security descriptor definition language (SDDL) syntax,
  // in our case we add "A;" generic read 'GR' and generic execute 'GX' for
  // the nt\authenticated_users 'AU' group, that becomes:
  const wchar_t kAllowACE[] = L"(A;;GRGX;;;AU)";
  // We should check that there are no special ACES for the group we
  // are interested, which is nt\authenticated_users.
  if (base::string16::npos != new_sddl.find(L";AU)"))
    return false;
  // Specific ACEs (not inherited) need to go to the front. It is ok if we
  // are the very first one.
  size_t pos_insert = new_sddl.find(L"(");
  if (base::string16::npos == pos_insert)
    return false;
  // All good, time to change the dacl.
  new_sddl.insert(pos_insert, kAllowACE);
  if (!::ConvertStringSecurityDescriptorToSecurityDescriptorW(new_sddl.c_str(),
      SDDL_REVISION_1, &sd, NULL))
    return false;
  bool rv = ::SetFileSecurityW(exe.value().c_str(), DACL_SECURITY_INFORMATION,
                               sd) == TRUE;
  ::LocalFree(sd);
  return rv;
}

// This function launches setup as the currently logged-in interactive
// user that is the user whose logon session is attached to winsta0\default.
// It assumes that currently we are running as SYSTEM in a non-interactive
// windowstation.
// The function fails if there is no interactive session active, basically
// the computer is on but nobody has logged in locally.
// Remote Desktop sessions do not count as interactive sessions; running this
// method as a user logged in via remote desktop will do nothing.
bool LaunchSetupAsConsoleUser(base::CommandLine* cmd_line) {
  // Convey to the invoked setup.exe that it's operating on a system-level
  // installation.
  cmd_line->AppendSwitch(switches::kSystemLevel);

  // Propagate --verbose-logging to the invoked setup.exe.
  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
          switches::kVerboseLogging))
    cmd_line->AppendSwitch(switches::kVerboseLogging);

  // Get the Google Update results key, and pass it on the command line to
  // the child process.
  int key = GoogleUpdateSettings::DuplicateGoogleUpdateSystemClientKey();
  cmd_line->AppendSwitchASCII(switches::kToastResultsKey,
                              base::IntToString(key));

  if (base::win::GetVersion() > base::win::VERSION_XP) {
    // Make sure that in Vista and Above we have the proper DACLs so
    // the interactive user can launch it.
    if (!FixDACLsForExecute(cmd_line->GetProgram()))
      NOTREACHED();
  }

  DWORD console_id = ::WTSGetActiveConsoleSessionId();
  if (console_id == 0xFFFFFFFF) {
    PLOG(ERROR) << __FUNCTION__ << " failed to get active session id";
    return false;
  }
  HANDLE user_token;
  if (!::WTSQueryUserToken(console_id, &user_token)) {
    PLOG(ERROR) << __FUNCTION__ << " failed to get user token for console_id "
                << console_id;
    return false;
  }
  // Note: Handle inheritance must be true in order for the child process to be
  // able to use the duplicated handle above (Google Update results).
  base::LaunchOptions options;
  options.as_user = user_token;
  options.inherit_handles = true;
  options.empty_desktop_name = true;
  VLOG(1) << __FUNCTION__ << " launching " << cmd_line->GetCommandLineString();
  base::Process process = base::LaunchProcess(*cmd_line, options);
  ::CloseHandle(user_token);
  VLOG(1) << __FUNCTION__ << "   result: " << process.IsValid();
  return process.IsValid();
}

// A helper function that writes to HKLM if the handle was passed through the
// command line, but HKCU otherwise. |experiment_group| is the value to write
// and |last_write| is used when writing to HKLM to determine whether to close
// the handle when done.
void SetClient(const base::string16& experiment_group, bool last_write) {
  static int reg_key_handle = -1;
  if (reg_key_handle == -1) {
    // If a specific Toast Results key handle (presumably to our HKLM key) was
    // passed in to the command line (such as for system level installs), we use
    // it. Otherwise, we write to the key under HKCU.
    const base::CommandLine& cmd_line = *base::CommandLine::ForCurrentProcess();
    if (cmd_line.HasSwitch(switches::kToastResultsKey)) {
      // Get the handle to the key under HKLM.
      base::StringToInt(
          cmd_line.GetSwitchValueNative(switches::kToastResultsKey),
          &reg_key_handle);
    } else {
      reg_key_handle = 0;
    }
  }

  if (reg_key_handle) {
    // Use it to write the experiment results.
    GoogleUpdateSettings::WriteGoogleUpdateSystemClientKey(
        reg_key_handle, google_update::kRegClientField, experiment_group);
    if (last_write) {
      CloseHandle(
          reinterpret_cast<HANDLE>(static_cast<uintptr_t>(reg_key_handle)));
    }
  } else {
    // Write to HKCU.
    GoogleUpdateSettings::SetClient(experiment_group);
  }
}

}  // namespace

bool CreateExperimentDetails(int flavor, ExperimentDetails* experiment) {
  struct FlavorDetails {
    int heading_id;
    int flags;
  };
  // Maximum number of experiment flavors we support.
  static const int kMax = 4;
  // This struct determines which experiment flavors we show for each locale and
  // brand.
  //
  // Plugin infobar experiment:
  // The experiment in 2011 used PIxx codes.
  //
  // Inactive user toast experiment:
  // The experiment in Dec 2009 used TGxx and THxx.
  // The experiment in Feb 2010 used TKxx and TLxx.
  // The experiment in Apr 2010 used TMxx and TNxx.
  // The experiment in Oct 2010 used TVxx TWxx TXxx TYxx.
  // The experiment in Feb 2011 used SJxx SKxx SLxx SMxx.
  // The experiment in Mar 2012 used ZAxx ZBxx ZCxx.
  // The experiment in Jan 2013 uses DAxx.

  static const struct UserExperimentSpecs {
    const wchar_t* locale;  // Locale to show this experiment for (* for all).
    const wchar_t* brands;  // Brand codes show this experiment for (* for all).
    int control_group;      // Size of the control group, in percentages.
    const wchar_t* prefix;  // The two letter experiment code. The second letter
                            // will be incremented with the flavor.
    FlavorDetails flavors[kMax];
  } kExperiments[] = {
    // The first match from top to bottom is used so this list should be ordered
    // most-specific rule first.
    { L"*", L"GGRV",  // All locales, GGRV is enterprise.
      0,              // 0 percent control group.
      L"EA",          // Experiment is EAxx, EBxx, etc.
      // No flavors means no experiment.
      { { 0, 0 },
        { 0, 0 },
        { 0, 0 },
        { 0, 0 }
      }
    },
    { L"*", L"*",     // All locales, all brands.
      5,              // 5 percent control group.
      L"DA",          // Experiment is DAxx.
      // One single flavor.
      { { IDS_TRY_TOAST_HEADING3, kToastUiMakeDefault },
        { 0, 0 },
        { 0, 0 },
        { 0, 0 }
      }
    }
  };

  base::string16 locale;
  GoogleUpdateSettings::GetLanguage(&locale);
  if (locale.empty() || (locale == L"en"))
    locale = L"en-US";

  base::string16 brand;
  if (!GoogleUpdateSettings::GetBrand(&brand))
    brand.clear();  // Could still be viable for catch-all rules

  for (int i = 0; i < arraysize(kExperiments); ++i) {
    base::string16 experiment_locale = kExperiments[i].locale;
    if (experiment_locale != locale && experiment_locale != L"*")
      continue;

    for (const base::string16& cur : base::SplitString(
             kExperiments[i].brands, L",",
             base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) {
      if (cur != brand && cur != L"*")
        continue;
      // We have found our match.
      const UserExperimentSpecs& match = kExperiments[i];
      // Find out how many flavors we have. Zero means no experiment.
      int num_flavors = 0;
      while (match.flavors[num_flavors].heading_id) { ++num_flavors; }
      if (!num_flavors)
        return false;

      if (flavor < 0)
        flavor = base::RandInt(0, num_flavors - 1);
      experiment->flavor = flavor;
      experiment->heading = match.flavors[flavor].heading_id;
      experiment->control_group = match.control_group;
      const wchar_t prefix[] = {
          match.prefix[0], static_cast<wchar_t>(match.prefix[1] + flavor), 0};
      experiment->prefix = prefix;
      experiment->flags = match.flavors[flavor].flags;
      return true;
    }
  }

  return false;
}

// Currently we only have one experiment: the inactive user toast. Which only
// applies for users doing upgrades.

// There are three scenarios when this function is called:
// 1- Is a per-user-install and it updated: perform the experiment
// 2- Is a system-install and it updated : relaunch as the interactive user
// 3- It has been re-launched from the #2 case. In this case we enter
//    this function with |system_install| true and a REENTRY_SYS_UPDATE status.
void LaunchBrowserUserExperiment(const base::CommandLine& base_cmd_line,
                                 InstallStatus status,
                                 bool system_level) {
  if (system_level) {
    if (NEW_VERSION_UPDATED == status) {
      base::CommandLine cmd_line(base_cmd_line);
      cmd_line.AppendSwitch(switches::kSystemLevelToast);
      // We need to relaunch as the interactive user.
      LaunchSetupAsConsoleUser(&cmd_line);
      return;
    }
  } else {
    if (status != NEW_VERSION_UPDATED && status != REENTRY_SYS_UPDATE) {
      // We are not updating or in re-launch. Exit.
      return;
    }
  }

  // The |flavor| value ends up being processed by TryChromeDialogView to show
  // different experiments.
  ExperimentDetails experiment;
  if (!CreateExperimentDetails(-1, &experiment)) {
    VLOG(1) << "Failed to get experiment details.";
    return;
  }
  int flavor = experiment.flavor;
  base::string16 base_group = experiment.prefix;

  base::string16 brand;
  if (GoogleUpdateSettings::GetBrand(&brand) && (brand == L"CHXX")) {
    // Testing only: the user automatically qualifies for the experiment.
    VLOG(1) << "Experiment qualification bypass";
  } else {
    // Check that the user was not already drafted in this experiment.
    base::string16 client;
    GoogleUpdateSettings::GetClient(&client);
    if (client.size() > 2) {
      if (base_group == client.substr(0, 2)) {
        VLOG(1) << "User already participated in this experiment";
        return;
      }
    }
    const bool experiment_enabled = false;
    if (!experiment_enabled) {
      VLOG(1) << "Toast experiment is disabled.";
      return;
    }

    // Check browser usage inactivity by the age of the last-write time of the
    // relevant chrome user data directory.
    const int kThirtyDays = 30 * 24;
    const int dir_age_hours = GetUserDataDirectoryWriteAgeInHours();
    if (dir_age_hours < 0) {
      // This means that we failed to find the user data dir. The most likely
      // cause is that this user has not ever used chrome at all which can
      // happen in a system-level install.
      SetClient(base_group + kToastUDDirFailure, true);
      return;
    } else if (dir_age_hours < kThirtyDays) {
      // An active user, so it does not qualify.
      VLOG(1) << "Chrome used in last " << dir_age_hours << " hours";
      SetClient(base_group + kToastActiveGroup, true);
      return;
    }
    // Check to see if this user belongs to the control group.
    double control_group = 1.0 * (100 - experiment.control_group) / 100;
    if (base::RandDouble() > control_group) {
      SetClient(base_group + kToastExpControlGroup, true);
      VLOG(1) << "User is control group";
      return;
    }
  }

  VLOG(1) << "User drafted for toast experiment " << flavor;
  SetClient(base_group + kToastExpBaseGroup, false);
  // User level: The experiment needs to be performed in a different process
  // because google_update expects the upgrade process to be quick and nimble.
  // System level: We have already been relaunched, so we don't need to be
  // quick, but we relaunch to follow the exact same codepath.
  base::CommandLine cmd_line(base_cmd_line);
  cmd_line.AppendSwitchASCII(switches::kInactiveUserToast,
                             base::IntToString(flavor));
  cmd_line.AppendSwitchASCII(switches::kExperimentGroup,
                             base::UTF16ToASCII(base_group));
  LaunchSetup(&cmd_line, system_level);
}

// User qualifies for the experiment. To test, use --try-chrome-again=|flavor|
// as a parameter to chrome.exe.
void InactiveUserToastExperiment(int flavor,
                                 const base::string16& experiment_group,
                                 const Product& product,
                                 const base::FilePath& application_path) {
  // Add the 'welcome back' url for chrome to show.
  base::CommandLine options(base::CommandLine::NO_PROGRAM);
  options.AppendSwitchNative(::switches::kTryChromeAgain,
      base::IntToString16(flavor));
  // Prepend the url with a space.
  base::string16 url(GetWelcomeBackUrl());
  options.AppendArg("--");
  options.AppendArgNative(url);
  // The command line should now have the url added as:
  // "chrome.exe -- <url>"
  DCHECK_NE(base::string16::npos,
            options.GetCommandLineString().find(L" -- " + url));

  // Launch chrome now. It will show the toast UI.
  int32 exit_code = 0;
  if (!product.LaunchChromeAndWait(application_path, options, &exit_code))
    return;

  // The chrome process has exited, figure out what happened.
  const wchar_t* outcome = NULL;
  switch (exit_code) {
    case content::RESULT_CODE_NORMAL_EXIT:
      outcome = kToastExpTriesOkGroup;
      break;
    case chrome::RESULT_CODE_NORMAL_EXIT_CANCEL:
      outcome = kToastExpCancelGroup;
      break;
    case chrome::RESULT_CODE_NORMAL_EXIT_EXP2:
      outcome = kToastExpUninstallGroup;
      break;
    default:
      outcome = kToastExpTriesErrorGroup;
  }
  // Write to the |client| key for the last time.
  SetClient(experiment_group + outcome, true);

  if (outcome != kToastExpUninstallGroup)
    return;
  // The user wants to uninstall. This is a best effort operation. Note that
  // we waited for chrome to exit so the uninstall would not detect chrome
  // running.
  bool system_level_toast = base::CommandLine::ForCurrentProcess()->HasSwitch(
      switches::kSystemLevelToast);

  base::CommandLine cmd(InstallUtil::GetChromeUninstallCmd(
      system_level_toast, product.distribution()->GetType()));
  base::LaunchProcess(cmd, base::LaunchOptions());
}

}  // namespace installer