// Copyright (c) 2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_HTTP_HTTP_AUTH_CACHE_H_
#define NET_HTTP_HTTP_AUTH_CACHE_H_

#include <list>
#include <string>

#include "base/ref_counted.h"
#include "googleurl/src/gurl.h"
#include "net/http/http_auth_handler.h"
// This is needed for the FRIEND_TEST() macro.
#include "testing/gtest/include/gtest/gtest_prod.h"

namespace net {

// TODO(eroman): Can we change the key from (origin, realm) to
// (origin, realm, auth_scheme)?

// HttpAuthCache stores HTTP authentication identities and challenge info.
// For each realm the cache stores a HttpAuthCache::Entry, which holds:
//   - the realm name
//   - the origin server {scheme, host, port}
//   - the last identity used (username/password)
//   - the last auth handler used
//   - the list of paths which used this realm
// Entries can be looked up by either (origin, realm) or (origin, path).
class HttpAuthCache {
 public:
  class Entry;

  // Find the realm entry on server |origin| for realm |realm|.
  //   |origin| - the {scheme, host, port} of the server.
  //   |realm|  - case sensitive realm string.
  //   returns  - the matched entry or NULL.
  Entry* LookupByRealm(const GURL& origin, const std::string& realm);

  // Find the realm entry on server |origin| whose protection space includes
  // |path|. This uses the assumption in RFC 2617 section 2 that deeper
  // paths lie in the same protection space.
  //   |origin| - the {scheme, host, port} of the server.
  //   |path|   - absolute path of the resource, or empty string in case of
  //              proxy auth (which does not use the concept of paths).
  //   returns  - the matched entry or NULL.
  Entry* LookupByPath(const GURL& origin, const std::string& path);

  // Add a realm entry on server |origin| for realm |handler->realm()|, If an
  // entry for this realm already exists, update it rather than replace it --
  // this  preserves the realm's paths list.
  //   |origin|   - the {scheme, host, port} of the server.
  //   |handler|  - handler for the challenge.
  //   |username| - login information for the realm.
  //   |password| - login information for the realm.
  //   |path|     - absolute path for a resource contained in the protection
  //                space; this will be added to the list of known paths.
  //   returns    - the entry that was just added/updated.
  Entry* Add(const GURL& origin,
             HttpAuthHandler* handler,
             const std::wstring& username,
             const std::wstring& password,
             const std::string& path);

  // Remove realm entry on server |origin| for realm |realm| if one exists
  // AND if the cached identity matches (|username|, |password|).
  //   |origin|   - the {scheme, host, port} of the server.
  //   |realm|    - case sensitive realm string.
  //   |username| - condition to match.
  //   |password| - condition to match.
  //   returns    - true if an entry was removed.
  bool Remove(const GURL& origin,
              const std::string& realm,
              const std::wstring& username,
              const std::wstring& password);

  // Prevent unbounded memory growth. These are safeguards for abuse; it is
  // not expected that the limits will be reached in ordinary usage.
  // This also defines the worst-case lookup times (which grow linearly
  // with number of elements in the cache).
  enum { kMaxNumPathsPerRealmEntry = 10 };
  enum { kMaxNumRealmEntries = 10 };

 private:
  typedef std::list<Entry> EntryList;
  EntryList entries_;
};

// An authentication realm entry.
class HttpAuthCache::Entry {
 public:
  const GURL& origin() const {
    return origin_;
  }

  // The case-sensitive realm string of the challenge.
  const std::string realm() const {
    return handler_->realm();
  }

  // The handler for the challenge.
  HttpAuthHandler* handler() const {
    return handler_.get();
  }

  // The login username.
  const std::wstring& username() const {
    return username_;
  }

  // The login password.
  const std::wstring& password() const {
    return password_;
  }

 private:
  friend class HttpAuthCache;
  FRIEND_TEST(HttpAuthCacheTest, AddPath);
  FRIEND_TEST(HttpAuthCacheTest, AddToExistingEntry);

  Entry() {}

  // Adds a path defining the realm's protection space. If the path is
  // already contained in the protection space, is a no-op.
  void AddPath(const std::string& path);

  // Returns true if |dir| is contained within the realm's protection space.
  bool HasEnclosingPath(const std::string& dir);

  // |origin_| contains the {scheme, host, port} of the server.
  GURL origin_;

  // Identity.
  std::wstring username_;
  std::wstring password_;

  // Auth handler for the challenge.
  scoped_refptr<HttpAuthHandler> handler_;

  // List of paths that define the realm's protection space.
  typedef std::list<std::string> PathList;
  PathList paths_;
};

} // namespace net

#endif  // NET_HTTP_HTTP_AUTH_CACHE_H_