// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "remoting/host/user_authenticator.h"

#include <Security/Security.h>

#include <string>

#include "base/basictypes.h"
#include "base/mac/mac_logging.h"

namespace remoting {

namespace {

class UserAuthenticatorMac : public UserAuthenticator {
 public:
  UserAuthenticatorMac() {}
  virtual ~UserAuthenticatorMac() {}
  virtual bool Authenticate(const std::string& username,
                            const std::string& password);

 private:
  DISALLOW_COPY_AND_ASSIGN(UserAuthenticatorMac);
};

const char kAuthorizationRightName[] = "system.login.tty";

bool UserAuthenticatorMac::Authenticate(const std::string& username,
                                        const std::string& password) {
  // The authorization right being requested.  This particular right allows
  // testing of a username/password, as if the user were logging on to the
  // system locally.
  AuthorizationItem right;
  right.name = kAuthorizationRightName;
  right.valueLength = 0;
  right.value = NULL;
  right.flags = 0;
  AuthorizationRights rights;
  rights.count = 1;
  rights.items = &right;

  // Passing the username/password as an "environment" parameter causes these
  // to be submitted to the Security Framework, instead of the interactive
  // password prompt appearing on the host system.  Valid on OS X 10.4 and
  // later versions.
  AuthorizationItem environment_items[2];
  environment_items[0].name = kAuthorizationEnvironmentUsername;
  environment_items[0].valueLength = username.size();
  environment_items[0].value = const_cast<char*>(username.data());
  environment_items[0].flags = 0;
  environment_items[1].name = kAuthorizationEnvironmentPassword;
  environment_items[1].valueLength = password.size();
  environment_items[1].value = const_cast<char*>(password.data());
  environment_items[1].flags = 0;
  AuthorizationEnvironment environment;
  environment.count = 2;
  environment.items = environment_items;

  OSStatus status = AuthorizationCreate(&rights, &environment,
                                        kAuthorizationFlagExtendRights,
                                        NULL);
  switch (status) {
    case errAuthorizationSuccess:
      return true;

    case errAuthorizationDenied:
      return false;

    default:
      OSSTATUS_LOG(ERROR, status) << "AuthorizationCreate";
      return false;
  }
}

}  // namespace

// static
UserAuthenticator* UserAuthenticator::Create() {
  return new UserAuthenticatorMac();
}

}  // namespace remoting