/*
 * SPDX-FileCopyrightText: syuilo and other misskey contributors
 * SPDX-License-Identifier: AGPL-3.0-only
 */

process.env.NODE_ENV = 'test';

import * as assert from 'assert';
import * as crypto from 'node:crypto';
import cbor from 'cbor';
import * as OTPAuth from 'otpauth';
import { loadConfig } from '@/config.js';
import { api, signup, startServer } from '../utils.js';
import type {
	AuthenticationResponseJSON,
	AuthenticatorAssertionResponseJSON,
	AuthenticatorAttestationResponseJSON,
	PublicKeyCredentialCreationOptionsJSON,
	PublicKeyCredentialRequestOptionsJSON,
	RegistrationResponseJSON,
} from '@simplewebauthn/typescript-types';
import type { INestApplicationContext } from '@nestjs/common';
import type * as misskey from 'misskey-js';

describe('2要素認証', () => {
	let app: INestApplicationContext;
	let alice: misskey.entities.SignupResponse;

	const config = loadConfig();
	const password = 'test';
	const username = 'alice';

	// https://datatracker.ietf.org/doc/html/rfc8152
	// 各値の定義は上記規格に基づく。鍵ペアは適当に生成したやつ
	const coseKtyEc2 = 2;
	const coseKid = 'meriadoc.brandybuck@buckland.example';
	const coseAlgEs256 = -7;
	const coseEc2CrvP256 = 1;
	const coseEc2X = '4932eaacc657565705e4287e7870ce3aad55545d99d35a98a472dc52880cfc8f';
	const coseEc2Y = '5ca68303bf2c0433473e3d5cb8586bc2c8c43a4945a496fce8dbeda8b23ab0b1';

	// private key only for testing
	const pemToSign = '-----BEGIN EC PRIVATE KEY-----\n' +
		'MHcCAQEEIHqe/keuXyolbXzgLOu+YFJjDBGWVgXc3QCXfyqwDPf2oAoGCCqGSM49\n' +
		'AwEHoUQDQgAESTLqrMZXVlcF5Ch+eHDOOq1VVF2Z01qYpHLcUogM/I9cpoMDvywE\n' +
		'M0c+PVy4WGvCyMQ6SUWklvzo2+2osjqwsQ==\n' +
		'-----END EC PRIVATE KEY-----\n';

	const otpToken = (secret: string): string => {
		return OTPAuth.TOTP.generate({
			secret: OTPAuth.Secret.fromBase32(secret),
			digits: 6,
		});
	};

	const rpIdHash = (): Buffer => {
		return crypto.createHash('sha256')
			.update(Buffer.from(config.host, 'utf-8'))
			.digest();
	};

	const keyDoneParam = (param: {
		token: string,
		keyName: string,
		credentialId: Buffer,
		creationOptions: PublicKeyCredentialCreationOptionsJSON,
	}): {
		token: string,
		password: string,
		name: string,
		credential: RegistrationResponseJSON,
	} => {
		// A COSE encoded public key
		const credentialPublicKey = cbor.encode(new Map<number, unknown>([
			[-1, coseEc2CrvP256],
			[-2, Buffer.from(coseEc2X, 'hex')],
			[-3, Buffer.from(coseEc2Y, 'hex')],
			[1, coseKtyEc2],
			[2, coseKid],
			[3, coseAlgEs256],
		]));

		// AuthenticatorAssertionResponse.authenticatorData
		// https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAssertionResponse/authenticatorData
		const credentialIdLength = Buffer.allocUnsafe(2);
		credentialIdLength.writeUInt16BE(param.credentialId.length, 0);
		const authData = Buffer.concat([
			rpIdHash(), // rpIdHash(32)
			Buffer.from([0x45]), // flags(1)
			Buffer.from([0x00, 0x00, 0x00, 0x00]), // signCount(4)
			Buffer.from([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]), // AAGUID(16)
			credentialIdLength,
			param.credentialId,
			credentialPublicKey,
		]);

		return {
			password,
			token: param.token,
			name: param.keyName,
			credential: <RegistrationResponseJSON>{
				id: param.credentialId.toString('base64url'),
				rawId: param.credentialId.toString('base64url'),
				response: <AuthenticatorAttestationResponseJSON>{
					clientDataJSON: Buffer.from(JSON.stringify({
						type: 'webauthn.create',
						challenge: param.creationOptions.challenge,
						origin: config.scheme + '://' + config.host,
						androidPackageName: 'org.mozilla.firefox',
					}), 'utf-8').toString('base64url'),
					attestationObject: cbor.encode({
						fmt: 'none',
						attStmt: {},
						authData,
					}).toString('base64url'),
				},
				clientExtensionResults: {},
				type: 'public-key',
			},
		};
	};

	const signinParam = (): {
		username: string,
		password: string,
		'g-recaptcha-response'?: string | null,
		'hcaptcha-response'?: string | null,
	} => {
		return {
			username,
			password,
			'g-recaptcha-response': null,
			'hcaptcha-response': null,
		};
	};

	const signinWithSecurityKeyParam = (param: {
		keyName: string,
		credentialId: Buffer,
		requestOptions: PublicKeyCredentialRequestOptionsJSON,
	}): {
		username: string,
		password: string,
		credential: AuthenticationResponseJSON,
		'g-recaptcha-response'?: string | null,
		'hcaptcha-response'?: string | null,
	} => {
		// AuthenticatorAssertionResponse.authenticatorData
		// https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAssertionResponse/authenticatorData
		const authenticatorData = Buffer.concat([
			rpIdHash(),
			Buffer.from([0x05]), // flags(1)
			Buffer.from([0x00, 0x00, 0x00, 0x01]), // signCount(4)
		]);
		const clientDataJSONBuffer = Buffer.from(JSON.stringify({
			type: 'webauthn.get',
			challenge: param.requestOptions.challenge,
			origin: config.scheme + '://' + config.host,
			androidPackageName: 'org.mozilla.firefox',
		}), 'utf-8');
		const hashedclientDataJSON = crypto.createHash('sha256')
			.update(clientDataJSONBuffer)
			.digest();
		const privateKey = crypto.createPrivateKey(pemToSign);
		const signature = crypto.createSign('SHA256')
			.update(Buffer.concat([authenticatorData, hashedclientDataJSON]))
			.sign(privateKey);
		return {
			username,
			password,
			credential: <AuthenticationResponseJSON>{
				id: param.credentialId.toString('base64url'),
				rawId: param.credentialId.toString('base64url'),
				response: <AuthenticatorAssertionResponseJSON>{
					clientDataJSON: clientDataJSONBuffer.toString('base64url'),
					authenticatorData: authenticatorData.toString('base64url'),
					signature: signature.toString('base64url'),
				},
				clientExtensionResults: {},
				type: 'public-key',
			},
			'g-recaptcha-response': null,
			'hcaptcha-response': null,
		};
	};

	beforeAll(async () => {
		app = await startServer();
		alice = await signup({ username, password });
	}, 1000 * 60 * 2);

	afterAll(async () => {
		await app.close();
	});

	test('が設定でき、OTPでログインできる。', async () => {
		const registerResponse = await api('/i/2fa/register', {
			password,
		}, alice);
		assert.strictEqual(registerResponse.status, 200);
		assert.notEqual(registerResponse.body.qr, undefined);
		assert.notEqual(registerResponse.body.url, undefined);
		assert.notEqual(registerResponse.body.secret, undefined);
		assert.strictEqual(registerResponse.body.label, username);
		assert.strictEqual(registerResponse.body.issuer, config.host);

		const doneResponse = await api('/i/2fa/done', {
			token: otpToken(registerResponse.body.secret),
		}, alice);
		assert.strictEqual(doneResponse.status, 200);

		const usersShowResponse = await api('/users/show', {
			username,
		}, alice);
		assert.strictEqual(usersShowResponse.status, 200);
		assert.strictEqual(usersShowResponse.body.twoFactorEnabled, true);

		const signinResponse = await api('/signin', {
			...signinParam(),
			token: otpToken(registerResponse.body.secret),
		});
		assert.strictEqual(signinResponse.status, 200);
		assert.notEqual(signinResponse.body.i, undefined);

		// 後片付け
		await api('/i/2fa/unregister', {
			password,
			token: otpToken(registerResponse.body.secret),
		}, alice);
	});

	test('が設定でき、セキュリティキーでログインできる。', async () => {
		const registerResponse = await api('/i/2fa/register', {
			password,
		}, alice);
		assert.strictEqual(registerResponse.status, 200);

		const doneResponse = await api('/i/2fa/done', {
			token: otpToken(registerResponse.body.secret),
		}, alice);
		assert.strictEqual(doneResponse.status, 200);

		const registerKeyResponse = await api('/i/2fa/register-key', {
			password,
			token: otpToken(registerResponse.body.secret),
		}, alice);
		assert.strictEqual(registerKeyResponse.status, 200);
		assert.notEqual(registerKeyResponse.body.rp, undefined);
		assert.notEqual(registerKeyResponse.body.challenge, undefined);

		const keyName = 'example-key';
		const credentialId = crypto.randomBytes(0x41);
		const keyDoneResponse = await api('/i/2fa/key-done', keyDoneParam({
			token: otpToken(registerResponse.body.secret),
			keyName,
			credentialId,
			creationOptions: registerKeyResponse.body,
		}), alice);
		assert.strictEqual(keyDoneResponse.status, 200);
		assert.strictEqual(keyDoneResponse.body.id, credentialId.toString('base64url'));
		assert.strictEqual(keyDoneResponse.body.name, keyName);

		const usersShowResponse = await api('/users/show', {
			username,
		});
		assert.strictEqual(usersShowResponse.status, 200);
		assert.strictEqual(usersShowResponse.body.securityKeys, true);

		const signinResponse = await api('/signin', {
			...signinParam(),
		});
		assert.strictEqual(signinResponse.status, 200);
		assert.strictEqual(signinResponse.body.i, undefined);
		assert.notEqual(signinResponse.body.challenge, undefined);
		assert.notEqual(signinResponse.body.allowCredentials, undefined);
		assert.strictEqual(signinResponse.body.allowCredentials[0].id, credentialId.toString('base64url'));

		const signinResponse2 = await api('/signin', signinWithSecurityKeyParam({
			keyName,
			credentialId,
			requestOptions: signinResponse.body,
		}));
		assert.strictEqual(signinResponse2.status, 200);
		assert.notEqual(signinResponse2.body.i, undefined);

		// 後片付け
		await api('/i/2fa/unregister', {
			password,
			token: otpToken(registerResponse.body.secret),
		}, alice);
	});

	test('が設定でき、セキュリティキーでパスワードレスログインできる。', async () => {
		const registerResponse = await api('/i/2fa/register', {
			password,
		}, alice);
		assert.strictEqual(registerResponse.status, 200);

		const doneResponse = await api('/i/2fa/done', {
			token: otpToken(registerResponse.body.secret),
		}, alice);
		assert.strictEqual(doneResponse.status, 200);

		const registerKeyResponse = await api('/i/2fa/register-key', {
			token: otpToken(registerResponse.body.secret),
			password,
		}, alice);
		assert.strictEqual(registerKeyResponse.status, 200);

		const keyName = 'example-key';
		const credentialId = crypto.randomBytes(0x41);
		const keyDoneResponse = await api('/i/2fa/key-done', keyDoneParam({
			token: otpToken(registerResponse.body.secret),
			keyName,
			credentialId,
			creationOptions: registerKeyResponse.body,
		}), alice);
		assert.strictEqual(keyDoneResponse.status, 200);

		const passwordLessResponse = await api('/i/2fa/password-less', {
			value: true,
		}, alice);
		assert.strictEqual(passwordLessResponse.status, 204);

		const usersShowResponse = await api('/users/show', {
			username,
		});
		assert.strictEqual(usersShowResponse.status, 200);
		assert.strictEqual(usersShowResponse.body.usePasswordLessLogin, true);

		const signinResponse = await api('/signin', {
			...signinParam(),
			password: '',
		});
		assert.strictEqual(signinResponse.status, 200);
		assert.strictEqual(signinResponse.body.i, undefined);

		const signinResponse2 = await api('/signin', {
			...signinWithSecurityKeyParam({
				keyName,
				credentialId,
				requestOptions: signinResponse.body,
			}),
			password: '',
		});
		assert.strictEqual(signinResponse2.status, 200);
		assert.notEqual(signinResponse2.body.i, undefined);

		// 後片付け
		await api('/i/2fa/unregister', {
			password,
			token: otpToken(registerResponse.body.secret),
		}, alice);
	});

	test('が設定でき、設定したセキュリティキーの名前を変更できる。', async () => {
		const registerResponse = await api('/i/2fa/register', {
			password,
		}, alice);
		assert.strictEqual(registerResponse.status, 200);

		const doneResponse = await api('/i/2fa/done', {
			token: otpToken(registerResponse.body.secret),
		}, alice);
		assert.strictEqual(doneResponse.status, 200);

		const registerKeyResponse = await api('/i/2fa/register-key', {
			token: otpToken(registerResponse.body.secret),
			password,
		}, alice);
		assert.strictEqual(registerKeyResponse.status, 200);

		const keyName = 'example-key';
		const credentialId = crypto.randomBytes(0x41);
		const keyDoneResponse = await api('/i/2fa/key-done', keyDoneParam({
			token: otpToken(registerResponse.body.secret),
			keyName,
			credentialId,
			creationOptions: registerKeyResponse.body,
		}), alice);
		assert.strictEqual(keyDoneResponse.status, 200);

		const renamedKey = 'other-key';
		const updateKeyResponse = await api('/i/2fa/update-key', {
			name: renamedKey,
			credentialId: credentialId.toString('base64url'),
		}, alice);
		assert.strictEqual(updateKeyResponse.status, 200);

		const iResponse = await api('/i', {
		}, alice);
		assert.strictEqual(iResponse.status, 200);
		const securityKeys = iResponse.body.securityKeysList.filter((s: { id: string; }) => s.id === credentialId.toString('base64url'));
		assert.strictEqual(securityKeys.length, 1);
		assert.strictEqual(securityKeys[0].name, renamedKey);
		assert.notEqual(securityKeys[0].lastUsed, undefined);

		// 後片付け
		await api('/i/2fa/unregister', {
			password,
			token: otpToken(registerResponse.body.secret),
		}, alice);
	});

	test('が設定でき、設定したセキュリティキーを削除できる。', async () => {
		const registerResponse = await api('/i/2fa/register', {
			password,
		}, alice);
		assert.strictEqual(registerResponse.status, 200);

		const doneResponse = await api('/i/2fa/done', {
			token: otpToken(registerResponse.body.secret),
		}, alice);
		assert.strictEqual(doneResponse.status, 200);

		const registerKeyResponse = await api('/i/2fa/register-key', {
			token: otpToken(registerResponse.body.secret),
			password,
		}, alice);
		assert.strictEqual(registerKeyResponse.status, 200);

		const keyName = 'example-key';
		const credentialId = crypto.randomBytes(0x41);
		const keyDoneResponse = await api('/i/2fa/key-done', keyDoneParam({
			token: otpToken(registerResponse.body.secret),
			keyName,
			credentialId,
			creationOptions: registerKeyResponse.body,
		}), alice);
		assert.strictEqual(keyDoneResponse.status, 200);

		// テストの実行順によっては複数残ってるので全部消す
		const iResponse = await api('/i', {
		}, alice);
		assert.strictEqual(iResponse.status, 200);
		for (const key of iResponse.body.securityKeysList) {
			const removeKeyResponse = await api('/i/2fa/remove-key', {
				token: otpToken(registerResponse.body.secret),
				password,
				credentialId: key.id,
			}, alice);
			assert.strictEqual(removeKeyResponse.status, 200);
		}

		const usersShowResponse = await api('/users/show', {
			username,
		});
		assert.strictEqual(usersShowResponse.status, 200);
		assert.strictEqual(usersShowResponse.body.securityKeys, false);

		const signinResponse = await api('/signin', {
			...signinParam(),
			token: otpToken(registerResponse.body.secret),
		});
		assert.strictEqual(signinResponse.status, 200);
		assert.notEqual(signinResponse.body.i, undefined);

		// 後片付け
		await api('/i/2fa/unregister', {
			password,
			token: otpToken(registerResponse.body.secret),
		}, alice);
	});

	test('が設定でき、設定解除できる。(パスワードのみでログインできる。)', async () => {
		const registerResponse = await api('/i/2fa/register', {
			password,
		}, alice);
		assert.strictEqual(registerResponse.status, 200);

		const doneResponse = await api('/i/2fa/done', {
			token: otpToken(registerResponse.body.secret),
		}, alice);
		assert.strictEqual(doneResponse.status, 200);

		const usersShowResponse = await api('/users/show', {
			username,
		});
		assert.strictEqual(usersShowResponse.status, 200);
		assert.strictEqual(usersShowResponse.body.twoFactorEnabled, true);

		const unregisterResponse = await api('/i/2fa/unregister', {
			token: otpToken(registerResponse.body.secret),
			password,
		}, alice);
		assert.strictEqual(unregisterResponse.status, 204);

		const signinResponse = await api('/signin', {
			...signinParam(),
		});
		assert.strictEqual(signinResponse.status, 200);
		assert.notEqual(signinResponse.body.i, undefined);

		// 後片付け
		await api('/i/2fa/unregister', {
			password,
			token: otpToken(registerResponse.body.secret),
		}, alice);
	});
});