# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import json

from autotest_lib.client.common_lib.cros import site_eap_certs
from autotest_lib.client.common_lib.cros.network import xmlrpc_datatypes
from autotest_lib.client.common_lib.cros.network import xmlrpc_security_types
from autotest_lib.server.cros.network import hostap_config


def __get_altsubject_match_positive_test_cases(outer_auth_type,
                                               inner_auth_type):
    configurations = []
    # Pass every subject alternative name included in the alternative subject
    # match of the server certificate.
    for subject_alternative_name in (
        site_eap_certs.server_cert_3_altsubject_match):
        eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_3,
            site_eap_certs.server_cert_3,
            site_eap_certs.server_private_key_3,
            site_eap_certs.ca_cert_3,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            altsubject_match=[json.dumps(subject_alternative_name)])
        ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
        assoc_params = xmlrpc_datatypes.AssociationParameters(
            security_config=eap_config)
        configurations.append((ap_config, assoc_params))
    # Pass multiple DNS subject alternative names (SANs) as altsubject_match.
    # - One DNS SAN which does not match any of the DNS SANs of the server
    #   certificate.
    # - Another one which matches one of the DNS SANs of the server certificate.
    # The connection should be established, i.e. having multiple entries in
    # 'altsubject_match' is treated as OR, not AND.
    # For more information about how wpa_supplicant uses altsubject_match field
    # please refer to:
    # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
        site_eap_certs.ca_cert_3,
        site_eap_certs.server_cert_3,
        site_eap_certs.server_private_key_3,
        site_eap_certs.ca_cert_3,
        'testuser',
        'password',
        inner_protocol=inner_auth_type,
        outer_protocol=outer_auth_type,
        altsubject_match=[
            '{"Type":"DNS","Value":"wrong_dns.com"}',
            '{"Type":"DNS","Value":"www.example.com"}'
        ])
    ap_config = hostap_config.HostapConfig(
        frequency=2412,
        mode=hostap_config.HostapConfig.MODE_11G,
        security_config=eap_config)
    assoc_params = xmlrpc_datatypes.AssociationParameters(
        security_config=eap_config)
    configurations.append((ap_config, assoc_params))
    return configurations


def get_positive_8021x_test_cases(outer_auth_type, inner_auth_type):
    """Return a test case asserting that outer/inner auth works.

    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of ap_config, association_params tuples for
            network_WiFi_SimpleConnect.

    """
    configurations = []
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_1,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
    assoc_params = xmlrpc_datatypes.AssociationParameters(
            security_config=eap_config)
    configurations.append((ap_config, assoc_params))
    configurations += __get_altsubject_match_positive_test_cases(
            outer_auth_type, inner_auth_type)
    return configurations


def get_negative_8021x_test_cases(outer_auth_type, inner_auth_type):
    """Build a set of test cases for TTLS/PEAP authentication.

    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of ap_config, association_params tuples for
            network_WiFi_SimpleConnect.

    """
    configurations = []
    # Bad passwords won't work.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_1,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            client_password='wrongpassword')
    ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
    assoc_params = xmlrpc_datatypes.AssociationParameters(
            security_config=eap_config,
            expect_failure=True)
    configurations.append((ap_config, assoc_params))
    # If use the wrong CA on the client, it won't trust the server credentials.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_2,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
    assoc_params = xmlrpc_datatypes.AssociationParameters(
            security_config=eap_config,
            expect_failure=True)
    configurations.append((ap_config, assoc_params))
    # And if the server's credentials are good but expired, we also reject it.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_expired_cert,
            site_eap_certs.server_expired_key,
            site_eap_certs.ca_cert_1,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
    assoc_params = xmlrpc_datatypes.AssociationParameters(
            security_config=eap_config,
            expect_failure=True)
    configurations.append((ap_config, assoc_params))
    # A subject alternative name (SAN) which does not match any of the server
    # certificate SANs is used.
    # The connection should not be established, i.e. if the subject alternative
    # name match field is set, the server certificate is only accepted if it
    # contains one of its entries.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_3,
            site_eap_certs.server_cert_3,
            site_eap_certs.server_private_key_3,
            site_eap_certs.ca_cert_3,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            altsubject_match=['{"Type":"DNS","Value":"wrong_dns.com"}'])
    ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
    assoc_params = xmlrpc_datatypes.AssociationParameters(
            security_config=eap_config,
            expect_failure=True)
    configurations.append((ap_config, assoc_params))
    return configurations