// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "base/strings/utf_string_conversions.h"
#include "base/test/bind.h"
#include "build/build_config.h"
#include "chrome/browser/browser_features.h"
#include "chrome/browser/external_protocol/external_protocol_handler.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/browser/shell_integration.h"
#include "chrome/browser/ui/browser.h"
#include "chrome/browser/ui/tabs/tab_strip_model_observer.h"
#include "chrome/test/base/in_process_browser_test.h"
#include "chrome/test/base/ui_test_utils.h"
#include "components/policy/core/common/policy_pref_names.h"
#include "components/prefs/pref_service.h"
#include "content/public/browser/browser_context.h"
#include "content/public/test/browser_test.h"
#include "content/public/test/browser_test_utils.h"
#include "content/public/test/fenced_frame_test_util.h"
#include "content/public/test/navigation_handle_observer.h"
#include "content/public/test/test_navigation_observer.h"

class ExternalProtocolHandlerBrowserTest : public InProcessBrowserTest {
 public:
  content::WebContents* web_content() {
    return browser()->tab_strip_model()->GetActiveWebContents();
  }
};

class ExternalProtocolHandlerSandboxBrowserTest
    : public ExternalProtocolHandlerBrowserTest {
 public:
  ExternalProtocolHandlerSandboxBrowserTest() {
    features_.InitAndEnableFeature(features::kSandboxExternalProtocolBlocked);
  }

  void SetUpOnMainThread() override {
    ExternalProtocolHandlerBrowserTest::SetUpOnMainThread();
    AllowCustomProtocol();
  }

  // On Linux, external protocols calls are delegated to the OS without
  // additional security check. On Windows and Mac (possibly more), it runs
  // additional security check and ask the user, without displaying a message in
  // the console. Adopt Linux's behavior for the purpose of this test suite.
  void AllowCustomProtocol() {
    base::Value::List allow_list;
    allow_list.Append("custom:*");
    browser()->profile()->GetPrefs()->Set(policy::policy_prefs::kUrlAllowlist,
                                          base::Value(std::move(allow_list)));
  }

  content::RenderFrameHost* CreateIFrame(content::RenderFrameHost* document,
                                         std::string iframe_sandbox) {
    EXPECT_TRUE(content::ExecJs(
        document, "const iframe = document.createElement('iframe');" +
                      iframe_sandbox +
                      "iframe.src = '/empty.html';"
                      "document.body.appendChild(iframe)"));

    EXPECT_TRUE(content::WaitForLoadStop(web_content()));
    return ChildFrameAt(document, 0);
  }

  // Navigate to an external protocol from an iframe or fenced frame. Returns
  // whether the navigation was allowed by sandbox. `sandbox` is used to define
  // the sub frame's sandbox flag.
  bool AllowedBySandbox(content::RenderFrameHost* child_document,
                        bool has_user_gesture = false) {
    EXPECT_TRUE(child_document);

    // When not blocked by sandbox, Linux displays |allowed_msg_1| and
    // Windows/Mac |allowed_msg_2|. That's because Linux do not provide API to
    // query for the supported protocols before launching the external
    // application.
    const char allowed_msg_1[] =
        "Launched external handler for 'custom:custom'.";
    const char allowed_msg_2[] =
        "Failed to launch 'custom:custom' because the scheme does not have a "
        "registered handler.";
    const char blocked_msg[] =
        "Navigation to external protocol blocked by sandbox, because it "
        "doesn't contain any of: "
        "'allow-top-navigation-to-custom-protocols', "
        "'allow-top-navigation-by-user-activation', "
        "'allow-top-navigation', or "
        "'allow-popups'. See "
        "https://chromestatus.com/feature/5680742077038592 and "
        "https://chromeenterprise.google/policies/"
        "#SandboxExternalProtocolBlocked";
    content::WebContentsConsoleObserver observer(web_content());
    observer.SetFilter(base::BindLambdaForTesting(
        [&](const content::WebContentsConsoleObserver::Message& message) {
          std::string value = base::UTF16ToUTF8(message.message);
          return value == allowed_msg_1 || value == allowed_msg_2 ||
                 value == blocked_msg;
        }));

    EXPECT_TRUE(content::ExecJs(
        child_document, "location.href = 'custom:custom';",
        has_user_gesture ? content::EXECUTE_SCRIPT_DEFAULT_OPTIONS
                         : content::EXECUTE_SCRIPT_NO_USER_GESTURE));

    EXPECT_TRUE(observer.Wait());
    std::string message = observer.GetMessageAt(0u);

    return message == allowed_msg_1 || message == allowed_msg_2;
  }

  base::test::ScopedFeatureList features_;
};

// Observe that the tab is created then automatically closed.
class TabAddedRemovedObserver : public TabStripModelObserver {
 public:
  explicit TabAddedRemovedObserver(TabStripModel* tab_strip_model) {
    tab_strip_model->AddObserver(this);
  }

  void OnTabStripModelChanged(
      TabStripModel* tab_strip_model,
      const TabStripModelChange& change,
      const TabStripSelectionChange& selection) override {
    if (change.type() == TabStripModelChange::kInserted) {
      inserted_ = true;
      return;
    }
    if (change.type() == TabStripModelChange::kRemoved) {
      EXPECT_TRUE(inserted_);
      removed_ = true;
      loop_.Quit();
      return;
    }
    NOTREACHED();
  }

  void Wait() {
    if (inserted_ && removed_)
      return;
    loop_.Run();
  }

 private:
  bool inserted_ = false;
  bool removed_ = false;
  base::RunLoop loop_;
};

// Flaky on Mac: https://crbug.com/1143762:
#if BUILDFLAG(IS_MAC)
#define MAYBE_AutoCloseTabOnNonWebProtocolNavigation DISABLED_AutoCloseTabOnNonWebProtocolNavigation
#else
#define MAYBE_AutoCloseTabOnNonWebProtocolNavigation AutoCloseTabOnNonWebProtocolNavigation
#endif
IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerBrowserTest,
                       MAYBE_AutoCloseTabOnNonWebProtocolNavigation) {
  TabAddedRemovedObserver observer(browser()->tab_strip_model());
  ASSERT_EQ(browser()->tab_strip_model()->count(), 1);
  ASSERT_TRUE(
      ExecJs(web_content(), "window.open('mailto:test@site.test', '_blank');"));
  observer.Wait();
  EXPECT_EQ(browser()->tab_strip_model()->count(), 1);
}

// Flaky on Mac: https://crbug.com/1143762:
#if BUILDFLAG(IS_MAC)
#define MAYBE_ProtocolLaunchEmitsConsoleLog \
  DISABLED_ProtocolLaunchEmitsConsoleLog
#else
#define MAYBE_ProtocolLaunchEmitsConsoleLog ProtocolLaunchEmitsConsoleLog
#endif
IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerBrowserTest,
                       MAYBE_ProtocolLaunchEmitsConsoleLog) {
  content::WebContentsConsoleObserver observer(web_content());
  // Wait for either "Launched external handler..." or "Failed to launch..."; the former will pass
  // the test, while the latter will fail it more quickly than waiting for a timeout.
  observer.SetPattern("*aunch*'mailto:test@site.test'*");
  ASSERT_TRUE(
      ExecJs(web_content(), "window.open('mailto:test@site.test', '_self');"));
  ASSERT_TRUE(observer.Wait());
  ASSERT_EQ(1u, observer.messages().size());
  EXPECT_EQ("Launched external handler for 'mailto:test@site.test'.",
            observer.GetMessageAt(0u));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerBrowserTest,
                       ProtocolFailureEmitsConsoleLog) {
// Only on Mac and Windows is there a way for Chromium to know whether a
// protocol handler is registered ahead of time.
#if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_WIN)
  content::WebContentsConsoleObserver observer(web_content());
  observer.SetPattern("Failed to launch 'does.not.exist:failure'*");
  ASSERT_TRUE(
      ExecJs(web_content(), "window.open('does.not.exist:failure', '_self');"));
  ASSERT_TRUE(observer.Wait());
  ASSERT_EQ(1u, observer.messages().size());
#endif
}

// External protocol are allowed when iframe's sandbox contains one of:
// - allow-popups
// - allow-top-navigation
// - allow-top-navigation-by-user-activation + UserGesture
IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxBrowserTest, Sandbox) {
  EXPECT_TRUE(
      AllowedBySandbox(CreateIFrame(web_content()->GetPrimaryMainFrame(), "")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxBrowserTest, SandboxAll) {
  EXPECT_FALSE(
      AllowedBySandbox(CreateIFrame(web_content()->GetPrimaryMainFrame(),
                                    "iframe.sandbox = 'allow-scripts';")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxBrowserTest,
                       SandboxAllowPopups) {
  EXPECT_TRUE(AllowedBySandbox(
      CreateIFrame(web_content()->GetPrimaryMainFrame(),
                   "iframe.sandbox = 'allow-scripts allow-popups';")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxBrowserTest,
                       SandboxAllowTopNavigationToCustomProtocols) {
  EXPECT_TRUE(AllowedBySandbox(
      CreateIFrame(web_content()->GetPrimaryMainFrame(),
                   "iframe.sandbox = 'allow-scripts "
                   "allow-top-navigation-to-custom-protocols';")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxBrowserTest,
                       SandboxAllowTopNavigation) {
  EXPECT_TRUE(AllowedBySandbox(
      CreateIFrame(web_content()->GetPrimaryMainFrame(),
                   "iframe.sandbox = 'allow-scripts allow-top-navigation';")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxBrowserTest,
                       SandboxAllowTopNavigationByUserActivation) {
  EXPECT_FALSE(AllowedBySandbox(
      CreateIFrame(web_content()->GetPrimaryMainFrame(),
                   "iframe.sandbox = 'allow-scripts "
                   "allow-top-navigation-by-user-activation';"),
      /*user-gesture=*/false));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxBrowserTest,
                       SandboxAllowTopNavigationByUserActivationWithGesture) {
  EXPECT_TRUE(AllowedBySandbox(
      CreateIFrame(web_content()->GetPrimaryMainFrame(),
                   "iframe.sandbox = 'allow-scripts "
                   "allow-top-navigation-by-user-activation';"),
      /*user-gesture=*/true));
}

namespace {

class AlwaysBlockedExternalProtocolHandlerDelegate
    : public ExternalProtocolHandler::Delegate {
 public:
  AlwaysBlockedExternalProtocolHandlerDelegate() {
    ExternalProtocolHandler::SetDelegateForTesting(this);
  }
  ~AlwaysBlockedExternalProtocolHandlerDelegate() override {
    ExternalProtocolHandler::SetDelegateForTesting(nullptr);
  }

  scoped_refptr<shell_integration::DefaultSchemeClientWorker> CreateShellWorker(
      const GURL& url) override {
    NOTREACHED();
  }
  ExternalProtocolHandler::BlockState GetBlockState(const std::string& scheme,
                                                    Profile* profile) override {
    return ExternalProtocolHandler::BLOCK;
  }
  void BlockRequest() override {}
  void RunExternalProtocolDialog(
      const GURL& url,
      content::WebContents* web_contents,
      ui::PageTransition page_transition,
      bool has_user_gesture,
      const std::optional<url::Origin>& initiating_origin,
      const std::u16string& program_name) override {
    NOTREACHED();
  }
  void LaunchUrlWithoutSecurityCheck(
      const GURL& url,
      content::WebContents* web_contents) override {
    NOTREACHED();
  }
  void FinishedProcessingCheck() override {}
};

}  // namespace

// Tests (by forcing a particular scheme to be blocked, regardless of platform)
// that the console message is attributed to a subframe if one was responsible.
IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerBrowserTest,
                       ProtocolLaunchEmitsConsoleLogInCorrectFrame) {
  AlwaysBlockedExternalProtocolHandlerDelegate always_blocked;
  content::RenderFrameHost* main_rfh = ui_test_utils::NavigateToURL(
      browser(), GURL("data:text/html,<iframe srcdoc=\"Hello!\"></iframe>"));
  ASSERT_TRUE(main_rfh);
  content::RenderFrameHost* originating_rfh = ChildFrameAt(main_rfh, 0);

  content::WebContentsConsoleObserver observer(
      content::WebContents::FromRenderFrameHost(originating_rfh));
  observer.SetPattern("*aunch*'willfailtolaunch://foo'*");
  observer.SetFilter(base::BindRepeating(
      [](content::RenderFrameHost* expected_rfh,
         const content::WebContentsConsoleObserver::Message& message) {
        return message.source_frame == expected_rfh;
      },
      originating_rfh));

  ASSERT_TRUE(
      ExecJs(originating_rfh, "location.href = 'willfailtolaunch://foo';"));
  ASSERT_TRUE(observer.Wait());
  ASSERT_EQ(1u, observer.messages().size());
  EXPECT_EQ("Not allowed to launch 'willfailtolaunch://foo'.",
            observer.GetMessageAt(0u));
}

class ExternalProtocolHandlerSandboxFencedFrameBrowserTest
    : public ExternalProtocolHandlerSandboxBrowserTest {
 public:
  void SetUpOnMainThread() override {
    ExternalProtocolHandlerSandboxBrowserTest::SetUpOnMainThread();
    ASSERT_TRUE(embedded_test_server()->Start());
  }

  content::RenderFrameHost* CreateFencedFrame() {
    return fenced_frame_test_helper().CreateFencedFrame(
        web_content()->GetPrimaryMainFrame(),
        embedded_test_server()->GetURL("/fenced_frames/title1.html"));
  }

  content::test::FencedFrameTestHelper& fenced_frame_test_helper() {
    return fenced_frame_test_helper_;
  }

  content::test::FencedFrameTestHelper fenced_frame_test_helper_;
};

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
                       SandboxAllWithoutGesture) {
  EXPECT_TRUE(AllowedBySandbox(CreateFencedFrame(), /*user-gesture=*/false));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
                       SandboxAllWithGesture) {
  EXPECT_TRUE(AllowedBySandbox(CreateFencedFrame(), /*user-gesture=*/true));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
                       SandboxInFencedFrame) {
  EXPECT_TRUE(AllowedBySandbox(CreateIFrame(CreateFencedFrame(), "")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
                       SandboxAllInFencedFrame) {
  EXPECT_FALSE(AllowedBySandbox(
      CreateIFrame(CreateFencedFrame(), "iframe.sandbox = 'allow-scripts';")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
                       SandboxAllowPopupsInFencedFrame) {
  EXPECT_TRUE(AllowedBySandbox(CreateIFrame(
      CreateFencedFrame(), "iframe.sandbox = 'allow-scripts allow-popups';")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
                       SandboxAllowTopNavigationInFencedFrame) {
  EXPECT_TRUE(AllowedBySandbox(
      CreateIFrame(CreateFencedFrame(),
                   "iframe.sandbox = 'allow-scripts allow-top-navigation';")));
}

IN_PROC_BROWSER_TEST_F(
    ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
    SandboxAllowTopNavigationToCustomProtocolsInFencedFrame) {
  EXPECT_TRUE(AllowedBySandbox(
      CreateIFrame(CreateFencedFrame(),
                   "iframe.sandbox = 'allow-scripts "
                   "allow-top-navigation-to-custom-protocols';")));
}

IN_PROC_BROWSER_TEST_F(ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
                       SandboxAllowTopNavigationByUserActivationInFencedFrame) {
  EXPECT_FALSE(AllowedBySandbox(
      CreateIFrame(CreateFencedFrame(),
                   "iframe.sandbox = 'allow-scripts "
                   "allow-top-navigation-by-user-activation';"),
      /*user-gesture=*/false));
}

IN_PROC_BROWSER_TEST_F(
    ExternalProtocolHandlerSandboxFencedFrameBrowserTest,
    SandboxAllowTopNavigationByUserActivationWithGestureInFencedFrame) {
  EXPECT_TRUE(AllowedBySandbox(
      CreateIFrame(web_content()->GetPrimaryMainFrame(),
                   "iframe.sandbox = 'allow-scripts "
                   "allow-top-navigation-by-user-activation';"),
      /*user-gesture=*/true));
}