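package at.gv.egiz.eaaf.core.impl.utils;

import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;

import javax.annotation.Nonnull;

/**
 * {@link ObjectInputStream} that only resolves classes from an explicit allow-list.
 *
 * <p>Java native deserialization of untrusted bytes is unsafe by default: any
 * {@code Serializable} class on the classpath can be instantiated and its
 * {@code readObject}/{@code readResolve} hooks run. This stream rejects every
 * class descriptor whose name is not contained in the list handed to the
 * constructor, and it applies the same list to the interfaces of dynamic proxy
 * classes, which the JDK resolves through {@link #resolveProxyClass(String[])}
 * and <em>not</em> through {@link #resolveClass(ObjectStreamClass)}.
 *
 * <p>Notes for callers building the allow-list:
 * <ul>
 *   <li>Names are compared exactly against {@link ObjectStreamClass#getName()}.
 *       Superclasses of a serialized object get their own descriptor, so they
 *       must be listed as well (e.g. {@code java.lang.Number} for an
 *       {@code Integer}).</li>
 *   <li>Array classes carry JVM descriptor names ({@code [Ljava.lang.String;},
 *       {@code [B}) and have to be listed in that form.</li>
 *   <li>This class only restricts <em>which</em> classes are resolved. It does
 *       not bound nesting depth, array sizes or total object count; if the
 *       input is attacker-controlled, consider an additional
 *       {@code java.io.ObjectInputFilter} (Java 9+) or avoid native
 *       serialization altogether.</li>
 * </ul>
 */
public class EaafObjectInputStream extends ObjectInputStream {

  /** Immutable snapshot of the allowed class names; a Set gives O(1) lookups. */
  private final Set<String> allowedClassNames;

  /**
   * Object input-stream with internal class validation.
   *
   * @param is Inputstream to deserialize.
   * @param classNames Whitelisted classnames (fully qualified, exact match)
   * @throws IOException In case of an error while reading the stream header
   * @throws NullPointerException if {@code classNames} is {@code null}
   */
  public EaafObjectInputStream(@Nonnull InputStream is, @Nonnull List<String> classNames)
      throws IOException {
    super(is);
    // Defensive copy: a caller mutating its list later must not widen the allow-list.
    this.allowedClassNames = Collections.unmodifiableSet(
        new HashSet<>(Objects.requireNonNull(classNames, "classNames")));
  }

  /**
   * Only deserialize instances of the expected classes.
   *
   * @throws InvalidClassException if the descriptor's class is not allow-listed
   */
  @Override
  protected Class<?> resolveClass(ObjectStreamClass desc)
      throws IOException, ClassNotFoundException {
    checkAllowed(desc.getName());
    return super.resolveClass(desc);
  }

  /**
   * Dynamic proxy classes bypass {@link #resolveClass(ObjectStreamClass)}; the JDK
   * loads their interfaces by name here. Require every interface to be
   * allow-listed so the list cannot be sidestepped via a proxy descriptor.
   *
   * @throws InvalidClassException if any interface is not allow-listed
   */
  @Override
  protected Class<?> resolveProxyClass(String[] interfaces)
      throws IOException, ClassNotFoundException {
    if (interfaces != null) {
      for (String iface : interfaces) {
        checkAllowed(iface);
      }
    }
    return super.resolveProxyClass(interfaces);
  }

  /**
   * Rejects a class name that is not on the allow-list.
   *
   * <p>{@link InvalidClassException}'s two-argument constructor is
   * {@code (className, reason)} and renders as {@code "className; reason"}; the
   * original code passed the text as the class name with an SLF4J-style
   * {@code {}} placeholder that was never substituted.
   */
  private void checkAllowed(String className) throws InvalidClassException {
    if (!allowedClassNames.contains(className)) {
      throw new InvalidClassException(className, "Unauthorized deserialization attempt");
    }
  }
}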