/*
 * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
 * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
 * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
 * compliance with the Licence. You may obtain a copy of the Licence at:
 * https://joinup.ec.europa.eu/news/understanding-eupl-v12
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence
 * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the Licence for the specific language governing permissions and limitations under
 * the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text file for details on the
 * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
 * works that you distribute must include a readable copy of the "NOTICE" text file.
*/

package at.gv.egiz.eaaf.modules.pvp2.impl.binding;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;

import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler;
import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder;
import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder;
import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface;
import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidPvpRequestException;
import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
import at.gv.egiz.eaaf.modules.pvp2.exception.SamlBindingException;
import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder;
import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafSaml2HttpRedirectDeflateSignatureSecurityHandler;
import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain;
import net.shibboleth.utilities.java.support.net.URIComparator;
import net.shibboleth.utilities.java.support.primitive.NonnullSupplier;

public class RedirectBinding extends AbstractBinding implements IDecoder, IEncoder {

  private static final Logger log = LoggerFactory.getLogger(RedirectBinding.class);

  @Override
  public void encodeRequest(final HttpServletRequest req, final HttpServletResponse resp,
      final RequestAbstractType request, final String targetLocation, final String relayState,
      final EaafX509Credential credentials, final IRequest pendingReq)
      throws Pvp2Exception {

    try {
      log.debug("create SAML RedirectBinding response");
      final HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
      encoder.setHttpServletResponseSupplier(() -> resp);

      final MessageContext messageContext = buildBasicMessageContext(encoder, request);

      // set endpoint url
      messageContext.addSubcontext(injectEndpointInfos(request, targetLocation));

      // inject signing context
      messageContext.addSubcontext(injectSigningInfos(credentials));

      // set relayState of exists
      SAMLBindingSupport.setRelayState(messageContext, relayState);

      // encode message
      encoder.initialize();
      encoder.encode();

    } catch (final Exception e) {
      log.warn("Can not encode SAML2 Redirect-Binding request", e);
      throw new SamlBindingException("internal.pvp.95",
          new Object[] { PvpConstants.REDIRECT, "encoding", e.getMessage() },
          e);

    }

  }

  @Override
  public void encodeResponse(final HttpServletRequest req, final HttpServletResponse resp,
      final StatusResponseType response, final String targetLocation, final String relayState,
      final EaafX509Credential credentials, final IRequest pendingReq)
      throws Pvp2Exception {

    try {
      log.debug("create SAML RedirectBinding response");

      final HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
      encoder.setHttpServletResponseSupplier(() -> resp);

      final MessageContext messageContext = buildBasicMessageContext(encoder, response);

      // set endpoint url
      messageContext.addSubcontext(injectEndpointInfos(response, targetLocation));

      // inject signing context
      messageContext.addSubcontext(injectSigningInfos(credentials));

      // set relayState of exists
      SAMLBindingSupport.setRelayState(messageContext, relayState);

      // encode message
      encoder.initialize();
      encoder.encode();

    } catch (final Exception e) {
      log.warn("Can not encode SAML2 Redirect-Binding request", e);
      throw new SamlBindingException("internal.pvp.95",
          new Object[] { PvpConstants.REDIRECT, "encoding", e.getMessage() },
          e);

    }

  }

  @Override
  public InboundMessageInterface decode(final HttpServletRequest req,
      final HttpServletResponse resp, final IPvp2MetadataProvider metadataProvider,
      QName peerEntityRole, final URIComparator comparator)
      throws Pvp2Exception {

    final EaafHttpRedirectDeflateDecoder decode = new EaafHttpRedirectDeflateDecoder(req);
    final MessageContext messageContext = internalMessageDecode(decode, PvpConstants.REDIRECT);

    final SAMLBindingContext bindingContext = messageContext.getSubcontext(SAMLBindingContext.class, true);
    if (!bindingContext.hasBindingSignature()) {
      log.info("SAML Redirect-Binding message contains no signature. Message will be rejected");
      throw new InvalidPvpRequestException("internal.pvp.02", null);

    }

    // inject informations into message context that are required for further
    // processing
    injectInboundMessageContexts(messageContext, metadataProvider, peerEntityRole);
    final PvpSamlMessageHandlerChain messageValidatorChain =
        buildMessageValidationChain(req, metadataProvider);

    log.trace("Message validation (Signature, ...) on binding-level starts ... ");
    performMessageValidation(messageValidatorChain, messageContext);

    log.trace("Message validation successful");
    return performMessageDecodePostProcessing(messageContext, true);

  }

  @Override
  public boolean handleDecode(final String action, final HttpServletRequest req) {
    return (action.equals(PvpConstants.REDIRECT) || action.equals(PvpConstants.SINGLELOGOUT))
        && req.getMethod().equals("GET");
  }

  @Override
  public String getSaml2BindingName() {
    return SAMLConstants.SAML2_REDIRECT_BINDING_URI;

  }

  private PvpSamlMessageHandlerChain buildMessageValidationChain(HttpServletRequest req,
      IPvp2MetadataProvider metadataProvider) {
    final PvpSamlMessageHandlerChain messageValidatorChain = new PvpSamlMessageHandlerChain();
    final EaafSaml2HttpRedirectDeflateSignatureSecurityHandler redirectBindingSignaturHandler =
        new EaafSaml2HttpRedirectDeflateSignatureSecurityHandler(metadataProvider);
    redirectBindingSignaturHandler.setHttpServletRequestSupplier(NonnullSupplier.of(req));

    messageValidatorChain.addHandler(new CheckMessageVersionHandler());
    messageValidatorChain.addHandler(redirectBindingSignaturHandler);
    messageValidatorChain.addHandler(new MessageLifetimeSecurityHandler());

    /*
     * TODO: maybe we add it in a later version Because: - AuthnRequest replay
     * should not be a problem on IDP side - Response replay will be not possible,
     * because EAAF PVP implements countermeasure based on one-time tokens for each
     * request
     *
     */
    // final MessageReplaySecurityHandler replaySecurityHandler = new
    // MessageReplaySecurityHandler();
    // final StorageService replayCacheStorage = null;
    // final ReplayCache replayCache = new ReplayCache();
    // replayCache.setId("Message replay cache");
    // replayCache.setStrict(true);
    // replayCache.setStorage(replayCacheStorage);
    // replaySecurityHandler.setReplayCache(replayCache );
    // messageValidatorChain.addHandler(replaySecurityHandler);

    return messageValidatorChain;

  }
}