/*
 * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
 * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
 * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
 * compliance with the Licence. You may obtain a copy of the Licence at:
 * https://joinup.ec.europa.eu/news/understanding-eupl-v12
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence
 * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the Licence for the specific language governing permissions and limitations under
 * the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text file for details on the
 * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
 * works that you distribute must include a readable copy of the "NOTICE" text file.
*/

package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;

import java.util.HashMap;
import java.util.Map;

import javax.annotation.Nonnull;
import javax.xml.XMLConstants;

import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.xmlsec.DecryptionConfiguration;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.SignatureSigningConfiguration;
import org.opensaml.xmlsec.SignatureValidationConfiguration;

import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute;
import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import net.shibboleth.utilities.java.support.xml.ParserPool;

/**
 * EAAF specific OpenSAML Initializer.
 *
 * @author tlenz
 *
 */
@Slf4j
public class EaafOpenSaml3xInitializer extends InitializationService {

  /**
   * EAAF specific OpenSAML3.x initialization.
   *
   * @throws InitializationException          In case of an error
   * @throws ComponentInitializationException In case of an OpenSAML3
   *                                          initialization error
   */
  public static synchronized void eaafInitialize() throws InitializationException,
      ComponentInitializationException {
    log.debug("Initializing OpenSAML 4.x ... ");
    initialize();

    log.debug("Injecting EAAF-specific configuration into OpenSAML 4.x ... ");
    injectEaafSecurityProperty();
    injectEaafExtenstions();

    XMLObjectProviderRegistrySupport.setParserPool(eaafSecuredBasicParserPool());

    log.info("OpenSAML 4.x with EAAF extensions initialized");

  }

  private static void injectEaafSecurityProperty() {
    ConfigurationService.register(EncryptionConfiguration.class,
        EaafDefaultSecurityConfigurationBootstrap.buildEaafEncryptionConfiguration());

    ConfigurationService.register(DecryptionConfiguration.class,
        EaafDefaultSecurityConfigurationBootstrap.buildEaaftDecryptionConfiguration());

    ConfigurationService.register(SignatureSigningConfiguration.class,
        EaafDefaultSecurityConfigurationBootstrap.buildEaafSignatureSigningConfiguration());

    ConfigurationService.register(SignatureValidationConfiguration.class,
        EaafDefaultSecurityConfigurationBootstrap.buildEaafSignatureValidationConfiguration());

  }

  private static void injectEaafExtenstions() {
    XMLObjectProviderRegistrySupport.registerObjectProvider(
        EaafRequestedAttribute.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributeBuilder(),
        new EaafRequestedAttributeMarshaller(), new EaafRequestedAttributeUnmarshaller());

    XMLObjectProviderRegistrySupport.registerObjectProvider(
        EaafRequestedAttributes.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributesBuilder(),
        new EaafRequestedAttributesMarshaller(), new EaafRequestedAttributesUnmarshaller());

  }

  /**
   * Build a secured OpenSAML 3.x XML parser-pool.
   *
   * @return {@link ParserPool}
   * @throws ComponentInitializationException In case of an initialization error
   */
  @Nonnull
  private static ParserPool eaafSecuredBasicParserPool() throws ComponentInitializationException {
    // Get parser pool manager
    final BasicParserPool ppMgr = new BasicParserPool();
    // Note: this is necessary due to an unresolved Xerces deferred DOM issue/bug
    ppMgr.setBuilderFeatures(getSecureDocumentBuilderFeatures());
    ppMgr.setNamespaceAware(true);
    ppMgr.setIgnoreComments(true);
    ppMgr.setExpandEntityReferences(false);
    ppMgr.setXincludeAware(false);
    ppMgr.initialize();
    return ppMgr;
  }

  @Nonnull
  private static Map<String, Boolean> getSecureDocumentBuilderFeatures() {
    final Map<String, Boolean> features = new HashMap<>();
    features.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);

    // Ignore the external DTD completely
    // Note: this is for Xerces only:
    features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);
    // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all
    // XML entity attacks are prevented
    // Xerces 2 only -
    // http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
    features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);

    // If you can't completely disable DTDs, then at least do the following:
    // Xerces 1 -
    // http://xerces.apache.org/xerces-j/features.html#external-general-entities
    // Xerces 2 -
    // http://xerces.apache.org/xerces2-j/features.html#external-general-entities
    features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);

    // Xerces 1 -
    // http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
    // Xerces 2 -
    // http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
    features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);

    return features;
  }

}