/*
 * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
 * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
 * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
 * compliance with the Licence. You may obtain a copy of the Licence at:
 * https://joinup.ec.europa.eu/news/understanding-eupl-v12
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence
 * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the Licence for the specific language governing permissions and limitations under
 * the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text file for details on the
 * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
 * works that you distribute must include a readable copy of the "NOTICE" text file.
*/

package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import javax.annotation.Nullable;

import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public abstract class AbstractMetadataSignatureFilter implements MetadataFilter {
  private static final Logger log = LoggerFactory.getLogger(AbstractMetadataSignatureFilter.class);

  @Override
  public XMLObject filter(@Nullable final XMLObject metadata) throws SignatureValidationException {
    try {
      if (metadata instanceof EntitiesDescriptor) {
        final EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
        if (entitiesDescriptor.getSignature() == null) {
          throw new Pvp2MetadataException("pvp2.26",
              new Object[] { "Root element of metadata file has to be signed" });
        }
        processEntitiesDescriptor(entitiesDescriptor);

        if (entitiesDescriptor.getEntityDescriptors().size() == 0) {
          throw new Pvp2MetadataException("pvp2.26",
              new Object[] { "No valid entity in metadata " + entitiesDescriptor.getName() });
        }

      } else if (metadata instanceof EntityDescriptor) {
        final EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
        processEntityDescriptorr(entityDescriptor);

      } else {
        throw new Pvp2MetadataException("pvp2.26",
            new Object[] { "Invalid Metadata file Root element is unknown" });
      }

      log.info("Metadata signature policy check done OK");
    } catch (final EaafException e) {
      log.warn("Metadata signature policy check FAILED.", e);
      throw new SignatureValidationException(e);

    }

    return metadata;

  }

  /**
   * Signature verification of a SAML2 EntityDescriptor element.
   *
   * @param desc EntityDescriptor
   * @throws Pvp2MetadataException if the signature is not valid or can not
   *                               verified
   */
  protected abstract void verify(EntityDescriptor desc) throws Pvp2MetadataException;

  /**
   * Signature verification of a SAML2 EntitiesDescriptor element.
   *
   * @param desc EntitiesDescriptor
   * @throws Pvp2MetadataException if the signature is not valid or can not
   *                               verified
   */
  protected abstract void verify(EntitiesDescriptor desc) throws Pvp2MetadataException;

  /**
   * Verify a EntityDescriptor element of an EntitiesDescriptor.
   *
   * @param entity EntityDescriptor to verify
   * @param desc   Full EntitiesDescriptor that contains the EntityDescriptor
   * @throws Pvp2MetadataException In case of an verification error
   */
  protected abstract void verify(EntityDescriptor entity, EntitiesDescriptor desc)
      throws Pvp2MetadataException;

  private void processEntityDescriptorr(final EntityDescriptor desc) throws EaafException {
    verify(desc);

  }

  private void processEntitiesDescriptor(final EntitiesDescriptor desc) throws EaafException {
    final Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator();

    if (desc.getSignature() != null) {
      verify(desc);

    }

    while (entID.hasNext()) {
      processEntitiesDescriptor(entID.next());
    }

    final Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();
    final List<EntityDescriptor> verifiedEntIT = new ArrayList<>();

    // check every Entity
    while (entIT.hasNext()) {
      final EntityDescriptor entity = entIT.next();
      log.debug("Validate metadata for entityID: " + entity.getEntityID() + " ..... ");
      try {
        verify(entity, desc);

        // add entity to verified entity-list
        verifiedEntIT.add(entity);
        log.debug("Metadata for entityID: " + entity.getEntityID() + " valid");

      } catch (final Exception e) {
        // remove entity of signature can not be verified.
        log.info("Entity " + entity.getEntityID() + " is removed from metadata " + desc.getName()
            + ". Entity verification error: " + e.getMessage());

      }

    }

    // set only verified entity elements
    desc.getEntityDescriptors().clear();
    desc.getEntityDescriptors().addAll(verifiedEntIT);
  }

}