/*
 * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
 * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
 * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
 * compliance with the Licence. You may obtain a copy of the Licence at:
 * https://joinup.ec.europa.eu/news/understanding-eupl-v12
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence
 * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the Licence for the specific language governing permissions and limitations under
 * the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text file for details on the
 * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
 * works that you distribute must include a readable copy of the "NOTICE" text file.
*/

package at.gv.egiz.eaaf.modules.pvp2.impl.verification;

import javax.xml.namespace.QName;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;

import org.apache.commons.lang3.StringUtils;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;

/**
 * Signature Policy for SAML2 redirect-binding.
 *
 * @author tlenz
 *
 */
public abstract class AbstractRequestSignedSecurityPolicyRule implements SecurityPolicyRule {

  private static final Logger log =
      LoggerFactory.getLogger(AbstractRequestSignedSecurityPolicyRule.class);

  private SignatureTrustEngine trustEngine = null;
  private QName peerEntityRole = null;

  /**
   * Role initializer.
   *
   * @param peerEntityRole
   *
   */
  public AbstractRequestSignedSecurityPolicyRule(final SignatureTrustEngine trustEngine,
      final QName peerEntityRole) {
    this.trustEngine = trustEngine;
    this.peerEntityRole = peerEntityRole;

  }

  /**
   * Reload the PVP metadata for a given entity.
   *
   * @param entityID for which the metadata should be refreshed.
   * @return true if the refresh was successful, otherwise false
   */
  protected abstract boolean refreshMetadataProvider(String entityID);

  protected abstract SignableSAMLObject getSignedSamlObject(XMLObject inboundData);

  /*
   * (non-Javadoc)
   *
   * @see
   * org.opensaml.ws.security.SecurityPolicyRule#evaluate(org.opensaml.ws.message.
   * MessageContext)
   */
  @Override
  public void evaluate(final MessageContext context) throws SecurityPolicyException {
    try {
      verifySignature(context);

    } catch (final SecurityPolicyException e) {
      if (StringUtils.isEmpty(context.getInboundMessageIssuer())) {
        throw e;

      }
      log.debug("PVP2X message validation FAILED. Reload metadata for entityID: "
          + context.getInboundMessageIssuer());
      if (!refreshMetadataProvider(context.getInboundMessageIssuer())) {
        throw e;
      } else {
        log.trace("PVP2X metadata reload finished. Check validate message again.");
        verifySignature(context);

      }
      log.trace("Second PVP2X message validation finished");

    }

  }

  private void verifySignature(final MessageContext context) throws SecurityPolicyException {
    final SignableSAMLObject samlObj = getSignedSamlObject(context.getInboundMessage());
    if (samlObj != null && samlObj.getSignature() != null) {

      final SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
      try {
        profileValidator.validate(samlObj.getSignature());
        performSchemaValidation(samlObj.getDOM());

      } catch (final ValidationException e) {
        log.warn("Signature is not conform to SAML signature profile", e);
        throw new SecurityPolicyException("Signature is not conform to SAML signature profile");

      } catch (final SchemaValidationException e) {
        log.warn("Signature is not conform to SAML signature profile", e);
        throw new SecurityPolicyException("Signature is not conform to SAML signature profile");

      }

      final CriteriaSet criteriaSet = new CriteriaSet();
      criteriaSet.add(new EntityIDCriteria(context.getInboundMessageIssuer()));
      criteriaSet.add(new MetadataCriteria(peerEntityRole, SAMLConstants.SAML20P_NS));
      criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

      try {
        if (!trustEngine.validate(samlObj.getSignature(), criteriaSet)) {
          throw new SecurityPolicyException("Signature validation FAILED.");

        }
        log.debug("PVP message signature valid.");

      } catch (final org.opensaml.xml.security.SecurityException e) {
        log.info("PVP2x message signature validation FAILED. Message:" + e.getMessage());
        throw new SecurityPolicyException("Signature validation FAILED.");

      }

    } else {
      throw new SecurityPolicyException("PVP Message is not signed.");

    }

  }

  private void performSchemaValidation(final Element source) throws SchemaValidationException {

    String err = null;
    try {
      final Schema test = SAMLSchemaBuilder.getSAML11Schema();
      final Validator val = test.newValidator();
      val.validate(new DOMSource(source));
      log.debug("Schema validation check done OK");
      return;

    } catch (final SAXException e) {
      err = e.getMessage();
      if (log.isDebugEnabled() || log.isTraceEnabled()) {
        log.warn("Schema validation FAILED with exception:", e);
      } else {
        log.warn("Schema validation FAILED with message: " + e.getMessage());
      }

    } catch (final Exception e) {
      err = e.getMessage();
      if (log.isDebugEnabled() || log.isTraceEnabled()) {
        log.warn("Schema validation FAILED with exception:", e);
      } else {
        log.warn("Schema validation FAILED with message: " + e.getMessage());
      }

    }

    throw new SchemaValidationException("pvp2.22", new Object[] { err });

  }

}