package at.asitplus.eidas.specific.connector.test.saml2;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.List;
import java.util.Timer;

import javax.xml.transform.TransformerException;

import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.metadata.resolver.impl.ResourceBackedMetadataResolver;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.io.ResourceLoader;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.annotation.DirtiesContext.ClassMode;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.util.Base64Utils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint;
import at.asitplus.eidas.specific.connector.provider.PvpEndPointCredentialProvider;
import at.asitplus.eidas.specific.connector.provider.PvpMetadataProvider;
import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.IRequestStorage;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.OpenSaml3ResourceAdapter;
import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.xml.XMLParserException;

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration({
    "/applicationContext.xml",
    "/spring/SpringTest_connector.beans.xml",
    "/eaaf_core.beans.xml",
    "/eaaf_pvp.beans.xml",
    "/eaaf_pvp_idp.beans.xml",
    "/spring/SpringTest-context_simple_storage.xml" })
@ActiveProfiles(profiles = {"deprecatedConfig"})
@WebAppConfiguration
@DirtiesContext(classMode = ClassMode.BEFORE_CLASS)
public class Pvp2SProfileEndPointTest {


  @Autowired private Pvp2SProfileEndpoint controller;
  @Autowired private PvpEndPointCredentialProvider credentialProvider;
  @Autowired private PvpMetadataProvider metadataProvider;
  @Autowired private ResourceLoader resourceLoader;
  @Autowired private IRequestStorage storage;
  
  private static CertificateFactory fact;
    
  
  private MockHttpServletRequest httpReq;
  private MockHttpServletResponse httpResp;

  
  /**
   * jUnit class initializer.
   * @throws ComponentInitializationException In case of an error
   * @throws InitializationException In case of an error
   * @throws CertificateException 
   * 
   */
  @BeforeClass
  public static void classInitializer() throws InitializationException, 
      ComponentInitializationException, CertificateException  {
    final String current = new java.io.File(".").toURI().toString();
    System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_1.properties");
    
    EaafOpenSaml3xInitializer.eaafInitialize();
    
    fact = CertificateFactory.getInstance("X.509");
    
  }
  
  /**
   * jUnit test set-up.
   * @throws EaafException 
   * 
   */
  @Before
  public void initialize() throws EaafException {
    httpReq = new MockHttpServletRequest("POST", "https://localhost/ms_connector");
    httpResp = new MockHttpServletResponse();
    RequestContextHolder.resetRequestAttributes();
    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp));
    
  }
  
  @Test
  public void authnReqWrongEndpoint() throws EaafException, XMLParserException, UnmarshallingException, 
      UnsupportedEncodingException, TransformerException, IOException, MarshallingException, 
      ComponentInitializationException {
    //initialize test
    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
        XMLObjectProviderRegistrySupport.getParserPool(),
        Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_3.xml"));
    authnReq.setIssueInstant(Instant.now());    
    RequestAbstractType signedAuthnReq = 
        Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true);           
    String b64 = Base64Utils.encodeToString(DomUtils.serializeNode(
          XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8"));    
    httpReq.setParameter("SAMLRequest", b64);
            
    final org.springframework.core.io.Resource resource = resourceLoader.getResource(
        "classpath:/data/metadata_valid.xml");
    Timer timer = new Timer("PVP metadata-resolver refresh");
    ResourceBackedMetadataResolver fileSystemResolver = 
        new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource));
    fileSystemResolver.setId("test");
    fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
    fileSystemResolver.initialize();                    
    metadataProvider.addMetadataResolverIntoChain(fileSystemResolver);
    
    
    //request SAML2 authentication
    try {
      controller.pvpIdpPostRequest(httpReq, httpResp);
      Assert.fail("wrong AuthnRequest not detected");
      
    }catch (EaafException e) {
      Assert.assertEquals("wrong errorId", "pvp2.22", e.getErrorId());      
      
    }   
  }
  
  @Test
  public void authnReqWrongSigned() throws EaafException, XMLParserException, UnmarshallingException, 
      UnsupportedEncodingException, TransformerException, IOException, MarshallingException, 
      ComponentInitializationException {
    //initialize test
    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
        XMLObjectProviderRegistrySupport.getParserPool(),
        Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml"));
    authnReq.setIssueInstant(Instant.now());    
    RequestAbstractType signedAuthnReq = 
        Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true);           
    String b64 = Base64Utils.encodeToString(DomUtils.serializeNode(
          XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8"));    
    httpReq.setParameter("SAMLRequest", b64);
            
    final org.springframework.core.io.Resource resource = resourceLoader.getResource(
        "classpath:/data/metadata_valid.xml");
    Timer timer = new Timer("PVP metadata-resolver refresh");
    ResourceBackedMetadataResolver fileSystemResolver = 
        new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource));
    fileSystemResolver.setId("test");
    fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
    fileSystemResolver.initialize();                    
    metadataProvider.addMetadataResolverIntoChain(fileSystemResolver);
    
    
    //request SAML2 authentication
    try {
      controller.pvpIdpPostRequest(httpReq, httpResp);
      Assert.fail("wrong AuthnRequest not detected");
      
    }catch (EaafException e) {
      Assert.assertEquals("wrong errorId", "pvp2.21", e.getErrorId());      
      
    }   
  }
  
  @Test
  public void authnReqMetadataExpired() throws EaafException, XMLParserException, UnmarshallingException, 
      UnsupportedEncodingException, TransformerException, IOException, MarshallingException, 
      ComponentInitializationException {
    //initialize test
    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
        XMLObjectProviderRegistrySupport.getParserPool(),
        Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml"));
    authnReq.setIssueInstant(Instant.now());    
    RequestAbstractType signedAuthnReq = 
        Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true);           
    String b64 = Base64Utils.encodeToString(DomUtils.serializeNode(
          XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8"));    
    httpReq.setParameter("SAMLRequest", b64);
            
    final org.springframework.core.io.Resource resource = resourceLoader.getResource(
        "classpath:/data/metadata_expired.xml");
    Timer timer = new Timer("PVP metadata-resolver refresh");
    ResourceBackedMetadataResolver fileSystemResolver = 
        new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource));
    fileSystemResolver.setId("test");
    fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
    fileSystemResolver.initialize();                    
    metadataProvider.addMetadataResolverIntoChain(fileSystemResolver);
    
    
    //request SAML2 authentication
    try {
      controller.pvpIdpPostRequest(httpReq, httpResp);
      Assert.fail("wrong AuthnRequest not detected");
      
    }catch (EaafException e) {
      Assert.assertEquals("wrong errorId", "pvp2.21", e.getErrorId());      
      
    }   
  }
  
  @Test
  public void authnReqValid() throws EaafException, XMLParserException, UnmarshallingException, 
      UnsupportedEncodingException, TransformerException, IOException, MarshallingException, 
      ComponentInitializationException {
    //initialize test
    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
        XMLObjectProviderRegistrySupport.getParserPool(),
        Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml"));
    authnReq.setIssueInstant(Instant.now());    
    RequestAbstractType signedAuthnReq = 
        Saml2Utils.signSamlObject(authnReq, credentialProvider.getMessageSigningCredential(), true);           
    String b64 = Base64Utils.encodeToString(DomUtils.serializeNode(
          XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8"));    
    httpReq.setParameter("SAMLRequest", b64);
            
    final org.springframework.core.io.Resource resource = resourceLoader.getResource(
        "classpath:/data/metadata_valid.xml");
    Timer timer = new Timer("PVP metadata-resolver refresh");
    ResourceBackedMetadataResolver fileSystemResolver = 
        new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource));
    fileSystemResolver.setId("test");
    fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
    fileSystemResolver.initialize();                    
    metadataProvider.addMetadataResolverIntoChain(fileSystemResolver);
    
    
    //request SAML2 authentication
    controller.pvpIdpPostRequest(httpReq, httpResp);
    
    
    //validate state
    Assert.assertEquals("http statuscode", 200, httpResp.getStatus());
    Assert.assertEquals("Wrong http ContentType", "text/html;charset=UTF-8", httpResp.getContentType());
    
    String html = httpResp.getContentAsString();
    Assert.assertNotNull("html result is null", html);
    Assert.assertFalse("html result is empty", html.isEmpty());    
    Assert.assertTrue("Wrong page", html.contains("action=\"/myHomeCountry\""));
       
    String pattern = "<input  type=\"hidden\" name=\"pendingid\"  value=\"";
    int pendingIdStart = html.indexOf(pattern) + pattern.length();
    int pendingIdEnd = html.indexOf("\"", pendingIdStart);    
    String pendingReqId = html.substring(pendingIdStart, pendingIdEnd);    
    Assert.assertFalse("pendingReqId is empty", pendingReqId.isEmpty());
    
    IRequest pendingReq = storage.getPendingRequest(pendingReqId);
    Assert.assertNotNull("pendingReq", pendingReq);    
    Assert.assertNotNull("piiTransId", pendingReq.getUniquePiiTransactionIdentifier());
    Assert.assertNotNull("piiTransId", pendingReq.getUniqueTransactionIdentifier());
    
    Assert.assertEquals("wrong OA Id", "https://demo.egiz.gv.at/demoportal-openID_demo", 
        pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class));
    Assert.assertEquals("wrong bPK Target", "urn:publicid:gv.at:cdid+BF", 
        pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
   
        
  }
  
  @Test
  public void checkSaml2Metadata() throws EaafException, UnsupportedEncodingException, XMLParserException, 
      UnmarshallingException, CertificateException, SignatureException {
    
    //request SAML2 Metadata
    controller.pvpMetadataRequest(httpReq, httpResp);
    
    //validate state
    Assert.assertEquals("http statuscode", 200, httpResp.getStatus());
    Assert.assertEquals("Wrong http ContentType", "application/xml", httpResp.getContentType());
    
    String html = httpResp.getContentAsString();
    Assert.assertNotNull("html result is null", html);
    Assert.assertFalse("html result is empty", html.isEmpty());    
    

    final EntityDescriptor entity = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream(
        XMLObjectProviderRegistrySupport.getParserPool(),
        new ByteArrayInputStream(html.getBytes("UTF-8")));

    Assert.assertNotNull("Unmarshalling failed", entity);
    Assert.assertNotNull("EntityId is null", entity.getEntityID());

    Assert.assertNotNull("Signature is null", entity.getSignature());
    final SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator();
    sigValidator.validate(entity.getSignature());

    final Credential cred = new BasicX509Credential((X509Certificate) fact.generateCertificate(
        Pvp2SProfileEndPointTest.class.getResourceAsStream("/config/keys/Metadata.pem")));
    SignatureValidator.validate(entity.getSignature(), cred);
    
    Assert.assertEquals("wrong entityId", "http://localhost/pvp/metadata", entity.getEntityID());
    Assert.assertNotNull("IDPSSODescr", entity.getRoleDescriptors(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    Assert.assertNotNull("SPSSODescr", entity.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    Assert.assertEquals("SPSSODescr. size", 0, 
        entity.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).size());
    
    List<RoleDescriptor> idp = entity.getRoleDescriptors(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    Assert.assertEquals("IDP descr. size", 1, idp.size());
    Assert.assertEquals("IDP descr. endpoints", 2, idp.get(0).getEndpoints().size());
    Assert.assertEquals("IDP descr. keyDescr", 1, idp.get(0).getKeyDescriptors().size());
        
  }
  
}