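package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.utils;

import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.apache.commons.lang3.RandomStringUtils;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.lang.JoseException;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateIdentityLinkTask;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils.JwsResult;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
import at.gv.egiz.eaaf.core.impl.data.Pair;

/**
 * Tests for {@link JoseUtils}: JWS creation with the RSA ("meta") and EC ("sig") keys of the
 * jUnit software keystore, verification of the result against the keystore's own certificates
 * under the signing-algorithm whitelist, and the error path for a non-existent key alias.
 *
 * <p>In addition to the positive round trips, the two rejection paths a JWS verifier must get
 * right are exercised: a signature whose certificate is not in the trust list, and a signature
 * whose algorithm is outside the permitted set. Both are expected to be reported either as an
 * invalid {@link JwsResult} or as a {@link JoseException}/{@link EaafException}.
 */
@RunWith(SpringJUnit4ClassRunner.class)
// NOTE(review): the class runs under SpringJUnit4ClassRunner, so this PowerMock annotation
// has no effect here without a PowerMock runner/rule; kept for parity with sibling tests.
@PrepareForTest(CreateIdentityLinkTask.class)
@DirtiesContext(classMode = DirtiesContext.ClassMode.BEFORE_CLASS)
@ContextConfiguration(locations = {
    "/SpringTest-context_tasks_test.xml",
    "/SpringTest-context_basic_mapConfig.xml"})
public class JoseUtilsTest {

  /** Test-only software keystore; the password is a fixture value, not a real credential. */
  private static final String KEYSTORE_PATH = "../data/junit.jks";
  private static final String KEYSTORE_PASSWORD = "password";

  /** Alias of an RSA key, an EC key, and one that does not exist in the fixture keystore. */
  private static final String RSA_ALIAS = "meta";
  private static final String ECC_ALIAS = "sig";
  private static final String MISSING_ALIAS = "notExist";

  /** Error id {@link JoseUtils#createSignature} reports for an unknown key alias. */
  private static final String ERROR_ID_MISSING_KEY = "internal.keystore.09";

  @Autowired
  private EaafKeyStoreFactory keyStoreFactory;

  /** Signing algorithms accepted by the verifier: ECDSA and RSA-PSS only. */
  private static final List<String> AUTH_ALGORITHM_WHITELIST_SIGNING =
      Collections.unmodifiableList(Arrays.asList(
          AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256,
          AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512,
          AlgorithmIdentifiers.RSA_PSS_USING_SHA256,
          AlgorithmIdentifiers.RSA_PSS_USING_SHA512));

  /** PERMIT constraints built from the whitelist: only the listed algorithms are accepted. */
  private static final AlgorithmConstraints SIGNING_CONSTRAINTS =
      new AlgorithmConstraints(ConstraintType.PERMIT,
          AUTH_ALGORITHM_WHITELIST_SIGNING.toArray(new String[0]));

  /** BLOCK constraints over the same list: every whitelisted algorithm is rejected. */
  private static final AlgorithmConstraints BLOCK_ALL_WHITELISTED =
      new AlgorithmConstraints(ConstraintType.BLOCK,
          AUTH_ALGORITHM_WHITELIST_SIGNING.toArray(new String[0]));

  /**
   * Signing with an alias that is not in the keystore must fail with the keystore error id,
   * not silently produce a JWS.
   */
  @Test
  public void missingKey() throws EaafException, JoseException, KeyStoreException, IOException {
    final Pair<KeyStore, Provider> keyStore = loadTestKeyStore();
    final String payLoad = RandomStringUtils.randomAlphanumeric(100);

    try {
      JoseUtils.createSignature(keyStore, MISSING_ALIAS, keyPassword(), payLoad, true, "jUnitTest");
      Assert.fail("missing Key not detected");
    } catch (final EaafException e) {
      Assert.assertEquals("ErrorId", ERROR_ID_MISSING_KEY, e.getErrorId());
    }
  }

  /** RSA round trip: sign with the RSA key, verify against the keystore certificates. */
  @Test
  public void createRsaSignature() throws EaafException, JoseException, KeyStoreException,
      IOException {
    signAndVerify(RSA_ALIAS);
  }

  /** EC round trip: sign with the EC key, verify against the keystore certificates. */
  @Test
  public void createEccSignature() throws EaafException, JoseException, KeyStoreException,
      IOException {
    signAndVerify(ECC_ALIAS);
  }

  /**
   * A valid JWS must not verify when the signer's certificate is absent from the trust list.
   * This guards against a verifier that trusts whatever certificate the token itself carries.
   */
  @Test
  public void rejectUntrustedCertificate() throws EaafException, JoseException,
      KeyStoreException, IOException {
    final Pair<KeyStore, Provider> keyStore = loadTestKeyStore();
    final String payLoad = RandomStringUtils.randomAlphanumeric(100);
    final String jws = JoseUtils.createSignature(keyStore, ECC_ALIAS, keyPassword(), payLoad,
        true, "jUnitTest");

    assertRejected(jws, Collections.<X509Certificate>emptyList(), SIGNING_CONSTRAINTS,
        "signature with untrusted certificate accepted");
  }

  /**
   * A valid JWS must not verify when its algorithm is outside the permitted set, even though
   * the signer's certificate is trusted. Blocking every whitelisted algorithm makes the check
   * independent of which algorithm the key actually selected.
   */
  @Test
  public void rejectBlockedAlgorithm() throws EaafException, JoseException, KeyStoreException,
      IOException {
    final Pair<KeyStore, Provider> keyStore = loadTestKeyStore();
    final String payLoad = RandomStringUtils.randomAlphanumeric(100);
    final String jws = JoseUtils.createSignature(keyStore, ECC_ALIAS, keyPassword(), payLoad,
        true, "jUnitTest");
    final List<X509Certificate> trustedCerts =
        EaafKeyStoreUtils.readCertsFromKeyStore(keyStore.getFirst());

    assertRejected(jws, trustedCerts, BLOCK_ALL_WHITELISTED,
        "signature with blocked algorithm accepted");
  }

  /**
   * Signs a random payload with the given key alias and verifies the JWS against the
   * certificates of the same keystore under {@link #SIGNING_CONSTRAINTS}.
   *
   * @param alias key alias in the fixture keystore
   */
  private void signAndVerify(final String alias) throws EaafException, JoseException,
      KeyStoreException, IOException {
    final Pair<KeyStore, Provider> keyStore = loadTestKeyStore();
    final String payLoad = RandomStringUtils.randomAlphanumeric(100);

    // sign
    final String jws = JoseUtils.createSignature(keyStore, alias, keyPassword(), payLoad, true,
        "jUnitTest");
    Assert.assertNotNull("signed message", jws);
    Assert.assertFalse("signed msg empty", jws.isEmpty());

    // verify against the keystore's own certificates
    final List<X509Certificate> trustedCerts =
        EaafKeyStoreUtils.readCertsFromKeyStore(keyStore.getFirst());
    final JwsResult verify = JoseUtils.validateSignature(jws, trustedCerts, SIGNING_CONSTRAINTS);
    Assert.assertTrue("sig. verify", verify.isValid());
    Assert.assertEquals("payload", payLoad, verify.getPayLoad());
  }

  /**
   * Asserts that {@link JoseUtils#validateSignature} does not accept the JWS. Rejection may be
   * signalled either by an invalid result or by a {@link JoseException}/{@link EaafException};
   * both are fine, a valid result is not.
   */
  private static void assertRejected(final String jws, final List<X509Certificate> trustedCerts,
      final AlgorithmConstraints constraints, final String message) {
    try {
      final JwsResult result = JoseUtils.validateSignature(jws, trustedCerts, constraints);
      Assert.assertFalse(message, result.isValid());
    } catch (final JoseException | EaafException e) {
      // rejection by exception is an acceptable outcome
    }
  }

  /** Opens the jUnit software keystore through the injected factory. */
  private Pair<KeyStore, Provider> loadTestKeyStore() throws EaafException, JoseException,
      KeyStoreException, IOException {
    final KeyStoreConfiguration config = new KeyStoreConfiguration();
    config.setFriendlyName("jUnittest");
    config.setKeyStoreType(KeyStoreType.JKS);
    config.setSoftKeyStoreFilePath(KEYSTORE_PATH);
    config.setSoftKeyStorePassword(KEYSTORE_PASSWORD);
    return keyStoreFactory.buildNewKeyStore(config);
  }

  /** Fresh char[] per call, as the original tests did, in case the callee clears it. */
  private static char[] keyPassword() {
    return KEYSTORE_PASSWORD.toCharArray();
  }
}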