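package at.gv.egovernment.moa.id.auth.validator;

import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
import at.gv.egovernment.moa.util.Constants;

/**
 * Validates a {@link CreateXMLSignatureResponse} returned by the security layer
 * against the current {@link AuthenticationSession}: the assertion issuer must
 * equal the identity link's name, the SAML attributes must repeat the session's
 * target / OA URL prefix / date of birth / wbPK (depending on whether the
 * session is a business service), and the assertion must contain exactly one
 * {@code dsig:Signature} element.
 * <p>
 * Every failed check is reported as a {@link ValidateException} carrying a
 * {@code validator.*} message id; the first failing check wins.
 * <p>
 * This class implements the Singleton pattern.
 *
 * @author Stefan Knirsch
 * @version $Id$
 */
public class CreateXMLSignatureResponseValidator {

  /** Namespace URI every validated SAML attribute must be declared in. */
  private static final String MOA_NS_URI =
      "http://reference.e-government.gv.at/namespace/moa/20020822#";

  /** Singleton instance. null, if none has been created. */
  private static CreateXMLSignatureResponseValidator instance;

  /**
   * Returns the singleton CreateXMLSignatureResponseValidator, creating it on
   * first use.
   *
   * @return an instance of CreateXMLSignatureResponseValidator
   * @throws ValidateException if no instance can be created
   */
  public static synchronized CreateXMLSignatureResponseValidator getInstance()
      throws ValidateException {
    if (instance == null) {
      instance = new CreateXMLSignatureResponseValidator();
    }
    return instance;
  }

  /**
   * Validates an explicit {@link CreateXMLSignatureResponse} against the
   * session it belongs to.
   * <p>
   * Checks performed, in order: issuer equals the identity link name
   * ({@code validator.32}/{@code validator.33}); each {@code Geschaeftsbereich},
   * {@code OA}, {@code Geburtsdatum} and {@code wbPK} attribute lives in
   * {@link #MOA_NS_URI} and repeats the session value; the mandatory attributes
   * are present ({@code validator.14}, {@code validator.31} for business
   * services, {@code validator.11} otherwise); the assertion holds exactly one
   * {@code dsig:Signature} ({@code validator.05}).
   *
   * @param createXMLSignatureResponse the parsed response to validate
   * @param session the session providing the expected target, public OA URL
   *        prefix, business-service flag and identity link
   * @throws ValidateException with the {@code validator.*} id of the first
   *         check that failed
   */
  public void validate(
      CreateXMLSignatureResponse createXMLSignatureResponse,
      AuthenticationSession session)
      throws ValidateException {
    // A3.056: more than one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
    String gbTarget = session.getTarget();
    String oaURL = session.getPublicOAURLPrefix();
    boolean businessService = session.getBusinessService();
    IdentityLink identityLink = session.getIdentityLink();

    checkIssuer(createXMLSignatureResponse, identityLink);

    SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
    boolean foundOA = false;
    boolean foundGB = false;
    boolean foundWBPK = false;
    for (int i = 0; i < samlAttributes.length; i++) {
      SAMLAttribute samlAttribute = samlAttributes[i];
      String attrName = samlAttribute.getName();
      // The attribute names are mutually exclusive, so an else-if chain is
      // equivalent to the original sequence of independent ifs.
      if ("Geschaeftsbereich".equals(attrName)) {
        checkGeschaeftsbereich(samlAttribute, gbTarget, businessService);
        foundGB = true;
      } else if ("OA".equals(attrName)) {
        checkOA(samlAttribute, oaURL);
        foundOA = true;
      } else if ("Geburtsdatum".equals(attrName)) {
        checkGeburtsdatum(samlAttribute, identityLink);
      } else if ("wbPK".equals(attrName)) {
        checkWbPK(samlAttribute, identityLink, businessService);
        foundWBPK = true;
      }
    }

    if (!foundOA) {
      throw new ValidateException("validator.14", null);
    }
    if (businessService) {
      if (!foundWBPK) {
        throw new ValidateException("validator.31", null);
      }
    } else {
      if (!foundGB) {
        throw new ValidateException("validator.11", null);
      }
    }

    checkSignaturePresent(createXMLSignatureResponse);
  }

  /**
   * The assertion's {@code Issuer} attribute must be present and equal the
   * name stored in the identity link.
   *
   * @throws ValidateException {@code validator.32} if the issuer is missing,
   *         {@code validator.33} if it differs from the identity link name
   */
  private static void checkIssuer(
      CreateXMLSignatureResponse createXMLSignatureResponse, IdentityLink identityLink)
      throws ValidateException {
    String issuer = createXMLSignatureResponse.getSamlAssertion().getAttribute("Issuer");
    if (issuer == null) {
      // should not happen, because the parser would detect this
      throw new ValidateException("validator.32", null);
    }
    String name = identityLink.getName();
    if (!issuer.equals(name)) {
      throw new ValidateException("validator.33", new Object[] {issuer, name});
    }
  }

  /**
   * {@code Geschaeftsbereich} is only allowed for non-business sessions, must
   * be in the MOA namespace and must equal the session target.
   *
   * @throws ValidateException {@code validator.26}, {@code validator.12} or
   *         {@code validator.13} respectively
   */
  private static void checkGeschaeftsbereich(
      SAMLAttribute samlAttribute, String gbTarget, boolean businessService)
      throws ValidateException {
    if (businessService) {
      throw new ValidateException("validator.26", null);
    }
    if (!MOA_NS_URI.equals(samlAttribute.getNamespace())) {
      throw new ValidateException("validator.12", null);
    }
    // differs() is null-safe: a missing session target now yields validator.13
    // instead of a NullPointerException.
    if (differs(gbTarget, (String) samlAttribute.getValue())) {
      throw new ValidateException("validator.13", null);
    }
  }

  /**
   * {@code OA} must be in the MOA namespace and equal the session's public
   * OA URL prefix.
   *
   * @throws ValidateException {@code validator.15} on a wrong namespace,
   *         {@code validator.16} on a value mismatch (the message parameter
   *         names the found and the expected value)
   */
  private static void checkOA(SAMLAttribute samlAttribute, String oaURL)
      throws ValidateException {
    if (!MOA_NS_URI.equals(samlAttribute.getNamespace())) {
      throw new ValidateException("validator.15", null);
    }
    Object found = samlAttribute.getValue();
    if (differs(oaURL, (String) found)) {
      // The response value is what was found, the session value is what was
      // expected; the original message had the two swapped and lacked the
      // closing quote.
      throw new ValidateException(
          "validator.16",
          new Object[] {":gefunden wurde '" + found + "', erwartet wurde '" + oaURL + "'"});
    }
  }

  /**
   * {@code Geburtsdatum} must be in the MOA namespace and equal the identity
   * link's date of birth.
   *
   * @throws ValidateException {@code validator.35} on a wrong namespace,
   *         {@code validator.34} on a mismatch
   */
  private static void checkGeburtsdatum(SAMLAttribute samlAttribute, IdentityLink identityLink)
      throws ValidateException {
    if (!MOA_NS_URI.equals(samlAttribute.getNamespace())) {
      throw new ValidateException("validator.35", null);
    }
    String samlDateOfBirth = (String) samlAttribute.getValue();
    String dateOfBirth = identityLink.getDateOfBirth();
    if (differs(samlDateOfBirth, dateOfBirth)) {
      throw new ValidateException(
          "validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
    }
  }

  /**
   * {@code wbPK} is only allowed for business sessions, must be in the MOA
   * namespace, and its element value must carry {@code Value} and {@code Type}
   * children (in {@link Constants#PD_NS_URI}) equal to the identity link's
   * identification value and type.
   *
   * @throws ValidateException {@code validator.27}, {@code validator.30},
   *         {@code validator.29} if the element cannot be read,
   *         {@code validator.28} if value or type differ
   */
  private static void checkWbPK(
      SAMLAttribute samlAttribute, IdentityLink identityLink, boolean businessService)
      throws ValidateException {
    if (!businessService) {
      throw new ValidateException("validator.27", null);
    }
    if (!MOA_NS_URI.equals(samlAttribute.getNamespace())) {
      throw new ValidateException("validator.30", null);
    }
    String value;
    String type;
    try {
      Element attrValue = (Element) samlAttribute.getValue();
      value = firstChildText(attrValue, "Value");
      type = firstChildText(attrValue, "Type");
    } catch (RuntimeException ex) {
      // A non-Element value or a missing child surfaces as ClassCastException /
      // NullPointerException. The (messageId, params) constructor used in this
      // file carries no cause, so only the message id survives.
      throw new ValidateException("validator.29", null);
    }
    // Compared outside the try block: the original wrapped these comparisons in
    // the same catch(Exception), which re-labelled a validator.28 mismatch as a
    // validator.29 read error.
    if (differs(value, identityLink.getIdentificationValue())) {
      throw new ValidateException("validator.28", null);
    }
    if (differs(type, identityLink.getIdentificationType())) {
      throw new ValidateException("validator.28", null);
    }
  }

  /**
   * The assertion must contain exactly one {@code dsig:Signature} element.
   *
   * @throws ValidateException {@code validator.05} otherwise
   */
  private static void checkSignaturePresent(CreateXMLSignatureResponse createXMLSignatureResponse)
      throws ValidateException {
    NodeList nl =
        createXMLSignatureResponse
            .getSamlAssertion()
            .getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
    if (nl.getLength() != 1) {
      throw new ValidateException("validator.05", null);
    }
  }

  /**
   * Text content of the first {@code localName} descendant of {@code parent}
   * in the PD namespace.
   *
   * @throws NullPointerException if no such element or text node exists
   */
  private static String firstChildText(Element parent, String localName) {
    Element child =
        (Element) parent.getElementsByTagNameNS(Constants.PD_NS_URI, localName).item(0);
    return child.getFirstChild().getNodeValue();
  }

  /** Null-safe inequality: true if exactly one is null or both are non-null and unequal. */
  private static boolean differs(String a, String b) {
    return a == null ? b != null : !a.equals(b);
  }
}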