/*
 * Copyright 2014 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 */
package at.gv.egovernment.moa.id.configuration.auth.pvp2;

import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.security.trust.TrustedCredentialTrustEngine;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.AbstractSignableXMLObject;
import org.opensaml.xml.signature.SignableXMLObject;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.configuration.exception.PVP2Exception;
import at.gv.egovernment.moa.id.configuration.utils.SAML2Utils;

/**
 * @author tlenz
 *
 */
public class PVP2Utils {

	private static final Logger log = LoggerFactory
			.getLogger(PVP2Utils.class);
	
	public static void postBindingEncoder(HttpServletRequest req, HttpServletResponse resp,
			SignableSAMLObject pvp2Req, X509Credential authcredential, String targetLocation, String relayState) throws PVP2Exception {
		try {
			VelocityEngine engine = new VelocityEngine();
			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
			engine.setProperty("classpath.resource.loader.class",
					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
			engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
					"org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
			engine.init();

			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
					"templates/pvp_postbinding_template.html");
			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
					resp, true);
			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
			SingleSignOnService service = new SingleSignOnServiceBuilder()
				.buildObject();
			service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
			service.setLocation(targetLocation);
		
			context.setOutboundSAMLMessageSigningCredential(authcredential);
			context.setPeerEntityEndpoint(service);
			context.setOutboundSAMLMessage(pvp2Req);
			context.setOutboundMessageTransport(responseAdapter);
			context.setRelayState(relayState);
			
			encoder.encode(context);
			
		} catch (MessageEncodingException e) {
			log.warn("Encode PVP 2.1 message FAILED.", e);
			throw new PVP2Exception("Encode PVP 2.1 message FAILED.", e);
			
		} catch (Exception ex) {
            log.warn("Initialization exception", ex);
            throw new PVP2Exception("Initializing Velocity engine FAILED.", ex);
        }
	}
	

	/**
	 * @param request
	 * @param response
	 * @param sloReq
	 * @param authcredential
	 * @param location
	 * @param object
	 * @throws PVP2Exception 
	 */
	public static void redirectBindingEncoder(HttpServletRequest request,
			HttpServletResponse response, SignableSAMLObject pvp2Req,
			X509Credential authcredential, String location, String relayState) throws PVP2Exception {
		try {			
			HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
					response
					, true);
			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
			SingleSignOnService service = new SingleSignOnServiceBuilder()
					.buildObject();
			service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
			service.setLocation(location);
			context.setOutboundSAMLMessageSigningCredential(authcredential);
			context.setPeerEntityEndpoint(service);
			context.setOutboundSAMLMessage(pvp2Req);
			context.setOutboundMessageTransport(responseAdapter);
			context.setRelayState(relayState);

			encoder.encode(context);
		} catch (MessageEncodingException e) {
			log.warn("Encode PVP 2.1 message FAILED.", e);
			throw new PVP2Exception("Encode PVP 2.1 message FAILED.", e);
			
		}		
	}
	
	public static ExplicitKeySignatureTrustEngine getTrustEngine(ConfigurationProvider configuration) {
		//Verify Signature
				List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
				keyInfoProvider.add(new DSAKeyValueProvider());
				keyInfoProvider.add(new RSAKeyValueProvider());
				keyInfoProvider.add(new InlineX509DataProvider());
			
				KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
						keyInfoProvider);
			
				MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();    
				MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(configuration.getMetaDataProvier());  
			  			  				
				return new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
		
	}
	
	public static void validateSignature(SignableXMLObject msg, ConfigurationProvider configuration) throws SecurityException, ValidationException {
		//Validate Signature
		SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
		profileValidator.validate(msg.getSignature());
			
		CriteriaSet criteriaSet = new CriteriaSet();  
		criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));  
		criteriaSet.add(new EntityIDCriteria(configuration.getPVP2IDPMetadataEntityName()));
		criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
		
		ExplicitKeySignatureTrustEngine trustEngine = getTrustEngine(configuration);
		trustEngine.validate(msg.getSignature(), criteriaSet);		
	}
	
	public static X509Credential signMessage(AbstractSignableXMLObject msg, ConfigurationProvider config) throws PVP2Exception {
		//sign authentication request
		KeyStore keyStore;
		try {
			keyStore = config.getPVP2KeyStore();
			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
					keyStore, 
					config.getPVP2KeystoreAuthRequestKeyAlias(), 
					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());

			Signature signer = SAML2Utils.createSAMLObject(Signature.class);
			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
			signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
			signer.setSigningCredential(authcredential);
			msg.setSignature(signer);
			
			return authcredential;
						
		} catch (NoSuchAlgorithmException e) {
			log.warn("Sign PVP 2.1 message FAILED.", e);
			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
			
		} catch (CertificateException e) {
			log.warn("Sign PVP 2.1 message FAILED.", e);
			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
			
		} catch (KeyStoreException e) {
			log.warn("Sign PVP 2.1 message FAILED.", e);
			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
			
		} catch (ConfigurationException e) {
			log.warn("Sign PVP 2.1 message FAILED.", e);
			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
			
		} catch (IOException e) {
			log.warn("Sign PVP 2.1 message FAILED.", e);
			throw new PVP2Exception("Sign PVP 2.1 message FAILED.", e);
		}		
	}
}