/*******************************************************************************
 * Copyright 2014 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 *******************************************************************************/
package at.gv.egovernment.moa.id.demoOA.servlet.pvp2;

import java.io.IOException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.security.SecurityPolicyResolver;
import org.opensaml.ws.security.provider.BasicSecurityPolicy;
import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;

import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
import at.gv.egovernment.moa.id.demoOA.Configuration;
import at.gv.egovernment.moa.id.demoOA.Constants;
import at.gv.egovernment.moa.id.demoOA.PVPConstants;
import at.gv.egovernment.moa.id.demoOA.utils.ApplicationBean;
import at.gv.egovernment.moa.id.demoOA.utils.SAML2Utils;
import lombok.extern.slf4j.Slf4j;

@Slf4j
public class DemoApplication extends HttpServlet {

  private static final long serialVersionUID = -2129228304760706063L;

  private void process(HttpServletRequest request,
      HttpServletResponse response) throws ServletException, IOException {

    final ApplicationBean bean = new ApplicationBean();

    log.debug("Receive request on secure-area endpoint ...");

    final String method = request.getMethod();
    final HttpSession session = request.getSession();
    if (session == null) {
      log.info("NO HTTP Session");
      bean.setErrorMessage("NO HTTP session");
      setAnser(request, response, bean);
      return;
    }

    try {
      final Configuration config = Configuration.getInstance();
      Response samlResponse = null;

      if (method.equals("GET")) {
        log.debug("Find possible SAML2 Redirect-Binding response ...");
        final HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool());
        final BasicSAMLMessageContext<Response, ?, ?> messageContext =
            new BasicSAMLMessageContext<>();

        messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
        messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);

        messageContext.setMetadataProvider(config.getMetaDataProvier());

        final MetadataCredentialResolver resolver = new MetadataCredentialResolver(config
            .getMetaDataProvier());
        final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
        keyInfoProvider.add(new DSAKeyValueProvider());
        keyInfoProvider.add(new RSAKeyValueProvider());
        keyInfoProvider.add(new InlineX509DataProvider());
        final KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
            keyInfoProvider);
        final ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
            resolver, keyInfoResolver);

        final SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
            engine);
        final SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
        final BasicSecurityPolicy policy = new BasicSecurityPolicy();
        policy.getPolicyRules().add(signatureRule);
        policy.getPolicyRules().add(signedRole);
        final SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy);
        messageContext.setSecurityPolicyResolver(resolver1);

        decode.decode(messageContext);

        log.info("PVP2 Assertion  with Redirect-Binding is valid");

      } else if (method.equals("POST")) {
        log.debug("Find possible SAML2 Post-Binding response ...");
        // Decode with HttpPost Binding
        final HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
        final BasicSAMLMessageContext<Response, ?, ?> messageContext =
            new BasicSAMLMessageContext<>();
        messageContext
            .setInboundMessageTransport(new HttpServletRequestAdapter(
                request));
        decode.decode(messageContext);

        samlResponse = (Response) messageContext.getInboundMessage();

        final Signature sign = samlResponse.getSignature();
        if (sign == null) {
          log.info("Only http POST Requests can be used");
          bean.setErrorMessage("Only http POST Requests can be used");
          setAnser(request, response, bean);
          return;
        }

        // Validate Signature
        final SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
        profileValidator.validate(sign);

        // Verify Signature
        final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
        keyInfoProvider.add(new DSAKeyValueProvider());
        keyInfoProvider.add(new RSAKeyValueProvider());
        keyInfoProvider.add(new InlineX509DataProvider());

        final KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
            keyInfoProvider);

        final MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory
            .getFactory();
        final MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config
            .getMetaDataProvier());

        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
            SAMLConstants.SAML20P_NS));
        criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
        criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

        final ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
            credentialResolver, keyInfoResolver);
        trustEngine.validate(sign, criteriaSet);

        log.info("PVP2 Assertion  with POST-Binding is valid");

      } else {
        bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
        setAnser(request, response, bean);
        return;

      }

      if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {

        final List<org.opensaml.saml2.core.Assertion> saml2assertions =
            new ArrayList<>();

        // check encrypted Assertion
        final List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
        if (encryAssertionList != null && encryAssertionList.size() > 0) {
          // decrypt assertions

          log.debug("Found encryped assertion. Start decryption ...");

          final KeyStore keyStore = config.getPVP2KeyStore();

          final X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
              keyStore,
              config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
              config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());

          final StaticKeyInfoCredentialResolver skicr =
              new StaticKeyInfoCredentialResolver(authDecCredential);

          final ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
          encryptedKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
          encryptedKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
          encryptedKeyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());

          final Decrypter samlDecrypter =
              new Decrypter(null, skicr, encryptedKeyResolver);

          for (final EncryptedAssertion encAssertion : encryAssertionList) {
            final Assertion decryptedAssertion = samlDecrypter.decrypt(encAssertion);
            samlResponse.getAssertions().add(decryptedAssertion);
            log.debug("Decrypted Assertion: " + DOMUtils.serializeNode(SAML2Utils.asDOMDocument(
                decryptedAssertion)));

          }

          log.debug("Assertion decryption finished. ");

        } else {
          log.debug("Assertiojn is not encryted. Use it as it is");

        }

        // set assertion
        final org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
        final String assertion = DOMUtils.serializeNode(doc);
        bean.setAssertion(assertion);

        String principleId = null;
        String givenName = null;
        String familyName = null;
        String birthday = null;

        log.debug("Find #" + samlResponse.getAssertions().size() + " assertions after decryption");

        for (final org.opensaml.saml2.core.Assertion saml2assertion : samlResponse.getAssertions()) {

          try {
            principleId = saml2assertion.getSubject().getNameID().getValue();

          } catch (final Exception e) {
            log.warn("Can not read SubjectNameId", e);
          }

          // loop through the nodes to get what we want
          final List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
          for (final AttributeStatement attributeStatement : attributeStatements) {
            final List<Attribute> attributes = attributeStatement.getAttributes();
            for (final Attribute attribute : attributes) {

              final String strAttributeName = attribute.getName();

              log.debug("Find attribute with name: " + strAttributeName + " and value: "
                  + attribute.getAttributeValues().get(0).getDOM().getNodeValue());

              if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME)) {
                familyName = attribute.getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();

              }

              if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME)) {
                givenName = attribute.getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();

              }

              if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
                birthday = attribute.getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();

              }

              if (strAttributeName.equals(PVPConstants.BPK_NAME)) {
                principleId = attribute.getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();

              }
            }
          }
          request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
              saml2assertion.getSubject().getNameID().getFormat());
          request.getSession().setAttribute(Constants.SESSION_NAMEID,
              saml2assertion.getSubject().getNameID().getValue());

        }

        bean.setPrincipleId(principleId);
        bean.setDateOfBirth(birthday);
        bean.setFamilyName(familyName);
        bean.setGivenName(givenName);
        bean.setLogin(true);

        setAnser(request, response, bean);
        return;

      } else {
        bean.setErrorMessage(
            "Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
        setAnser(request, response, bean);
        return;

      }

    } catch (final Exception e) {
      log.warn(e.getMessage(), e);
      bean.setErrorMessage("Internal Error: " + e.getMessage());
      setAnser(request, response, bean);
      return;
    }

  }

  private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean)
      throws ServletException, IOException {
    // store bean in session
    request.setAttribute("answers", answersBean);

    // you now can forward to some view, for example some results.jsp
    request.getRequestDispatcher("demoapp.jsp").forward(request, response);

  }

  /**
   * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
   *      response)
   */
  @Override
  protected void doGet(HttpServletRequest request,
      HttpServletResponse response) throws ServletException, IOException {

    process(request, response);
  }

  /**
   * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
   *      response)
   */
  @Override
  protected void doPost(HttpServletRequest request,
      HttpServletResponse response) throws ServletException, IOException {
    process(request, response);
  }
}