/*******************************************************************************
 * Copyright 2014 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 *******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.binding;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.security.SecurityPolicyResolver;
import org.opensaml.ws.security.provider.BasicSecurityPolicy;
import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;

import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;

public class RedirectBinding implements IDecoder, IEncoder {

	public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
			RequestAbstractType request, String targetLocation)
			throws MessageEncodingException, SecurityException {
		// TODO: implement
	}

	public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
			StatusResponseType response, String targetLocation)
			throws MessageEncodingException, SecurityException {
		try {
			Credential credentials = CredentialProvider
					.getIDPAssertionSigningCredential();

			Logger.debug("create SAML RedirectBinding response");
			
			HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
					resp, true);
			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
			SingleSignOnService service = new SingleSignOnServiceBuilder()
					.buildObject();
			service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
			service.setLocation(targetLocation);
			context.setOutboundSAMLMessageSigningCredential(credentials);
			context.setPeerEntityEndpoint(service);
			// context.setOutboundMessage(authReq);
			context.setOutboundSAMLMessage(response);
			context.setOutboundMessageTransport(responseAdapter);

			encoder.encode(context);
		} catch (CredentialsNotAvailableException e) {
			e.printStackTrace();
			throw new SecurityException(e);
		}
	}

	public MOARequest decodeRequest(HttpServletRequest req,
			HttpServletResponse resp) throws MessageDecodingException,
			SecurityException {

		HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(
				new BasicParserPool());
		decode.setURIComparator(new MOAURICompare());
		BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext = new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>();
		messageContext
				.setInboundMessageTransport(new HttpServletRequestAdapter(req));

		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());

		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
				TrustEngineFactory.getSignatureKnownKeysTrustEngine());

		SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
		
		
		BasicSecurityPolicy policy = new BasicSecurityPolicy();
		policy.getPolicyRules().add(signatureRule);
		policy.getPolicyRules().add(signedRole);
		
		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
				policy);
		messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
		messageContext.setSecurityPolicyResolver(resolver);
		
		decode.decode(messageContext);

		signatureRule.evaluate(messageContext);

		RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
				.getInboundMessage();
		MOARequest request = new MOARequest(inboundMessage);
		request.setVerified(true);
		request.setEntityMetadata(messageContext.getPeerEntityMetadata());
		return request;
	}

	public MOAResponse decodeRespone(HttpServletRequest req,
			HttpServletResponse resp) throws MessageDecodingException,
			SecurityException {

		HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(
				new BasicParserPool());
		BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
		messageContext
				.setInboundMessageTransport(new HttpServletRequestAdapter(req));

		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
				TrustEngineFactory.getSignatureKnownKeysTrustEngine());

		// signatureRule.evaluate(messageContext);
		BasicSecurityPolicy policy = new BasicSecurityPolicy();
		policy.getPolicyRules().add(signatureRule);
		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
				policy);
		messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
		messageContext.setSecurityPolicyResolver(resolver);
		MOAMetadataProvider provider = null;

		provider = MOAMetadataProvider.getInstance();

		messageContext.setMetadataProvider(provider);

		decode.decode(messageContext);

		Response inboundMessage = (Response) messageContext.getInboundMessage();

		MOAResponse moaResponse = new MOAResponse(inboundMessage);
		moaResponse.setVerified(true);
		moaResponse.setEntityMetadata(messageContext.getPeerEntityMetadata());
		return moaResponse;
	}

	public boolean handleDecode(String action, HttpServletRequest req) {
		return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod()
				.equals("GET"));
	}
}