/*******************************************************************************
 * Copyright 2014 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 *******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;

import iaik.x509.X509Certificate;

import java.security.cert.CertificateException;
import java.util.Iterator;

import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.FilterException;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.x509.BasicX509Credential;

import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
import at.gv.egovernment.moa.logging.Logger;

public class MetadataSignatureFilter implements MetadataFilter {
	
	private String metadataURL;
	private BasicX509Credential savedCredential;
	
	public MetadataSignatureFilter(String url, byte[] certificate) 
			throws CertificateException {
		this.metadataURL = url;
		X509Certificate cert = new X509Certificate(certificate);
		savedCredential = new BasicX509Credential();
		savedCredential.setEntityCertificate(cert);
	}
	
	public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException {
		
//		String entityID = desc.getEntityID();
		
		EntityVerifier.verify(desc);
	}
	
	public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException {
		Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator();
		
		if(desc.getSignature() != null) {
			EntityVerifier.verify(desc, this.savedCredential);
		}
		
		while(entID.hasNext()) {
			processEntitiesDescriptor(entID.next());
		}
		
		Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();
	
		//check every Entity 
		while(entIT.hasNext()) {
			
			EntityDescriptor entity = entIT.next();
			String entityID = entity.getEntityID();
			
			//CHECK if Entity also match MetaData signature.
			/*This check is necessary to prepend declaration of counterfeit OA metadata!!*/
			byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID);
			
			if (entityCert != null) {
			
				X509Certificate cert;
				try {
					cert = new X509Certificate(entityCert);
					BasicX509Credential entityCrendential = new BasicX509Credential();
					entityCrendential.setEntityCertificate(cert);
	
					EntityVerifier.verify(desc, entityCrendential);
					
				} catch (Exception e) {
					throw new MOAIDException("The App", null, e);
				}
				
			} else {
				throw new NoCredentialsException("NO Certificate found for OA " + entityID);
			}

			//TODO: insert to support signed Entity-Elements
			//processEntityDescriptorr(entIT.next());
		}
	}
	
	public void doFilter(XMLObject metadata) throws FilterException {
		try {
			if (metadata instanceof EntitiesDescriptor) {
				EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
				if(entitiesDescriptor.getSignature() == null) {
					throw new MOAIDException("Root element of metadata file has to be signed", null);
				}
				processEntitiesDescriptor(entitiesDescriptor);
			} /*else if (metadata instanceof EntityDescriptor) {
				EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
				processEntityDescriptorr(entityDescriptor);
			} */else {
				throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
			}
			
			ConfigurationDBUtils.closeSession();
			
			Logger.info("Metadata Filter done OK");
		} catch (MOAIDException e) {
			e.printStackTrace();
			throw new FilterException(e);
		}
	}

}