/*******************************************************************************
 * Copyright 2014 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 *******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;

import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.x509.BasicX509Credential;

import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
import at.gv.egovernment.moa.logging.Logger;
import iaik.x509.X509Certificate;

public class MetadataSignatureFilter implements MetadataFilter {
	
	private String metadataURL;
	private BasicX509Credential savedCredential;
	
	public MetadataSignatureFilter(String url, byte[] certificate) 
			throws CertificateException {
		this.metadataURL = url;
		X509Certificate cert = new X509Certificate(certificate);
		savedCredential = new BasicX509Credential();
		savedCredential.setEntityCertificate(cert);
	}
	
	public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException {
		
//		String entityID = desc.getEntityID();
		
		EntityVerifier.verify(desc);
	}
	
	public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException {
		Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator();
		
		if(desc.getSignature() != null) {
			EntityVerifier.verify(desc, this.savedCredential);
		}
		
		while(entID.hasNext()) {
			processEntitiesDescriptor(entID.next());
		}
				
		Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();

		List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>();
		
		//check every Entity
		
		while(entIT.hasNext()) {
			
			EntityDescriptor entity = entIT.next();
			
			String entityID = entity.getEntityID();
			
			//CHECK if Entity also match MetaData signature.
			/*This check is necessary to prepend declaration of counterfeit OA metadata!!*/
			Logger.debug("Validate metadata for entityID: " + entityID + " ..... ");
			byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID);
						
			if (entityCert != null) {
			
				X509Certificate cert;
				try {
					cert = new X509Certificate(entityCert);
					BasicX509Credential entityCrendential = new BasicX509Credential();
					entityCrendential.setEntityCertificate(cert);
	
					EntityVerifier.verify(desc, entityCrendential);
					
					//add entity to verified entity-list					
					verifiedEntIT.add(entity);
					Logger.debug("Metadata for entityID: " + entityID + " valid");
					
					
				} catch (Exception e) {

					//remove entity of signature can not be verified.
					Logger.info("Entity " + entityID + " is removed from metadata " 
							+ desc.getName() + ". Entity verification error: " + e.getMessage());
//					throw new MOAIDException("The App", null, e);
				}
				
			} else {
				//remove entity if it is not registrated as OA
				Logger.info("Entity " + entityID + " is removed from metadata " 
						+ desc.getName() + ". Entity is not registrated or no certificate is found!");				
//				throw new NoCredentialsException("NO Certificate found for OA " + entityID);
			}
			
			//TODO: insert to support signed Entity-Elements
			//processEntityDescriptorr(entIT.next());
		}		
		
		//set only verified entity elements
		desc.getEntityDescriptors().clear();
		desc.getEntityDescriptors().addAll(verifiedEntIT);
	}
	
	public void doFilter(XMLObject metadata) throws SignatureValidationException {
		try {
			if (metadata instanceof EntitiesDescriptor) {
				EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
				if(entitiesDescriptor.getSignature() == null) {
					throw new MOAIDException("Root element of metadata file has to be signed", null);
				}
				processEntitiesDescriptor(entitiesDescriptor);
				
				
				if (entitiesDescriptor.getEntityDescriptors().size() == 0) {
					throw new MOAIDException("No valid entity in metadata "
							+ entitiesDescriptor.getName() + ". Metadata is not loaded.", null);
				}
				
				
			} else if (metadata instanceof EntityDescriptor) {
				EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
				processEntityDescriptorr(entityDescriptor);
				
			} else {
				throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
			}
			
			
			
			Logger.info("Metadata signature policy check done OK");
		} catch (MOAIDException e) {
			Logger.warn("Metadata signature policy check FAILED.", e);
			throw new SignatureValidationException(e);
		}
	}

}