/* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
*/
package at.gv.egovernment.moa.id.auth.modules.eidas.config;

import java.util.Locale;
import java.util.Map;

import org.apache.commons.lang.StringUtils;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.xml.signature.SignatureConstants;

import com.google.common.collect.ImmutableSet;

import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAWhiteListConfigurator;
import at.gv.egovernment.moaspss.logging.Logger;
import eu.eidas.auth.engine.configuration.SamlEngineConfigurationException;
import eu.eidas.auth.engine.configuration.dom.ConfigurationAdapter;
import eu.eidas.auth.engine.configuration.dom.ConfigurationKey;
import eu.eidas.auth.engine.configuration.dom.KeyStoreSignatureConfigurator;
import eu.eidas.auth.engine.core.impl.KeyStoreProtocolSigner;
import eu.eidas.samlengineconfig.CertificateConfigurationManager;

/**
 * Key-store based eIDAS protocol signer used by MOA-ID.
 * <p>
 * The class extends the eIDAS engine's {@link KeyStoreProtocolSigner} and
 * overrides only the signature-algorithm white list: it keeps its own
 * lists of algorithms allowed for signing and for verification and
 * combines them with the white list found in the eIDAS signature
 * configuration (see {@link #getSignatureAlgorithmWhiteList()}).
 * <p>
 * Thread-safety: the class holds the signature properties in a
 * {@code static} field that every constructor overwrites, so all
 * instances in the JVM share the properties of the most recently
 * constructed instance. The white list itself is lazily computed
 * without synchronisation.
 *
 * @author tlenz
 */
public class MOASWSigner extends KeyStoreProtocolSigner {

    // Signature configuration parameters handed to the eIDAS engine.
    // Static on purpose: the CertificateConfigurationManager constructor
    // assigns it inside the super(...) argument so that the value is already
    // set while the superclass constructor runs (presumably because the
    // superclass calls getSignatureAlgorithmWhiteList() during construction
    // -- TODO confirm against KeyStoreProtocolSigner). Consequence: the last
    // constructed instance wins for every instance.
    private static Map props;

    // Lazily resolved white list; stays null while the configuration cannot
    // be parsed (see getSignatureAlgorithmWhiteList()).
    private ImmutableSet sigAlgWhiteList = null;

    // Algorithms that may be accepted when VERIFYING a signature. This is a
    // superset of DEFAULT_ALGORITHM_WHITE_LIST: it additionally accepts
    // RSA-RIPEMD160 and the RSA-MGF1 variants with SHA-1/224/384/512.
    // NOTE(review): the SHA-1 based RSA_SHA1_MGF1 entry means SHA-1 signed
    // messages are still verifiable; it is deliberately absent from the
    // signing list below.
    private static final ImmutableSet ALLOWED_ALGORITHMS_FOR_VERIFYING = ImmutableSet.of(
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256,
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384,
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512,
            // RIPEMD is allowed to verify
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_RIPEMD160,
            SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256,
            SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384,
            SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512,
            // Set other algorithms which are not supported by openSAML in default.
            // The Santuario URIs are lower-cased with a fixed locale, presumably
            // to match the normalised form the white list is compared against.
            StringUtils.lowerCase(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1_MGF1, Locale.ENGLISH),
            StringUtils.lowerCase(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA224_MGF1, Locale.ENGLISH),
            StringUtils.lowerCase(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256_MGF1, Locale.ENGLISH),
            StringUtils.lowerCase(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA384_MGF1, Locale.ENGLISH),
            StringUtils.lowerCase(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA512_MGF1, Locale.ENGLISH));

    // Algorithms used when no (parsable) white list is configured. This is
    // the narrower list (no RIPEMD, only the SHA-256 MGF1 variant) and is
    // also the value returned when the eIDAS configuration cannot be parsed,
    // so the failure mode is the restrictive list rather than "anything".
    private static final ImmutableSet DEFAULT_ALGORITHM_WHITE_LIST = ImmutableSet.of(
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256,
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384,
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512,
            // RIPEMD is not allowed to sign
            SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256,
            SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384,
            SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512,
            // Set other algorithms which are not supported by openSAML in default
            StringUtils.lowerCase(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256_MGF1, Locale.ENGLISH));

    /**
     * Creates the signer from an already resolved signature-configuration map.
     * <p>
     * Note that {@code props} is assigned only after the superclass
     * constructor has returned, unlike the
     * {@link #MOASWSigner(CertificateConfigurationManager)} constructor,
     * which sets it before {@code super(...)} runs.
     *
     * @param properties signature configuration parameters for the eIDAS engine
     * @throws SamlEngineConfigurationException if the superclass rejects the configuration
     */
    public MOASWSigner(Map properties) throws SamlEngineConfigurationException {
        super(properties);
        props = properties;
    }

    /**
     * Creates the signer from the eIDAS certificate configuration manager.
     * <p>
     * The signature parameters are looked up for the engine instance named
     * {@link Constants#eIDAS_SAML_ENGINE_NAME} under the
     * {@link ConfigurationKey#SIGNATURE_CONFIGURATION} entry. The static
     * {@code props} field is assigned inside the {@code super(...)} argument,
     * i.e. before the superclass constructor executes.
     * NOTE(review): the lookup chain calls {@code get(...)} twice without
     * null checks; if the engine name or the signature entry is missing this
     * presumably surfaces as a {@code NullPointerException} rather than a
     * {@code SamlEngineConfigurationException} -- verify against the adapter.
     *
     * @param configManager eIDAS certificate/engine configuration
     * @throws SamlEngineConfigurationException if the superclass rejects the configuration
     */
    public MOASWSigner(CertificateConfigurationManager configManager) throws SamlEngineConfigurationException {
        super(props = ConfigurationAdapter.adapt(configManager)
                .getInstances()
                .get(Constants.eIDAS_SAML_ENGINE_NAME)
                .getConfigurationEntries()
                .get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey())
                .getParameters());
    }

    /**
     * Returns the set of signature algorithms this signer accepts.
     * <p>
     * On first use the configured white list is read via
     * {@link KeyStoreSignatureConfigurator#getSignatureConfiguration(Map)}
     * from the shared static {@code props} and combined with
     * {@link #DEFAULT_ALGORITHM_WHITE_LIST} and
     * {@link #ALLOWED_ALGORITHMS_FOR_VERIFYING} by
     * {@link MOAWhiteListConfigurator#getAllowedAlgorithms}; the result is
     * cached in {@code sigAlgWhiteList}. The exact combination rule lives in
     * that helper (presumably: configured entries restricted to the
     * verification set, defaults when nothing is configured -- confirm there).
     * <p>
     * If the eIDAS configuration cannot be parsed, a warning is logged and
     * {@link #DEFAULT_ALGORITHM_WHITE_LIST} is returned. That fallback is
     * not cached, so the configuration is re-parsed on every call until it
     * succeeds. The lazy initialisation is unsynchronised; concurrent first
     * callers may each compute the set.
     *
     * @return the allowed signature algorithm identifiers, never {@code null}
     */
    @Override
    protected ImmutableSet getSignatureAlgorithmWhiteList() {
        try {
            if (sigAlgWhiteList == null) {
                sigAlgWhiteList = MOAWhiteListConfigurator.getAllowedAlgorithms(
                        DEFAULT_ALGORITHM_WHITE_LIST,
                        ALLOWED_ALGORITHMS_FOR_VERIFYING,
                        (new KeyStoreSignatureConfigurator().getSignatureConfiguration(props)).getSignatureAlgorithmWhiteList());
            }
            return sigAlgWhiteList;

        } catch (SamlEngineConfigurationException e) {
            // Fail towards the restrictive default list instead of propagating.
            Logger.warn("Can not parse eIDAS signing configuration." , e);
            return DEFAULT_ALGORITHM_WHITE_LIST;

        }
    }
}