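package at.gv.egovernment.moa.id.auth.modules.eidas.config;

import java.security.cert.X509Certificate;
import java.util.Map;

import org.apache.commons.lang.StringUtils;

import com.google.common.collect.ImmutableMap;
import com.sun.istack.Nullable;

import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.logging.Logger;
import eu.eidas.auth.commons.EidasErrorKey;
import eu.eidas.auth.commons.io.ReloadableProperties;
import eu.eidas.auth.engine.configuration.SamlEngineConfigurationException;
import eu.eidas.auth.engine.configuration.dom.EncryptionKey;
import eu.eidas.auth.engine.core.impl.CertificateValidator;
import eu.eidas.auth.engine.core.impl.KeyStoreSamlEngineEncryption;
import eu.eidas.auth.engine.xml.opensaml.CertificateUtil;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;

/**
 * Encryption module that asks the MOA-ID configuration whether the eIDAS response for a
 * destination country has to be encrypted. If that question cannot be answered (configuration
 * missing or unreadable), encryption is enforced.
 *
 * <p>The response-encryption certificate itself is looked up in the SAML engine properties
 * ({@code EncryptionKey.RESPONSE_TO_POINT_ISSUER_PREFIX}/{@code ..._SERIAL_NUMBER_PREFIX} suffixed
 * with the country code) and checked against the engine's key store, see
 * {@link #getEncryptionCertificate(String)}.
 */
public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption {

  /** Immutable snapshot of the SAML engine properties this module was created with. */
  private final ImmutableMap<String, String> properties;

  /**
   * Properties file named by {@code EncryptionKey.ENCRYPTION_ACTIVATION}. It is loaded in the
   * constructor but not read by this class; the activation decision is taken from the MOA-ID
   * configuration in {@link #isEncryptionEnabled(String)} instead.
   */
  private final ReloadableProperties encryptionActivationProperties;

  /**
   * Resolves the encryption-activation properties file referenced by the engine properties.
   *
   * @param properties SAML engine properties
   * @return a reloadable view of the file named by {@code EncryptionKey.ENCRYPTION_ACTIVATION}
   */
  private static ReloadableProperties initActivationConf(Map<String, String> properties) {
    String activationConfigurationFile = EncryptionKey.ENCRYPTION_ACTIVATION.getAsString(properties);
    Logger.debug("File containing encryption configuration: \"" + activationConfigurationFile + "\"");
    return new ReloadableProperties(activationConfigurationFile, null);
  }

  /**
   * Creates the encryption module on top of the key-store based eIDAS implementation.
   *
   * @param properties SAML engine properties (copied, later changes are not observed)
   * @param defaultConfigPath currently unused; the superclass is initialised with a {@code null}
   *     default path
   * @throws SamlEngineConfigurationException if the superclass cannot initialise its key store
   */
  public ModifiedEncryptionSW(Map<String, String> properties, String defaultConfigPath)
      throws SamlEngineConfigurationException {
    super(properties, null);
    this.properties = ImmutableMap.copyOf(properties);
    encryptionActivationProperties = initActivationConf(properties);
  }

  /**
   * Selects the certificate the response for {@code destinationCountryCode} is encrypted with.
   *
   * <p>Lookup order: the engine properties must name an issuer (and optionally a serial number)
   * for the country; the first key-store certificate matching both is returned after the
   * optional self-signed and validity-period checks.
   *
   * @param destinationCountryCode country code the response is addressed to; may be {@code null},
   *     in which case the literal suffix {@code "null"} is used for the property keys
   * @return the matching certificate, or {@code null} if encryption is disabled for this country
   *     or no issuer is configured for it
   * @throws EIDASSAMLEngineException if an issuer is configured but no key-store certificate
   *     matches it, or a matching certificate fails the issuer/validity checks
   * @see eu.eidas.auth.engine.core.ProtocolEncrypterI#getEncryptionCertificate(java.lang.String)
   */
  @Override
  @Nullable
  public X509Certificate getEncryptionCertificate(@Nullable String destinationCountryCode)
      throws EIDASSAMLEngineException {
    if (!isEncryptionEnabled(destinationCountryCode)) {
      return null;
    }

    String issuerKey = EncryptionKey.RESPONSE_TO_POINT_ISSUER_PREFIX.getKey() + destinationCountryCode;
    String serialNumberKey =
        EncryptionKey.RESPONSE_TO_POINT_SERIAL_NUMBER_PREFIX.getKey() + destinationCountryCode;
    String responseToPointIssuer = properties.get(issuerKey);
    String serialNumber = properties.get(serialNumberKey);

    if (StringUtils.isBlank(responseToPointIssuer)) {
      // NOTE(review): this branch fails open. Encryption was requested for the country, but
      // because no issuer is configured the caller gets null and may send the response
      // unencrypted. Only an ERROR log records it; monitor for this message in production and
      // consider throwing EIDASSAMLEngineException here if "in doubt, encrypt" is the intended
      // contract -- the no-match branch below already behaves that way.
      Logger.error("Encryption of SAML Response NOT done, because no \"" + issuerKey + "\" configured!");
      return null;
    }

    for (final X509Certificate certificate : getEncryptionCertificates()) {
      if (!CertificateUtil.matchesCertificate(serialNumber, responseToPointIssuer, certificate)) {
        continue;
      }
      // Optional hardening configured on the engine: reject self-signed certificates and
      // certificates outside their validity period before using them for encryption.
      if (isDisallowedSelfSignedCertificate()) {
        CertificateValidator.checkCertificateIssuer(certificate);
      }
      if (isCheckedValidityPeriod()) {
        CertificateValidator.checkCertificateValidityPeriod(certificate);
      }
      return certificate;
    }

    // An issuer is configured but nothing in the key store matches it: fail closed.
    throw new EIDASSAMLEngineException(
        EidasErrorKey.SAML_ENGINE_INVALID_CERTIFICATE.errorCode(),
        EidasErrorKey.SAML_ENGINE_INVALID_CERTIFICATE.errorMessage());
  }

  /**
   * Decides from the MOA-ID configuration whether the response for {@code countryCode} is
   * encrypted.
   *
   * <p>Primary source is the C-PEPS entry of the STORK configuration for the country (its
   * "XML signature supported" flag). If that entry is missing or the configuration cannot be
   * read, the generic property {@code moa.id.protocols.eIDAS.encryption.disabled} (default
   * {@code "false"}) is consulted. If that fails as well, encryption is enabled.
   *
   * @param countryCode destination country code
   * @return {@code true} if the response must be encrypted
   * @see eu.eidas.auth.engine.core.ProtocolEncrypterI#isEncryptionEnabled(java.lang.String)
   */
  @Override
  public boolean isEncryptionEnabled(String countryCode) {
    // Encryption is enabled by default in the MOA-ID configuration object.
    try {
      AuthConfiguration moaconfig = AuthConfigurationProviderFactory.getInstance();
      Boolean useEncryption =
          moaconfig.getStorkConfig().getCPEPSWithCC(countryCode).isXMLSignatureSupported();
      String logResult = useEncryption ? " using encryption" : " do not use encrpytion";
      Logger.debug("eIDAS respone for country " + countryCode + logResult);
      return useEncryption;

    } catch (NullPointerException | ConfigurationException e) {
      // A NullPointerException here means there is no STORK/C-PEPS entry for the country
      // (getStorkConfig() or getCPEPSWithCC() returned null); fall back to the global switch.
      try {
        String disabled =
            AuthConfigurationProviderFactory.getInstance()
                .getBasicConfiguration("moa.id.protocols.eIDAS.encryption.disabled", "false");
        return !Boolean.valueOf(disabled);

      } catch (ConfigurationException e1) {
        // Fail closed: without a readable configuration the response is encrypted.
        Logger.warn(
            "failed to gather information about encryption for countryCode " + countryCode
                + " - thus, enabling encryption",
            e1);
        if (Logger.isDebugEnabled()) {
          Logger.debug("Primary encryption lookup for countryCode " + countryCode + " failed", e);
        }
        return true;
      }
    }
  }
}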