/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2014, Red Hat, Inc., and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */

package org.jboss.as.domain.management.security;

import static org.jboss.as.domain.management.logging.DomainManagementLogger.SECURITY_LOGGER;

import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.security.auth.login.LoginException;

import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.SubjectIdentity;
import org.jboss.msc.inject.Injector;
import org.jboss.msc.service.Service;
import org.jboss.msc.service.ServiceBuilder;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StartException;
import org.jboss.msc.service.StopContext;
import org.jboss.msc.value.InjectedSetValue;

/**
 * {@link Service} responsible for {@link SubjectIdentity} creation.
 *
 * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
 */
class KeytabIdentityFactoryService implements Service<KeytabIdentityFactoryService> {

    private static final String SERVICE_SUFFIX = "keytab_factory";

    private final InjectedSetValue<KeytabService> keytabServices = new InjectedSetValue<KeytabService>();

    private volatile KeytabService defaultService = null;
    private volatile Map<String, KeytabService> hostServiceMap = null;

    /*
     * Service Methods.
     */

    @Override
    public void start(StartContext context) throws StartException {
        Set<KeytabService> services = keytabServices.getValue();

        hostServiceMap = new HashMap<String, KeytabService>(services.size()); // Assume at least one per service.
        /*
         * Iterate the services and find the first one to offer default resolution, also create a hostname to KeytabService map
         * for the first one that claims each host.
         */
        for (KeytabService current : services) {
            for (String currentHost : current.getForHosts()) {
                if ("*".equals(currentHost)) {
                    if (defaultService == null) {
                        defaultService = current;
                    }
                } else if (currentHost != null) {
                    int idx = currentHost.indexOf("/");
                    String hostKey = idx > -1 ? currentHost.substring(0, idx) + "/" + currentHost.substring(idx + 1).toLowerCase(Locale.ENGLISH) :
                        currentHost.toLowerCase(Locale.ENGLISH);
                    if (hostServiceMap.containsKey(hostKey) == false) {
                        hostServiceMap.put(hostKey, current);
                    }
                }
            }
        }

        /*
         * Iterate the services again and attempt to identify host names from the principal name and add to the map if there is
         * not already a mapping for that host name.
         */
        for (KeytabService current : services) {
            String principal = current.getPrincipal();
            int start = principal.indexOf('/');
            int end = principal.indexOf('@');

            String currentHost = principal.substring(start > -1 ? start + 1 : 0, end > -1 ? end : principal.length() - 1);
            if (hostServiceMap.containsKey(currentHost.toLowerCase(Locale.ENGLISH)) == false) {
                hostServiceMap.put(currentHost.toLowerCase(Locale.ENGLISH), current);
            }
            principal = principal.substring(0, end > -1 ? end : principal.length() - 1);
            if (principal.equals(currentHost) == false) {
                String principalKey = principal.substring(0, start) + "/" + currentHost.toLowerCase(Locale.ENGLISH);
                if (hostServiceMap.containsKey(principalKey) == false) {
                    hostServiceMap.put(principalKey, current);
                }
            }
        }
    }

    @Override
    public void stop(StopContext context) {
        defaultService = null;
        hostServiceMap = null;
    }

    @Override
    public KeytabIdentityFactoryService getValue() throws IllegalStateException, IllegalArgumentException {
        return this;
    }

    Injector<KeytabService> getKeytabInjector() {
        return keytabServices.injector();
    }

    /*
     * SubjectIdentity factory method.
     */

    SubjectIdentity getSubjectIdentity(final String protocol, final String forHost) {
        KeytabService selectedService = null;

        final String hostName = forHost == null ? null : forHost.toLowerCase(Locale.ENGLISH);
        String name = protocol + "/" + hostName;
        selectedService = hostServiceMap.get(name);
        if (selectedService == null) {
            SECURITY_LOGGER.tracef("No mapping for name '%s' to KeytabService, attempting to use host only match.", name);
            selectedService = hostServiceMap.get(hostName);
            if (selectedService == null) {
                SECURITY_LOGGER.tracef("No mapping for host '%s' to KeytabService, attempting to use default.", forHost);
                selectedService = defaultService;
            }
        }

        if (selectedService != null) {
            if (SECURITY_LOGGER.isTraceEnabled()) {
                SECURITY_LOGGER.tracef("Selected KeytabService with principal '%s' for host '%s'",
                        selectedService.getPrincipal(), forHost);
            }
            try {
                return selectedService.createSubjectIdentity(false);
            } catch (LoginException e) {
                SECURITY_LOGGER.keytabLoginFailed(selectedService.getPrincipal(), forHost, e);
                /*
                 * Allow to continue and return null, i.e. we have an error preventing Kerberos authentication so log that but
                 * other mechanisms may be available leaving the server still accessible.
                 */
            }
        } else {
            SECURITY_LOGGER.tracef("No KeytabService available for host '%s' unable to return SubjectIdentity.", forHost);
        }

        return null;
    }

    public static final class ServiceUtil {

        private ServiceUtil() {
        }

        public static ServiceName createServiceName(final String realmName) {
            return SecurityRealm.ServiceUtil.createServiceName(realmName).append(SERVICE_SUFFIX);
        }

        public static ServiceBuilder<?> addDependency(ServiceBuilder<?> sb, Injector<KeytabIdentityFactoryService> injector,
                String realmName) {
            ServiceBuilder.DependencyType type = ServiceBuilder.DependencyType.REQUIRED;
            sb.addDependency(type, createServiceName(realmName), KeytabIdentityFactoryService.class, injector);

            return sb;
        }

    }

}