/*
 * Copyright (C) 2011 Citrix Systems, Inc.  All rights reserved.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.cloud.bridge.auth.ec2;

import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.log4j.Logger;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler;
import org.apache.axis2.AxisFault;
import org.apache.axis2.description.HandlerDescription; 
import org.apache.axis2.description.Parameter;
import org.apache.commons.codec.binary.Base64;

import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.io.ByteArrayInputStream;
import java.io.InputStream;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import com.cloud.bridge.model.UserCredentials;
import com.cloud.bridge.persist.dao.UserCredentialsDao;
import com.cloud.bridge.service.UserContext;
import com.cloud.bridge.util.AuthenticationUtils;


public class AuthenticationHandler implements Handler {
     protected final static Logger logger = Logger.getLogger(AuthenticationHandler.class);
     
     private DocumentBuilderFactory dbf = null;

	 protected HandlerDescription handlerDesc = new HandlerDescription( "EC2AuthenticationHandler" );
     private String name = "EC2AuthenticationHandler";
    
     public void init( HandlerDescription handlerdesc ) 
     {
 		 dbf = DocumentBuilderFactory.newInstance();
		 dbf.setNamespaceAware( true );

   	  	 this.handlerDesc = handlerdesc;
     }
    	  	
     public String getName() 
     {
          return name;
     }

     public String toString() 
     {
    	 return (name != null) ? name.toString() : null;
     }
     
     public HandlerDescription getHandlerDesc() 
     {
       	 return handlerDesc;
     }
    	
     public Parameter getParameter( String name ) 
     {
    	 return handlerDesc.getParameter( name );
     } 
     
     
     /**
      * For EC2 SOAP calls this function's goal is to extract the X509 certificate that is
      * part of the WS-Security wrapped SOAP request.   We need the cert in order to 
      * map it to the user's Cloud API key and Cloud Secret Key.
      */
     public InvocationResponse invoke(MessageContext msgContext) throws AxisFault 
     {
    	 // -> the certificate we want is embedded into the soap header
    	 try
    	 {  SOAPEnvelope soapEnvelope = msgContext.getEnvelope();
            String       xmlHeader    = soapEnvelope.toString();
            //System.out.println( "entire request: " + xmlHeader );
    
    		InputStream is = new ByteArrayInputStream( xmlHeader.getBytes("UTF-8"));
    		DocumentBuilder db = dbf.newDocumentBuilder();
    		Document request = db.parse( is );   		
    		NodeList certs   = request.getElementsByTagNameNS( "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken" ); 
	        if (0 < certs.getLength()) {
	    	    Node item = certs.item(0);
	    	    String result = new String( item.getFirstChild().getNodeValue());
	    	    byte[] certBytes = Base64.decodeBase64( result.getBytes()); 

	    	    Certificate userCert  = null;
	    	    CertificateFactory cf = CertificateFactory.getInstance( "X.509" );
	    	    ByteArrayInputStream bs = new ByteArrayInputStream( certBytes );
	    	    while (bs.available() > 0) userCert = cf.generateCertificate(bs);
                //System.out.println( "cert: " + userCert.toString());              
                String uniqueId = AuthenticationUtils.X509CertUniqueId( userCert );
                logger.debug( "X509 cert's uniqueId: " + uniqueId );
                
                // -> find the Cloud API key and the secret key from the cert's uniqueId 
	     	    UserCredentialsDao credentialDao = new UserCredentialsDao();
	     	    UserCredentials cloudKeys = credentialDao.getByCertUniqueId( uniqueId );
	     	    if ( null == cloudKeys ) {
	        	     logger.error( "Cert does not map to Cloud API keys: " + uniqueId );
	        	  throw new AxisFault( "User not properly registered: Certificate does not map to Cloud API Keys", "Client.Blocked" );
	     	    }
	     	    else UserContext.current().initContext( cloudKeys.getAccessKey(), cloudKeys.getSecretKey(), cloudKeys.getAccessKey(), "SOAP Request", null );
                //System.out.println( "end of cert match: " + UserContext.current().getSecretKey());
	        }
    	} 
    	catch (AxisFault e) {
    		throw e;
    	} 
    	catch( Exception e ) {
            logger.error("EC2 Authentication Handler: ", e);
    		throw new AxisFault( "An unknown error occurred.", "Server.InternalError" );
    	}    	
        return InvocationResponse.CONTINUE;
     }

     
     public void revoke(MessageContext msgContext) 
     {
         logger.info(msgContext.getEnvelope().toString());
     }

     public void setName(String name) 
     {
         this.name = name;
     }
     
 	 @Override
	 public void cleanup() 
	 {
	 }

	 @Override
	 public void flowComplete( MessageContext arg0 ) 
	 {
	 }
}