/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.cxf.interceptor.security.callback;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.interceptor.security.NamePasswordCallbackHandler;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;

public class CallbackHandlerTlsCert implements CallbackHandlerProvider {
    private CertificateToNameMapper certMapper;
    private NameToPasswordMapper nameToPasswordMapper;
    private String fixedPassword;

    public CallbackHandlerTlsCert() {
        // By default use subjectDN as userName
        this.certMapper = new CertificateToNameMapper() {
            public String getUserName(Certificate cert) {
                return ((X509Certificate)cert).getSubjectDN().getName();
            }
        };
        // By default use fixed password
        this.nameToPasswordMapper = new NameToPasswordMapper() {
            public String getPassword(String userName) {
                return fixedPassword;
            }
        };
    }

    @Override
    public CallbackHandler create(Message message) {
        TLSSessionInfo tlsSession = message.get(TLSSessionInfo.class);
        if (tlsSession == null) {
            return null;
        }
        Certificate cert = getCertificate(message);
        String name = certMapper.getUserName(cert);
        String password = nameToPasswordMapper.getPassword(name);
        return new NamePasswordCallbackHandler(name, password);
    }

    /**
     * Extracts certificate from message, expecting to find TLSSessionInfo inside.
     *
     * @param message
     */
    private Certificate getCertificate(Message message) {
        TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
        if (tlsSessionInfo == null) {
            throw new SecurityException("Not TLS connection");
        }

        Certificate[] certificates = tlsSessionInfo.getPeerCertificates();
        if (certificates == null || certificates.length == 0) {
            throw new SecurityException("No certificate found");
        }

        // Due to RFC5246, senders certificates always comes 1st
        return certificates[0];
    }

    public void setCertMapper(CertificateToNameMapper certMapper) {
        this.certMapper = certMapper;
    }

    public void setFixedPassword(String fixedPassword) {
        this.fixedPassword = fixedPassword;
    }

    public void setNameToPasswordMapper(NameToPasswordMapper nameToPasswordMapper) {
        this.nameToPasswordMapper = nameToPasswordMapper;
    }

}