/*
 *   Licensed to the Apache Software Foundation (ASF) under one
 *   or more contributor license agreements.  See the NOTICE file
 *   distributed with this work for additional information
 *   regarding copyright ownership.  The ASF licenses this file
 *   to you under the Apache License, Version 2.0 (the
 *   "License"); you may not use this file except in compliance
 *   with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *   Unless required by applicable law or agreed to in writing,
 *   software distributed under the License is distributed on an
 *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 *   KIND, either express or implied.  See the License for the
 *   specific language governing permissions and limitations
 *   under the License.
 *
 */
package org.apache.directory.fortress.core.ldap;


import org.apache.directory.fortress.core.CfgRuntimeException;
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.util.Config;
import org.apache.directory.fortress.core.util.ResourceUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;


/**
 * Implement the X509TrustManager interface which will be used during JSSE truststore manager initialization for LDAP
 * client-to-server communications over TLS/SSL.
 * It is used during certificate validation operations within JSSE.
 * <p>
 * There are the controlling fortress.properties:
 * <ul>
 *     <li>trust.store : contains the name of the truststore (must be fully qualified iff trust.store.onclasspath=false</li>
 *     <li>trust.store.password : contains the pw for the specified truststore</li>
 *     <li>trust.onclasspath : if false name must be fully qualified, otherwise file must be on classpath as named</li>
 * </ul>
 *
 * Note: This class allows self-signed certificates to pass the validation checks, if its root certificate is found in the truststore.
 *
 * @author <a href="mailto:[email protected]">Apache Directory Project</a>
 */
public final class LdapClientTrustStoreManager implements X509TrustManager, Serializable
{
    /** Default serialVersionUID */
    private static final long serialVersionUID = 1L;
    // Logging
    private static final String CLS_NM = LdapClientTrustStoreManager.class.getName();
    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );

    // Config variables
    private final boolean isExamineValidityDates;
    private final char[] trustStorePw;
    // This is found on the classpath if trust.store.onclasspath = true (default), otherwise must include exact location on filepath:
    private final String trustStoreFile;
    private final String trustStoreFormat;


    /**
     * Constructor used by connection configuration utility to load trust store manager.
     *
     * @param trustStoreFile    contains name of trust store file.
     * @param trustStorePw      contains the password for trust store
     * @param trustStoreFormat  contains the format for trust store
     * @param isExamineValidity boolean var determines if certificate will be examined for valid dates on load.
     */
    public LdapClientTrustStoreManager( final String trustStoreFile, final char[] trustStorePw,
        final String trustStoreFormat, final boolean isExamineValidity )
    {
        if ( trustStoreFile == null )
        {
            // Cannot continue, throw an unchecked exception:
            throw new CfgRuntimeException( GlobalErrIds.FT_CONFIG_JSSE_TRUSTSTORE_NULL,
                "LdapClientTrustStoreManager constructor : input file name is null" );
        }
        // contains the file name of a valid JSSE TrustStore found on classpath:
        this.trustStoreFile = trustStoreFile;
        // the password to the JSSE TrustStore:
        this.trustStorePw = trustStorePw.clone();
        // If true, verify the current date is within the validity period for every certificate in the TrustStore:
        this.isExamineValidityDates = isExamineValidity;
        if ( trustStoreFormat == null )
        {
            this.trustStoreFormat = KeyStore.getDefaultType();
        }
        else
        {
            this.trustStoreFormat = trustStoreFormat;
        }
    }


    /**
     * Determine if client certificate is to be trusted.
     *
     * @param x509Chain
     * @param authNType
     * @throws CertificateException
     */
    public synchronized void checkClientTrusted( final X509Certificate[] x509Chain,
        final String authNType ) throws CertificateException
    {
        // For each certificate in the chain, check validity:
        for ( final X509TrustManager trustMgr : getTrustManagers( x509Chain ) )
        {
            trustMgr.checkClientTrusted( x509Chain, authNType );
        }
    }


    /**
     * Determine if server certificate is to be trusted.
     *
     * @param x509Chain
     * @param authNType
     * @throws CertificateException
     */
    public synchronized void checkServerTrusted( final X509Certificate[] x509Chain, final String authNType ) throws
        CertificateException
    {
        for ( final X509TrustManager trustManager : getTrustManagers( x509Chain ) )
        {
            trustManager.checkServerTrusted( x509Chain, authNType );
        }
    }


    /**
     * Return the list of accepted issuers for this trust manager.
     *
     * @return array of accepted issuers
     */
    public synchronized X509Certificate[] getAcceptedIssuers()
    {
        return new X509Certificate[0];
    }


    /**
     * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
     *
     * @param x509Chain contains input X.509 certificate chain.
     * @return array of X.509 trust managers.
     * @throws CertificateException if trustStoreFile instance variable is null.
     */
    private synchronized X509TrustManager[] getTrustManagers( final X509Certificate[] x509Chain ) throws
        CertificateException
    {
        String szTrustStoreOnClasspath = Config.getInstance().getProperty( GlobalIds.TRUST_STORE_ON_CLASSPATH );

        // If false or null, read the truststore from a fully qualified filename.
        if( szTrustStoreOnClasspath != null && szTrustStoreOnClasspath.equalsIgnoreCase( "false" ))
        {
            LOG.info( CLS_NM + ".getTrustManagers on filepath" );
            return getTrustManagersOnFilepath( x509Chain );
        }
        // Get it off the classpath
        else
        {
            LOG.info( CLS_NM + ".getTrustManagers on classpath" );
            return getTrustManagersOnClasspath( x509Chain );
        }
    }


    /**
     * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
     *
     * @param x509Chain contains input X.509 certificate chain.
     * @return array of X.509 trust managers.
     * @throws CertificateException if trustStoreFile instance variable is null.
     */
    private synchronized X509TrustManager[] getTrustManagersOnClasspath( final X509Certificate[] x509Chain ) throws
        CertificateException
    {
        // If true, verify the current date is within each certificates validity period.
        if ( isExamineValidityDates )
        {
            final Date currentDate = new Date();
            for ( final X509Certificate x509Cert : x509Chain )
            {
                x509Cert.checkValidity( currentDate );
            }
        }
        InputStream trustStoreInputStream = getTrustStoreInputStream();
        if (trustStoreInputStream == null)
        {
            throw new CertificateException("LdapClientTrustStoreManager.getTrustManagers : file not found");
        }
        try
        {
            trustStoreInputStream.close();
        }
        catch (IOException e)
        {
            // Eat this ioexception because it shouldn't be a problem, but log just in case:
            LOG.warn("LdapClientTrustStoreManager.getTrustManagers on input stream close " +
                    "operation caught IOException={}", e.getMessage());
        }
        return loadTrustManagers( getTrustStore() );
    }


    /**
     * Return array of trust managers to caller.  Will verify that current date is within certs validity period.
     *
     * @param x509Chain contains input X.509 certificate chain.
     * @return array of X.509 trust managers.
     * @throws CertificateException if trustStoreFile instance variable is null.
     */
    private synchronized X509TrustManager[] getTrustManagersOnFilepath( final X509Certificate[] x509Chain ) throws
        CertificateException
    {
        // If true, verify the current date is within each certificates validity period.
        if ( isExamineValidityDates )
        {
            final Date currentDate = new Date();
            for ( final X509Certificate x509Cert : x509Chain )
            {
                x509Cert.checkValidity( currentDate );
            }
        }
        // The trustStoreFile should contain the fully-qualified name of a Java TrustStore on local file system.
        final File trustStoreFile = new File( this.trustStoreFile );
        if ( !trustStoreFile.exists() )
        {
            throw new CertificateException( "FortressTrustStoreManager.getTrustManagers : file not found" );
        }
        return loadTrustManagers( getTrustStore() );
    }


    /**
     * Return an array of X.509 TrustManagers.
     *
     * @param trustStore handle to input trustStore
     * @return array of trust managers
     * @throws CertificateException if problem occurs during TrustManager initialization.
     */
    private X509TrustManager[] loadTrustManagers( final KeyStore trustStore ) throws CertificateException
    {
        final X509TrustManager[] x509TrustManagers;
        try
        {
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory
                .getDefaultAlgorithm() );
            trustManagerFactory.init( trustStore );
            final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            x509TrustManagers = new X509TrustManager[trustManagers.length];
            for ( int i = 0; i < trustManagers.length; i++ )
            {
                x509TrustManagers[i] = ( X509TrustManager ) trustManagers[i];
            }
        }
        catch ( NoSuchAlgorithmException e )
        {
            throw new CertificateException( "LdapClientTrustStoreManager.loadTrustManagers caught " +
                "NoSuchAlgorithmException", e );
        }
        catch ( KeyStoreException e )
        {
            throw new CertificateException( "LdapClientTrustStoreManager.loadTrustManagers caught KeyStoreException", e );
        }
        return x509TrustManagers;
    }


    /**
     * Load the TrustStore file into JSSE KeyStore instance.
     *
     * @return instance of JSSE KeyStore containing the LDAP Client's TrustStore file info.     *
     * @throws CertificateException if cannot process file load.
     */
    private KeyStore getTrustStore() throws CertificateException
    {
        final KeyStore trustStore;
        try
        {
            trustStore = KeyStore.getInstance( trustStoreFormat );
        }
        catch ( KeyStoreException e )
        {
            throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught KeyStoreException", e );
        }
        InputStream trustStoreInputStream = null;
        try
        {
            trustStoreInputStream = getTrustStoreInputStream();
            trustStore.load( trustStoreInputStream, trustStorePw );
        }
        catch ( NoSuchAlgorithmException e )
        {
            throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught " +
                "NoSuchAlgorithmException", e );
        }
        catch ( IOException e )
        {
            throw new CertificateException( "LdapClientTrustStoreManager.getTrustManagers caught KeyStoreException", e );
        }
        finally
        {
            // Close the input stream.
            if ( trustStoreInputStream != null )
            {
                try
                {
                    trustStoreInputStream.close();
                }
                catch ( IOException e )
                {
                    // Eat this ioexception because it shouldn't be a problem, but log just in case:
                    LOG.warn( "LdapClientTrustStoreManager.getTrustStore finally block on input stream close " +
                        "operation caught IOException={}", e.getMessage() );
                }
            }
        }
        return trustStore;
    }


    /**
     * Read the trust store off the classpath.
     *
     * @return handle to inputStream containing the trust store
     * @throws CertificateException
     */
    private InputStream getTrustStoreInputStream() throws CertificateException
    {
        InputStream result = ResourceUtil.getInputStream(trustStoreFile);
        if (null == result)
        {
            throw new CertificateException("LdapClientTrustStoreManager.getTrustStoreInputStream file does not exist on fortress classpath" );
        }
        return result;
    }
}