/*
 * Copyright 2013 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the License
 * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the License for the specific language governing permissions and limitations under
 * the License.
 */

package com.google.api.client.googleapis.auth.oauth2;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.JsonParser;
import com.google.api.client.json.JsonToken;
import com.google.api.client.util.Beta;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Preconditions;
import com.google.api.client.util.SecurityUtils;
import com.google.api.client.util.StringUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * {@link Beta} <br/>
 * Thread-safe Google public keys manager.
 *
 * <p>
 * The public keys are loaded from the public certificates endpoint at
 * {@link #getPublicCertsEncodedUrl} and cached in this instance. Therefore, for maximum efficiency,
 * applications should use a single globally-shared instance of the {@link GooglePublicKeysManager}.
 * </p>
 *
 * @since 1.17
 */
@Beta
public class GooglePublicKeysManager {

  /** Number of milliseconds before expiration time to force a refresh. */
  private static final long REFRESH_SKEW_MILLIS = 300000;

  /** Pattern for the max-age header element of Cache-Control. */
  private static final Pattern MAX_AGE_PATTERN = Pattern.compile("\\s*max-age\\s*=\\s*(\\d+)\\s*");

  /** JSON factory. */
  private final JsonFactory jsonFactory;

  /** Unmodifiable view of the public keys or {@code null} for none. */
  private List<PublicKey> publicKeys;

  /**
   * Expiration time in milliseconds to be used with {@link Clock#currentTimeMillis()} or {@code 0}
   * for none.
   */
  private long expirationTimeMilliseconds;

  /** HTTP transport. */
  private final HttpTransport transport;

  /** Lock on the public keys. */
  private final Lock lock = new ReentrantLock();

  /** Clock to use for expiration checks. */
  private final Clock clock;

  /** Public certificates encoded URL. */
  private final String publicCertsEncodedUrl;

  /**
   * @param transport HTTP transport
   * @param jsonFactory JSON factory
   */
  public GooglePublicKeysManager(HttpTransport transport, JsonFactory jsonFactory) {
    this(new Builder(transport, jsonFactory));
  }

  /**
   * @param builder builder
   */
  protected GooglePublicKeysManager(Builder builder) {
    transport = builder.transport;
    jsonFactory = builder.jsonFactory;
    clock = builder.clock;
    publicCertsEncodedUrl = builder.publicCertsEncodedUrl;
  }

  /** Returns the HTTP transport. */
  public final HttpTransport getTransport() {
    return transport;
  }

  /** Returns the JSON factory. */
  public final JsonFactory getJsonFactory() {
    return jsonFactory;
  }

  /** Returns the public certificates encoded URL. */
  public final String getPublicCertsEncodedUrl() {
    return publicCertsEncodedUrl;
  }

  /** Returns the clock. */
  public final Clock getClock() {
    return clock;
  }

  /**
   * Returns an unmodifiable view of the public keys.
   *
   * <p>
   * For efficiency, an in-memory cache of the public keys is used here. If this method is called
   * for the first time, or the certificates have expired since last time it has been called (or are
   * within 5 minutes of expiring), {@link #refresh()} will be called before returning the value.
   * </p>
   */
  public final List<PublicKey> getPublicKeys() throws GeneralSecurityException, IOException {
    lock.lock();
    try {
      if (publicKeys == null
          || clock.currentTimeMillis() + REFRESH_SKEW_MILLIS > expirationTimeMilliseconds) {
        refresh();
      }
      return publicKeys;
    } finally {
      lock.unlock();
    }
  }

  /**
   * Returns the expiration time in milliseconds to be used with {@link Clock#currentTimeMillis()}
   * or {@code 0} for none.
   */
  public final long getExpirationTimeMilliseconds() {
    return expirationTimeMilliseconds;
  }

  /**
   * Forces a refresh of the public certificates downloaded from {@link #getPublicCertsEncodedUrl}.
   *
   * <p>
   * This method is automatically called from {@link #getPublicKeys()} if the public keys have not
   * yet been initialized or if the expiration time is very close, so normally this doesn't need to
   * be called. Only call this method to explicitly force the public keys to be updated.
   * </p>
   */
  public GooglePublicKeysManager refresh() throws GeneralSecurityException, IOException {
    lock.lock();
    try {
      publicKeys = new ArrayList<PublicKey>();
      // HTTP request to public endpoint
      CertificateFactory factory = SecurityUtils.getX509CertificateFactory();
      HttpResponse certsResponse = transport.createRequestFactory()
          .buildGetRequest(new GenericUrl(publicCertsEncodedUrl)).execute();
      expirationTimeMilliseconds =
          clock.currentTimeMillis() + getCacheTimeInSec(certsResponse.getHeaders()) * 1000;
      // parse each public key in the JSON response
      JsonParser parser = jsonFactory.createJsonParser(certsResponse.getContent());
      JsonToken currentToken = parser.getCurrentToken();
      // token is null at start, so get next token
      if (currentToken == null) {
        currentToken = parser.nextToken();
      }
      Preconditions.checkArgument(currentToken == JsonToken.START_OBJECT);
      try {
        while (parser.nextToken() != JsonToken.END_OBJECT) {
          parser.nextToken();
          String certValue = parser.getText();
          X509Certificate x509Cert = (X509Certificate) factory.generateCertificate(
              new ByteArrayInputStream(StringUtils.getBytesUtf8(certValue)));
          publicKeys.add(x509Cert.getPublicKey());
        }
        publicKeys = Collections.unmodifiableList(publicKeys);
      } finally {
        parser.close();
      }
      return this;
    } finally {
      lock.unlock();
    }
  }

  /**
   * Gets the cache time in seconds. "max-age" in "Cache-Control" header and "Age" header are
   * considered.
   *
   * @param httpHeaders the http header of the response
   * @return the cache time in seconds or zero if the response should not be cached
   */
  long getCacheTimeInSec(HttpHeaders httpHeaders) {
    long cacheTimeInSec = 0;
    if (httpHeaders.getCacheControl() != null) {
      for (String arg : httpHeaders.getCacheControl().split(",")) {
        Matcher m = MAX_AGE_PATTERN.matcher(arg);
        if (m.matches()) {
          cacheTimeInSec = Long.parseLong(m.group(1));
          break;
        }
      }
    }
    if (httpHeaders.getAge() != null) {
      cacheTimeInSec -= httpHeaders.getAge();
    }
    return Math.max(0, cacheTimeInSec);
  }

  /**
   * {@link Beta} <br/>
   * Builder for {@link GooglePublicKeysManager}.
   *
   * <p>
   * Implementation is not thread-safe.
   * </p>
   *
   * @since 1.17
   */
  @Beta
  public static class Builder {

    /** Clock. */
    Clock clock = Clock.SYSTEM;

    /** HTTP transport. */
    final HttpTransport transport;

    /** JSON factory. */
    final JsonFactory jsonFactory;

    /** Public certificates encoded URL. */
    String publicCertsEncodedUrl = GoogleOAuthConstants.DEFAULT_PUBLIC_CERTS_ENCODED_URL;

    /**
     * Returns an instance of a new builder.
     *
     * @param transport HTTP transport
     * @param jsonFactory JSON factory
     */
    public Builder(HttpTransport transport, JsonFactory jsonFactory) {
      this.transport = Preconditions.checkNotNull(transport);
      this.jsonFactory = Preconditions.checkNotNull(jsonFactory);
    }

    /** Builds a new instance of {@link GooglePublicKeysManager}. */
    public GooglePublicKeysManager build() {
      return new GooglePublicKeysManager(this);
    }

    /** Returns the HTTP transport. */
    public final HttpTransport getTransport() {
      return transport;
    }

    /** Returns the JSON factory. */
    public final JsonFactory getJsonFactory() {
      return jsonFactory;
    }

    /** Returns the public certificates encoded URL. */
    public final String getPublicCertsEncodedUrl() {
      return publicCertsEncodedUrl;
    }

    /**
     * Sets the public certificates encoded URL.
     *
     * <p>
     * The default value is {@link GoogleOAuthConstants#DEFAULT_PUBLIC_CERTS_ENCODED_URL}.
     * </p>
     *
     * <p>
     * Overriding is only supported for the purpose of calling the super implementation and changing
     * the return type, but nothing else.
     * </p>
     */
    public Builder setPublicCertsEncodedUrl(String publicCertsEncodedUrl) {
      this.publicCertsEncodedUrl = Preconditions.checkNotNull(publicCertsEncodedUrl);
      return this;
    }

    /** Returns the clock. */
    public final Clock getClock() {
      return clock;
    }

    /**
     * Sets the clock.
     *
     * <p>
     * Overriding is only supported for the purpose of calling the super implementation and changing
     * the return type, but nothing else.
     * </p>
     */
    public Builder setClock(Clock clock) {
      this.clock = Preconditions.checkNotNull(clock);
      return this;
    }
  }
}