/*
   jGuard is a security framework based on top of jaas (java authentication and authorization security).
   it is written for web applications, to resolve simply, access control problems.
   
   http://sourceforge.net/projects/jguard/
   
   Copyright (C) 2004  Charles GAY
   
   This library is free software; you can redistribute it and/or
  modify it under the terms of the GNU Lesser General Public
  License as published by the Free Software Foundation; either
  version 2.1 of the License, or (at your option) any later version.
  
  This library is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  Lesser General Public License for more details.
  
  You should have received a copy of the GNU Lesser General Public
  License along with this library; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  
  
  jGuard project home page:
  http://sourceforge.net/projects/jguard/
  
  */
  package net.sf.jguard.ext.authentication.loginmodules;
  
  import java.io.BufferedInputStream;
  import java.io.DataInputStream;
  import java.io.FileInputStream;
  import java.io.FileNotFoundException;
  import java.io.IOException;
  import java.io.InputStream;
  import java.net.MalformedURLException;
  import java.net.URL;
  import java.net.URLConnection;
  import java.security.InvalidAlgorithmParameterException;
  import java.security.KeyStore;
  import java.security.KeyStoreException;
  import java.security.NoSuchAlgorithmException;
  import java.security.Provider;
  import java.security.PublicKey;
  import java.security.Security;
  import java.security.cert.CRL;
  import java.security.cert.CRLException;
  import java.security.cert.CertPath;
  import java.security.cert.CertPathValidator;
  import java.security.cert.CertPathValidatorException;
  import java.security.cert.CertStore;
  import java.security.cert.CertStoreParameters;
  import java.security.cert.CertificateException;
  import java.security.cert.CertificateFactory;
  import java.security.cert.CollectionCertStoreParameters;
  import java.security.cert.LDAPCertStoreParameters;
  import java.security.cert.PKIXCertPathValidatorResult;
  import java.security.cert.PKIXParameters;
  import java.security.cert.PolicyNode;
  import java.security.cert.TrustAnchor;
  import java.security.cert.X509Certificate;
  import java.util.ArrayList;
  import java.util.Arrays;
  import java.util.Collection;
  import java.util.Date;
  import java.util.List;
  import java.util.Map;
  import java.util.Set;
  
  import java.util.logging.Level;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.login.FailedLoginException;
  import javax.security.auth.login.LoginException;
  import javax.security.auth.spi.LoginModule;
  
  import net.sf.jguard.core.CoreConstants;
  import net.sf.jguard.ext.SecurityConstants;
  import net.sf.jguard.ext.authentication.certificates.CertUtils;
  
  import org.bouncycastle.jce.provider.BouncyCastleProvider;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
  
  /**
   * validate certificates: validate their certPath and checks if
   * some of them are revoked against CRL(Certificate Revocation list).
   * @author <a href="mailto:diabolo512@users.sourceforge.net ">Charles Gay</a>
   *
   */
  public class CRLLoginModule extends CertificateLoginModule implements LoginModule {
  
  	private static final String COLLECTION = "Collection";
  	private static final String LDAP = "LDAP";
  	private static final String PKIX = "PKIX";
  	private static final String X_509 = "X.509";
  
  	/** Logger for this class */
  	private static final Logger logger = LoggerFactory.getLogger(CRLLoginModule.class.getName());
 	private Set trustAnchors = null;
 	private String trustedCaCertsDirPath = null;
 	private CertPath certPath = null;
 	private boolean debug = false;
 	private Provider securityProvider = null;
 	private String certStoreType =CRLLoginModule.LDAP;
 	private String ldapServerName ="localhost";
 	private int ldapServerPort =389;
 	
 	private Map sharedState;
 	private String fileCrlPath = null;
 	private String urlCrlPath = null;
 	private boolean anyPolicyInhibited = false;
 	private boolean explicitPolicyRequired = false;
 	private boolean policyMappingInhibited = false;
 	private boolean policyQualifierRejected = true;
 	private boolean revocationEnabled = true;
 	private String sigProvider=null;
 	private String keyStorePath;
 	private String keyStorePassword;
 	private String keyStoreType;
 	private static boolean SecurityProviderInitialized = false;
 	
 
 	/**
 	 * @param subj
 	 * @param cbkHandler
 	 * @param state
 	 * @param options
 	 * @see javax.security.auth.spi.LoginModule#initialize(javax.security.auth.Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map)
 	 */
 	public void initialize(Subject subj, CallbackHandler cbkHandler, Map state,Map options) {
 		this.subject = subj;
 		this.callbackHandler = cbkHandler;
 		this.sharedState = state;
 
         if(!SecurityProviderInitialized){
         	SecurityProviderInitialized = initSecurityProvider();
         }
 
 		if((String)options.get(CoreConstants.DEBUG)!=null){
 			  debug= Boolean.valueOf((String)options.get(CoreConstants.DEBUG)).booleanValue();
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_ANY_POLICY_INHIBITED)!=null){
 			anyPolicyInhibited = Boolean.valueOf((String)options.get(SecurityConstants.CERT_PATH_ANY_POLICY_INHIBITED)).booleanValue();
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_EXPLICIT_POLICY_REQUIRED)!=null){
 			explicitPolicyRequired = Boolean.valueOf((String)options.get(SecurityConstants.CERT_PATH_EXPLICIT_POLICY_REQUIRED)).booleanValue();
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_POLICY_MAPPING_INHIBITED)!=null){
 			policyMappingInhibited = Boolean.valueOf((String)options.get(SecurityConstants.CERT_PATH_POLICY_MAPPING_INHIBITED)).booleanValue();
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_POLICY_QUALIFIERS_REJECTED)!=null){
 			policyQualifierRejected = Boolean.valueOf((String)options.get(SecurityConstants.CERT_PATH_POLICY_QUALIFIERS_REJECTED)).booleanValue();
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_REVOCATION_ENABLED)!=null){
 			revocationEnabled = Boolean.valueOf((String)options.get(SecurityConstants.CERT_PATH_REVOCATION_ENABLED)).booleanValue();
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_SIG_PROVIDER)!=null){
 			sigProvider =(String)options.get(SecurityConstants.CERT_PATH_SIG_PROVIDER);
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_CRL_PATH)!=null){
 			 fileCrlPath =(String)options.get(SecurityConstants.CERT_PATH_CRL_PATH);
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_URL_CRL_PATH)!=null){
 			 urlCrlPath =(String)options.get(SecurityConstants.CERT_PATH_URL_CRL_PATH);
 		}
 
 		if((String)options.get(SecurityConstants.TRUSTED_CA_CERTIFICATES_DIRECTORY_PATH)!=null){
 			trustedCaCertsDirPath= (String)options.get(SecurityConstants.TRUSTED_CA_CERTIFICATES_DIRECTORY_PATH);
 			trustAnchors = CertUtils.getTrustedAnchorsFromDirectory(trustedCaCertsDirPath);
 		}
 		
 		if((String)options.get(SecurityConstants.SECURITY_PROVIDER)!=null){
 			String securityProviderClassName = (String)options.get(SecurityConstants.SECURITY_PROVIDER);
 			try {
 				Class securityProviderClass = this.getClass().getClassLoader().loadClass(securityProviderClassName);
 				securityProvider = (Provider) securityProviderClass.newInstance();
 
 			} catch (ClassNotFoundException e) {
 				logger.warn(e.getMessage());
 			} catch (InstantiationException e) {
 				logger.warn(e.getMessage());
 			} catch (IllegalAccessException e) {
 				logger.warn(e.getMessage());
 			}
 		}else{
 			securityProvider = new BouncyCastleProvider();
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_CERTSTORE_TYPE)!=null){
 			  certStoreType = (String)options.get(SecurityConstants.CERT_PATH_CERTSTORE_TYPE);
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_LDAP_SERVER_NAME)!=null){
 			ldapServerName = (String)options.get(SecurityConstants.CERT_PATH_LDAP_SERVER_NAME);
 		}
 
 		if((String)options.get(SecurityConstants.CERT_PATH_LDAP_SERVER_PORT)!=null){
 			ldapServerPort = Integer.parseInt((String)options.get(SecurityConstants.CERT_PATH_LDAP_SERVER_PORT));
 		}
 		
 		if((String)options.get(SecurityConstants.JAVAX_NET_SSL_TRUSTSTORE)!=null){
 			String trustStoreFileName = (String)options.get(SecurityConstants.JAVAX_NET_SSL_TRUSTSTORE);
 			System.setProperty("javax.net.ssl.trustStore",trustStoreFileName);
 		}
 		
 		if((String)options.get(SecurityConstants.JAVAX_NET_SSL_TRUSTSTORE_PASSWORD)!=null){
 			String trustStorePassword = (String)options.get(SecurityConstants.JAVAX_NET_SSL_TRUSTSTORE_PASSWORD);
 			System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
 		}
 		
 		if((String)options.get(SecurityConstants.KEY_STORE_PATH)!=null){
 			keyStorePath = (String)options.get(SecurityConstants.KEY_STORE_PATH);
 		}
 		
 		if((String)options.get(SecurityConstants.KEY_STORE_PASSWORD)!=null){
 			keyStorePassword = (String)options.get(SecurityConstants.KEY_STORE_PASSWORD);
 		}
 		
 		if((String)options.get(SecurityConstants.KEY_STORE_TYPE)!=null){
 			keyStoreType = (String)options.get(SecurityConstants.KEY_STORE_TYPE);
 		}
 		
 		
 	}
 
 	/**
 	 *
 	 * @see javax.security.auth.spi.LoginModule#login()
 	 */
 	public boolean login() throws LoginException {
 
 		boolean login = super.login();
 		if(!login){
 			return login;
 		}
 		certPath = buildCertPath(certChainToCheck);
 	    validateCertPath(certPath);
 	    //like we've already check user credentials present in the certificate
 		//password check must not be done one more time.
 	    sharedState.put(SecurityConstants.SKIP_PASSWORD_CHECK, "true");
 		return true;
 	}
 
 	
 	/**
 	 * generate certification Path .
 	 * @param certs the X509Certificate Array
 	 * @return certification path
 	 */
 	private CertPath buildCertPath(X509Certificate[] certs){
 		CertificateFactory certFactory = null;
 		CertPath certPath = null;
 		try {
 			certFactory = CertificateFactory.getInstance(CRLLoginModule.X_509,securityProvider);
 			certPath = certFactory.generateCertPath(Arrays.asList(certs));
 		} catch (CertificateException e) {
 			logger.warn(e.getMessage());
 		}
 
 		return certPath;
 	}
 
 
 	/**
 	 * validate a certPath.
 	 * @param certPath
 	 * @throws LoginException
 	 */
 	private void validateCertPath(CertPath certPath) throws LoginException{
 		CertPathValidator validator = null;
 		PKIXParameters parameters = null;
 		PKIXCertPathValidatorResult result = null;
 		try {
 			validator = CertPathValidator.getInstance(CRLLoginModule.PKIX,securityProvider);
 
 		} catch (NoSuchAlgorithmException e) {
 			logger.error(" algorithm PKIX is not present "+securityProvider.getName()
 			+" "+securityProvider.getInfo()+" "+securityProvider.getVersion());
 		}
 		try {
 
 				parameters = getPKIXParameters();
 				List certStores = new ArrayList();
 				CertStore certStore = getCertStore();
 				certStores.add(certStore);
 				parameters.setCertStores(certStores);
 				parameters.setAnyPolicyInhibited(anyPolicyInhibited);
 				//TODO implement better data handling (more precise)
 				parameters.setDate(new Date());
 				//TODO howto implements the CRLSelector => with certStore?
 				parameters.setExplicitPolicyRequired(explicitPolicyRequired);
 				parameters.setPolicyMappingInhibited(policyMappingInhibited);
 				parameters.setPolicyQualifiersRejected(policyQualifierRejected);
 				parameters.setRevocationEnabled(revocationEnabled);
 				if(sigProvider!=null){
 				  parameters.setSigProvider(sigProvider);
 				}
 				//TODO define the certSelector
 				//parameters.setTargetCertConstraints(null);
 				//
 				result =(PKIXCertPathValidatorResult)validator.validate(certPath,parameters);
 				PolicyNode policyTree = result.getPolicyTree();
 				PublicKey key = result.getPublicKey();
 				TrustAnchor anchor = result.getTrustAnchor();
 				if(debug){
 					if(policyTree!=null){
 						logger.debug("policyTree depth = "+policyTree.getDepth());
 						logger.debug("policyTree expected policies = "+policyTree.getExpectedPolicies());
 						logger.debug("policyTree policy qualifiers = "+policyTree.getPolicyQualifiers());
 					}
 					if(key!=null){
 						logger.debug("public key= "+key.toString());
 					}
 					if(anchor!=null){
 						logger.debug("TrustAnchor ca name= "+anchor.getCAName());
 						logger.debug("TrustAnchor ca public key = "+anchor.getCAPublicKey());
 						logger.debug("TrustAnchor name constraints = "+anchor.getNameConstraints());
 						logger.debug("TrustAnchor trustedCert = "+anchor.getTrustedCert());
 					}
 				}
 		} catch (InvalidAlgorithmParameterException e) {
 			logger.error(e.getMessage());
 			throw new FailedLoginException(e.getMessage());
 		} catch (CertPathValidatorException e) {
 			logger.error(e.getMessage());
 			throw new FailedLoginException(e.getMessage());
 		}
 	}
 
 	private PKIXParameters getPKIXParameters() throws LoginException {
 		PKIXParameters parameters = null;
 		if(keyStorePath!=null){
 			KeyStore keystore;
 			try {
 				keystore = CertUtils.getKeyStore(keyStorePath, keyStorePassword, keyStoreType);
 				parameters = new PKIXParameters(keystore);
 			} catch (KeyStoreException e) {
 				throw new LoginException(e.getMessage());
 			} catch (NoSuchAlgorithmException e) {
 				throw new LoginException(e.getMessage());
 			} catch (CertificateException e) {
 				throw new LoginException(e.getMessage());
 			} catch (IOException e) {
 				throw new LoginException(e.getMessage());
 			} catch (InvalidAlgorithmParameterException e) {
 				throw new LoginException(e.getMessage());
 			}
 			
 		}else{
 			try {
 				parameters = new PKIXParameters(trustAnchors);
 			} catch (InvalidAlgorithmParameterException e) {
 				throw new LoginException(e.getMessage());
 			}
 		}
 		return parameters;
 	}
 
 
 	/**
 	 * retrieve the certStore.
 	 * @return certStore
 	 * @throws LoginException the certStore valueType is invalid
 	 */
 	private CertStore getCertStore() throws LoginException{
 		CertStore certStore = null;
 
 		        //build a certStoreParameters object
 				CertStoreParameters certStoreParams = null;
 				if(certStoreType.equalsIgnoreCase(CRLLoginModule.LDAP)){
 					certStoreParams = new LDAPCertStoreParameters(ldapServerName,ldapServerPort);
 				}else if(certStoreType.equalsIgnoreCase(CRLLoginModule.COLLECTION)){
 					Collection crlCollection = getCRLAndCertsCollection();
 					certStoreParams = new CollectionCertStoreParameters(crlCollection);
 				}else{
 					throw new LoginException(" invalid 'certStoreType' value : this value should be 'LDAP' or 'Collection' ");
 				}
 				try {
 					//build a CRL certStore
 					certStore = CertStore.getInstance(certStoreType,certStoreParams,securityProvider);
 
 				} catch (NoSuchAlgorithmException e) {
 					throw new LoginException(e.getMessage());
 				} catch (InvalidAlgorithmParameterException e) {
 					throw new LoginException(e.getMessage());
 				}
 
 		return certStore;
 	}
 
 	/**
 	 * retrieve Certificate Revocation List (CRL) and Certificates.
 	 * @return collection of CRL and Certificates
 	 */
 	private Collection getCRLAndCertsCollection() {
 		Collection crlAndCerts = new ArrayList();
 		CertificateFactory certFactory = null;
 		try {
 			certFactory = CertificateFactory.getInstance(CRLLoginModule.X_509,securityProvider);
 		} catch (CertificateException e) {
 			logger.error( " X509 certificate factory cannot be retrieved with the securityProvider "+
 					securityProvider.getName()+" "+securityProvider.getInfo()+
 					" "+securityProvider.getVersion(),e);
 		}
 
 		if(fileCrlPath!=null){
 		  addCRLFromPath(crlAndCerts, certFactory);
 		}
 		if(urlCrlPath!=null){
 		  addCRLFromURL(crlAndCerts, certFactory);
 		}
 		return crlAndCerts;
 	}
 
 	/**
 	 *
 	 * add <b>ONE</b> CRL grabbed from a file path to the 'CRLs and Certs' Collection.
 	 * @param crlAndCerts
 	 * @param certFactory
 	 */
 	private void addCRLFromPath(Collection crlAndCerts, CertificateFactory certFactory) {
 
 			InputStream stream = null;
 			try {
 				stream = new BufferedInputStream(new FileInputStream(fileCrlPath));
 			} catch (FileNotFoundException e) {
 				e.printStackTrace();
 			}
 			try {
 				CRL crl  = certFactory.generateCRL(stream);
 				crlAndCerts.add(crl);
 			} catch (CRLException e) {
 				e.printStackTrace();
 			}finally{
 			      try {
 					stream.close();
 				} catch (IOException e) {
 					e.printStackTrace();
 				}
 			}
 	}
 
 	/**
 	 * add <b>ONE</b> CRL grabbed from an URL to the 'CRLs and Certs' Collection.
 	 * @param crlAndCerts
 	 * @param certFactory
 	 */
 	private void addCRLFromURL(Collection crlAndCerts, CertificateFactory certFactory) {
 			DataInputStream data = null;
 			try {
 				URL url = new URL(urlCrlPath);
 				URLConnection connection = url.openConnection();
 				//we retrieve content
 				connection.setDoInput(true);
 				//we do not permit to cache content
 				connection.setUseCaches(false);
 				data = new DataInputStream(connection.getInputStream());
 				try {
 					CRL crl  = certFactory.generateCRL(data);
 					crlAndCerts.add(crl);
 				} catch (CRLException e) {
 					logger.error(" CRL cannot be built with the retrieved data ");
 					e.printStackTrace();
 				}
 			} catch (MalformedURLException e) {
 				logger.error( " bad uri synthax "+urlCrlPath,e);
 			} catch (IOException e) {
 				logger.error( " IOException when we wan to retrieve CRL with data ",e);
 			}finally{
 				try {
 					data.close();
 				} catch (IOException e) {
 					logger.error( " IOException when we close the DATAInputStream",e);
 				}
 			}
 	}
 
 	/**
 	 * install BouncyCastleProvider in the secuirty providers
 	 * stack of the java platform.
 	 * @return true if installation succeed, false otherwise
 	 */
     protected static boolean initSecurityProvider(){
     	if(Security.getProvider(BouncyCastleProvider.class.getName())==null){
 			try{
 			Security.addProvider(new BouncyCastleProvider());
 			return true;
 			}catch(SecurityException sex){
 				logger.error(" jGuard cannot add dynamically the JCE provider required from  \n");
 				logger.error(" the BOUNCYCASTLE library .this operation is prevented by the SECURITYMANAGER \n");
 				logger.error(" to use this required provider, you must add an entry to your java.security  \n");
 				logger.error(" properties file (found in $JAVA_HOME/jre/lib/security/java.security, \n");
 				logger.error(" where $JAVA_HOME is the location of your JDK/JRE distribution) \n");
 				logger.error(" security.provider.<n>=org.bouncycastle.jce.provider.BouncyCastleProvider \n");
 				logger.error("  Where <n> is the preference you want the provider at (1 being the most prefered). ");
 				return false;
 			}
         }else{
         	return true;
         }
     }
 
 }