/*
    jGuard is a security framework based on top of jaas (java authentication and authorization security).
    it is written for web applications, to resolve simply, access control problems.
    version $Name$
    http://sourceforge.net/projects/jguard/
   
    Copyright (C) 2004  Charles GAY
   
    This library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.
  
   This library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.
  
   You should have received a copy of the GNU Lesser General Public
   License along with this library; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  
  
   jGuard project home page:
   http://sourceforge.net/projects/jguard/
  
   */
  package net.sf.jguard.ext.authentication.loginmodules;
  
  import java.io.IOException;
  import java.lang.reflect.Array;
  import java.security.cert.CertificateParsingException;
  import java.security.cert.X509Certificate;
  import java.util.Arrays;
  import java.util.Collection;
  import java.util.Iterator;
  import java.util.List;
  import java.util.Set;
  
  import java.util.logging.Level;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.callback.UnsupportedCallbackException;
  import javax.security.auth.login.LoginException;
  import javax.security.auth.spi.LoginModule;
  
  import net.sf.jguard.core.authentication.credentials.JGuardCredential;
  import net.sf.jguard.ext.SecurityConstants;
  import net.sf.jguard.ext.authentication.callbacks.CertificatesCallback;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
  
  /**
   * Base class for LoginModules related to certificate. 
   * @author <a href="mailto:diabolo512@users.sourceforge.net">Charles Gay</a>
   * @see CRLLoginModule
   * @see OCSPLoginModule
   * @since 1.0.0
   */
  public abstract class CertificateLoginModule implements LoginModule {
  
  	
  	private static final Logger logger = LoggerFactory.getLogger(CertificateLoginModule.class.getName());
  	protected Subject subject;
  	protected boolean loginOK = true;
  	protected X509Certificate[] certChainToCheck;
  	protected CallbackHandler callbackHandler;
  	/**
  	 *
  	 * @see javax.security.auth.spi.LoginModule#abort()
  	 */
  	public boolean abort() throws LoginException {
  		if(subject!= null){
  	          subject.getPrincipals().clear();
  	          subject.getPrivateCredentials().clear();
  	          subject.getPublicCredentials().clear();
  	    }
  	    return true;
  	}
  	public boolean commit() throws LoginException {
  		if(loginOK){
  			return certificateCommit();
  		}else{
  			return false;
  		}
  	}
  
  	
  
  	/**
  	 *
  	 * @see javax.security.auth.spi.LoginModule#logout()
  	 */
  	public boolean logout() throws LoginException {
  		subject.getPrincipals().clear();
  		subject.getPublicCredentials().clear();
  		subject.getPrivateCredentials().clear();
  		return true;
 	}
 
 
 	
 	protected boolean certificateCommit() throws LoginException {
 		Set publicCredentials = this.subject.getPublicCredentials();
 		List certs = Arrays.asList(this.certChainToCheck);
 		//we only use the first certificate which is the one assigned to user
 		X509Certificate cert = (X509Certificate)certs.get(0);
         subject.getPrincipals().add(cert.getSubjectX500Principal());
         
 		
 		if(cert.getSubjectUniqueID()!=null){
 			JGuardCredential credential1 = new JGuardCredential();
 			credential1.setName(SecurityConstants.UNIQUE_ID);
 			credential1.setValue(cert.getSubjectUniqueID());
 			publicCredentials.add(credential1);
 		}
 		
 		Collection altNames=null;
 		try {
 			altNames = cert.getSubjectAlternativeNames();
 		} catch (CertificateParsingException e) {
 			logger.error(" certificate cannot be parsed ");
 			//alternativeNames must be valid unless they don't exist
 			throw new LoginException(e.getMessage());
 		}
 		if(altNames==null){
 			return true;
 		}
 		int count = 0;
 		//populate alternativeNames
 		Iterator itAltNames  = altNames.iterator();
 		while(itAltNames.hasNext()){
 			List extensionEntry = (List)itAltNames.next();
 			Integer nameType = (Integer) extensionEntry.get(0);
 			Object name = extensionEntry.get(1);
 			byte[] nameAsBytes = null;
 			JGuardCredential credential = new JGuardCredential();
 			credential.setName(SecurityConstants.ALTERNATIVE_NAME+"#"+count);
 			if(name instanceof Array){
 				nameAsBytes = (byte[]) name;
 			}
 			if(nameAsBytes!= null){
 				credential.setValue(nameType+"#"+new String(nameAsBytes));
 			}else{
 				credential.setValue(nameType+"#"+(String)name);
 			}
 			publicCredentials.add(credential);
 			count++;
 		}
 
 		return true;
 	}
 	
 	
 	public boolean login()throws LoginException{
 		if (callbackHandler == null) {
 			loginOK = false;
 			throw new LoginException("there is no CallbackHandler to authenticate the user");
 		}
 		Callback[] callbacks = new Callback[1];
 		callbacks[0] = new CertificatesCallback();
 		try {
 			callbackHandler.handle(callbacks);
 		} catch (IOException e1) {
 			logger.error( " IOException when we handle callbacks with callback " + callbackHandler.getClass().getName(), e1);
 		} catch (UnsupportedCallbackException e1) {
 			logger.error( " one callback type is not supported ", e1);
 		}
 		certChainToCheck = ((CertificatesCallback) callbacks[0]).getCertificates();
 		if (certChainToCheck == null ||certChainToCheck.length==0) {
 			loginOK = false;
 			//no certificates can be checked so we inactivate this loginmodule
 			return false;
 		}
 		return true;
 	}
 }