/*
    * SAMLAuthZServiceBase.java
    *
    * Created on January 5, 2005, 5:50 PM
    * 
    */
   
   package org.opensciencegrid.authz.service;
   
  
  import java.util.ArrayList;
  import java.util.Iterator;
  import java.util.Calendar;
  import java.rmi.RemoteException;
  import org.glite.security.SecurityContext;
  import org.glite.security.util.axis.InitSecurityContext;
  
  import org.opensaml.v1_0_1.XML;
  import org.opensaml.v1_0_1.QName;
  import org.opensaml.v1_0_1.SAMLDecision;
  import org.opensaml.v1_0_1.SAMLException;
  import org.opensaml.v1_0_1.SAMLSubject;
  import org.opensaml.v1_0_1.SAMLRequest;
  import org.opensaml.v1_0_1.SAMLAssertion;
  import org.opensaml.v1_0_1.SAMLResponse;
  import org.opensaml.v1_0_1.SAMLAuthorizationDecisionQuery;
  import org.opensaml.v1_0_1.SAMLAuthorizationDecisionStatement;
  import org.opensaml.v1_0_1.SAMLAttribute;
  import org.opensaml.v1_0_1.SAMLAttributeStatement;
  import org.opensaml.v1_0_1.SAMLAction;
  
  import org.opensciencegrid.authz.saml.XACMLObligation;
  import org.opensciencegrid.authz.saml.ObligatedAuthorizationDecisionStatement;
  import org.opensciencegrid.authz.saml.OSGXML;
  import org.opensciencegrid.authz.saml.SAMLExtensionInit;
  import org.opensciencegrid.authz.saml.SAMLUtil;
  
  import org.opensciencegrid.authz.stubs.SAMLRequestPortType;
  import org.opensciencegrid.authz.stubs.SAMLRequestType;
  import org.opensciencegrid.authz.stubs.SAMLResponseType;
  
  import org.opensciencegrid.authz.common.OSGAuthorizationConstants;
  
  import org.apache.log4j.Category;
  import org.apache.axis.message.MessageElement;
  import org.w3c.dom.Element;
  
  /*** 
   * Common implementation for a SAML authorization service: parses the requests,
   * and performs the authorization through an abstract method, to be implemented
   * by the AuthZ service.
   *
   * Status: untested
   *
   * TODO: retrieving the caller identity from the trustmanager
   * 
   * @author Markus Lorch, Gabriele Carcassi, John Weigand
   */
  
  public abstract class SAMLAuthZServiceBase implements SAMLRequestPortType {
  
  
      /*** This inner class is used as return value from the authorize method */
  
      protected class AuthzDecision {
          
          /*** decision may have the following values 
            * org.opensaml.v1_0_1.SAMLDecision.INDETERMINATE, SAMLDecision.DENY, SAMLDecision.PERMIT,
            * is initialized to SAMLDecision.INDETERMINATE
            */
          public String decision = SAMLDecision.INDETERMINATE;       
      
          /*** set of actions authorized by the authorize method */   
          public ArrayList actions;
  
          /*** set of obligations imposed on the response by the authorize method */
          public ArrayList obligations;
      
          /*** holds the issuer name of the authorization decision to be embedded in the  SAMLResponse */
          public String issuer;
  
          /*** method to print the contents for debugging */
          public String toString() {
             String s;
             s = "Decision: "+decision;
             s = s.concat(", Actions: ");
             if(actions==null ) s=s.concat("null");
             else if(actions.isEmpty()) s= s.concat("empty");
             else
               for(int i=0;i<actions.size();i++) {
                 Object x = actions.get(i); 
                 if (x instanceof SAMLAction) {
                    SAMLAction a = (SAMLAction) x;
                    s=s.concat(a.getNamespace()+" "+a.getData()+" | ");
                 }
                 else
                    s= s.concat(actions.get(i).toString()+" | ");
               }
             s=s.concat(", Obligations: ");
            if(obligations==null) s=s.concat("null");
            else if(obligations.isEmpty()) s= s.concat("empty");
            else
              for(int i=0;i<obligations.size();i++) {
                Object x = obligations.get(i); 
                if (x instanceof XACMLObligation) {
                   XACMLObligation o = (XACMLObligation) x;
                   s=s.concat(o.getObligationId()+" "+o.getAttributeId()+"="+o.getValue())+" | ";
                }
                else
                   s= s.concat("Unsupported Obligation | ");
              }
            s = s.concat(", Issuer: "+issuer);
            return s;
         }
 
     }
 
     /*** the Fully Qualified Attribute Name (FQAN) = the VOMS VO-membership/role attribute */
     protected class FQAN {
        String issuer;
        String data;
     }
 
 
     // static parameters
 
     /*** this service can only respond with a SAML AuthorizationDecisionStatement or an 
         ObligatedAuthorizationDecisionStatement (this form is an OSG SAML Extension) */
      
     private static final QName AUTHZ_DECISION_STMT =  new QName(XML.SAML_NS,"AuthorizationDecisionStatement");
     private static final QName OBLIG_DECISION_STMT =  new QName(OSGXML.SAML_EXT_NS,"ObligatedAuthorizationDecisionStatement");
 
     /*** determins for how long (in minutes) should issued assertions be valid */ 
     private static final int ASSERTION_VALIDITY_IN_MINUTES = 10;
 
     /*** Log4Java logger */
     static Category log = Category.getInstance(SAMLAuthZServiceBase.class.getName() );
 
     
 
     //##########################################################################################################
     // Methods
 
 
     /*** Performs the authorization of the request.
      *
      * The abstract authorize method must be implemented by an a concrete subclass that implements an authorization 
      * service. At a minimum the implementation should:
      *  - evaluate subject, resource and requested actions
      *  - return SAMLDecision.DENY, SAMLDecision.PERMIT, or SAMLDecision.INDETERMINATE
      *    if a decision could not be reached (e.g. service not authoritative for resource)
      *  - set member variable responseIssuer
      *  - set member variable responseActions (authorized actions if Decision=Permit, otherwise
      *    a copy of the requested actions)
      *  in addition it may
      *  - evaluate presented subject evidence
      *    (e.g. VOMS FQAN, other privilege attributes, or certificate chain)
      *  - create XACMLObligation objects and add tehm to the  
      *    responseObligations member variable
      */
     protected abstract AuthzDecision authorize(SAMLSubject subject, String resource, Iterator actions, Iterator evidence)
            throws SAMLException;
 
 
     /*** Main function, recives SAMLRequest and response with a SAMLResponse 
      * 1. parse request, can request be serviced by this code?
      * 2. parse authorization query 
      * 3. call authorize method implementation of concrete subclass, which will return decision object 
      * 4. verify and process authorization response from authorize method
      * 5. create and return SAML response
      *    if obligations were provided return ObligatedAuthorizationDecisionStatement   
      *    else return a standard AuthorizationDecisionStatement with the appropriate decision
      */
 
     public SAMLResponseType SAMLRequest(SAMLRequestType samlRequestType) throws java.rmi.RemoteException {
        
         /*** the SAMLRequest we are processing */
         SAMLRequest request = null;
 
         /*** the originator of the request */
         String requestIssuer = null;
 
         /*** the authorization decision query from the saml request */
         SAMLAuthorizationDecisionQuery authzQuery = null;
   
         /*** true if we can use ObligatedAuthorizationDecisionStatement to respond */
         boolean respondWithObligAuthzStmt = false;
 
         /*** the AuthzDecision object is used to hold the return values set by the
             implementation of the abstract authorize method */
         AuthzDecision response = null;
 
         /*** the set of samlStatements that hold the authorization decision - typically one */
         ArrayList   decisionStmts = null;
 
         /*** the set of assertions that hold the decisionStmts - typically one*/
         ArrayList   responseAssertions = null;
         
         /*** the generated samlResponse */     
         SAMLResponseType samlResponse = null;  
     
   
 
         try {
 
             //Initialize SAML Extensions
             SAMLExtensionInit.init();
 
             // retrieve the request originator 
 
             // *************************  todo when glite trusmanager is fixed
             // whats the equivalent of this call without globus
             //requestIssuer = SecurityManager.getManager().getCaller();
             requestIssuer = SecurityUtil.retrieveClientDN();
             log.debug("Processing incoming SAMLRequest from " + requestIssuer);
 
 
             //#######################################################
             // parse and process request
 
             // parse request
             request = processSAMLRequest(samlRequestType);
 
             // check if we may respond with an ObligatedAuthorizationDecisionStatement              
             respondWithObligAuthzStmt = checkRespondWith(request);
 
             // check if request is an AuthorizationDecisionQuery and extract query
             authzQuery = extractAuthorizationDecisionQuery(request); 
 
             if(authzQuery!=null) log.debug("Extracted authorization decision query");
           
             //#######################################################
             // call implementation of authorize method in concrete subclass
             log.debug("Calling implementation of authorize method in the authoirzation service subclass");
             
 	    response = authorize( 	authzQuery.getSubject(), 
             				authzQuery.getResource(), 
            				authzQuery.getActions(),  
           				authzQuery.getEvidence()
                                         );
             log.debug("Authorize method returned:"+ response.toString());
 
 
             //#######################################################
             // check response from authorize method implementation
 
             if (response.decision !=null &&
                   ( response.decision.equals(SAMLDecision.PERMIT) ||
                     response.decision.equals(SAMLDecision.DENY) ||
                     response.decision.equals(SAMLDecision.INDETERMINATE) ) 
                ) {
                 // decision value is ok, do nothing
             }
             else { 
               // decision value not allowed, abort 
               throw new Exception("Authorize method did not return valid decision value");
             }
             
             if (response.actions == null || response.actions.isEmpty()) 
               throw new Exception("Authorize method did not return any actions");
             
             if (response.issuer == null || response.issuer.length() ==0)
               throw new Exception("Authorize method did not return issuer value");
             
        
             // decide if, in the presence of obligations, an ObligatedAuthorizationDecisionStatement
             // may be returned based on the clients respondWith wishes, if not we return "indeterminate"
 
             if(    (response.obligations!=null) 
                 	&& (!response.obligations.isEmpty())  
                 	&& (!respondWithObligAuthzStmt)  ) {
 
                     response.obligations = null; // cannot return obligations
                     log.warn("Response requires obligations, but the set of client-requested response formats did not include ObligatedAuthoirzationDecisionStatement");
                     log.warn("Must return INDETERMINATE, as obligations cannot be conveyed with standard response"); 
                     response.decision = SAMLDecision.INDETERMINATE;   // cannot say yes or no
 
             } // end if response.obligations
 
 
             //#######################################################
             // create SAML Response 
                     
             log.debug("returning AuthorizationDecisionStatement with decision= "+ response.decision); 
 
             decisionStmts =  createAuthzDecisionStmt(authzQuery, response.decision, response.actions, response.obligations);
 
             responseAssertions = createAssertions(response.issuer, decisionStmts);
 
             samlResponse = createSAMLResponse(  request.getId(), 
      						requestIssuer,
 						responseAssertions,     
      						null
                                              );
 
             log.debug("Returning response");
 
             return samlResponse;
 
         } catch (Exception e) {
             // if an error occurred we will reply with a SAMLAuthorizationDecision  
             // and set decision=indeterminate 
             // we deliberately do not tell the possible attacker why our code produced an exception
             log.error("ABORT: "+e);
             log.debug("Exception trace: ",e);
             try {
               log.debug("Attempting to construct a SAML AuthoirzationDecisionStatement with decision = INDETERMINATE");
               if (response==null) response = new AuthzDecision();
               if (response.actions == null) {
                   response.actions = new ArrayList(1);
                   log.debug("don't have actions set so we will duplicate requested actions");
                   Iterator ai = authzQuery.getActions();
                   while(ai.hasNext()) response.actions.add(ai.next());  
               }
               if (response.issuer == null) response.issuer="Unknown";
               decisionStmts = createAuthzDecisionStmt(authzQuery, SAMLDecision.INDETERMINATE, response.actions, null); 
               responseAssertions = createAssertions(response.issuer, decisionStmts);
               samlResponse = createSAMLResponse(  request.getId(), 
      						  requestIssuer,
 						  responseAssertions,     
      						  null
                                                );
               log.error("Responding with SAML AuthorizationDecisionSatement with decision = INDETERMINATE");
               return samlResponse;
 
             } catch (Exception samlExcp) {
               log.error("Unable to create a SAML AuthorizationDecisionStatement with decision = INDETERMINATE");
               log.error("Caught exception was: "+samlExcp,samlExcp);
               try {
                 SAMLException reportedException = new SAMLException(new QName(XML.SAMLP_NS, "RequestDenied"), 
                              "Please contact the system administrator of this authorization service for more information");
                 samlResponse = createSAMLResponse(request.getId(), requestIssuer, null, reportedException);
                 log.error("Responding with SAML-Exception response: RequestDenied");
                 return samlResponse;
               }
               catch (Exception samlExcp2) {
                 // we can't do anything else than throw a remote Exception at this point
                 // we will not tell the client what kind of error occurred
                 log.error("Unable to respond to request");
                 log.error("Caught exception was: "+samlExcp,samlExcp);
                 throw new java.rmi.RemoteException("Service unable to respond to request!");
               } // end samlExcp2
 
             } // enc catch samlExcp
         }
 
 
     } // end SAMLRequest
 
 
 
     //################################################################
     /*** Parses and returns the SAMLRequest in the RequestType 
       * throws RemoteException or SAMLException if problems occur
       */
     private SAMLRequest processSAMLRequest(SAMLRequestType requestType)
     throws RemoteException, SAMLException {
         
         SAMLRequest returnValue;
 
         // --------------------
         // Verify request type
         // --------------------
         log.debug("Validating request type");
         if (requestType == null) {
             throw new RemoteException("Received a null request");
         }
 
         // ------------------------------
         // Construct SAMLRequest object from DOM.
         // sets this.request
         // ------------------------------
         log.debug("Extracting SAMLRequest");
         try {
             MessageElement[] msgElement = requestType.get_any();
             returnValue = new SAMLRequest(msgElement[0].getAsDOM());
             if (returnValue == null) {
                 throw new RemoteException("SAMLRequest returned null");
             }
         } catch (Exception exp) {
             throw new RemoteException("Error extracting SAML Request object: "+exp);
         }
 
         return returnValue;
 
     } // end method processSAMLRequest
 
 
     //################################################################
     /*** checks the respondWith request by the client, returns true
       * if we can respond with an ObligatedAuthorizationDecisionStatement
       * Note: If no respondWith is present, then true is also returned 
       * throws RemoteException or SAMLException if problems occur or
       * if a SAML AuthorizationDecisionStatement is not supporte by
       * the client
       */
     private boolean checkRespondWith(SAMLRequest request)
     throws RemoteException, SAMLException {
         // -------------------------------------------------------------------
         // Validate respondWith elements this service can respond with
         // the obligated authorization decision statement is optional
         // the standard authorization decision statmenent is required
         // -------------------------------------------------------------------
         boolean authzDecisionStmtFound = false;
         boolean obligAuthzDecisionStmtFound = false;
         Iterator respondWiths = request.getRespondWiths();
 
         if (respondWiths == null ) {
            log.debug("No respondWith elements found in request, enabling ObligatedAuthorizationDecisionStatement");
            obligAuthzDecisionStmtFound = true;
         } else {
 
         // ok respondWiths are present, now lets see whats requested
       
         // --- loop thru and check 
         while (respondWiths.hasNext()) {
           QName respondWith = (QName)respondWiths.next();
           // standard SAML AuthzDecisionStatement
           if (respondWith.equals(this.AUTHZ_DECISION_STMT) ) {
               authzDecisionStmtFound = true;
               log.debug("Supported respondWith: "+respondWith.toString());
           } 
           else if (respondWith.equals(this.OBLIG_DECISION_STMT) ) {
               obligAuthzDecisionStmtFound = true;
               log.debug("Supported respondWith: "+respondWith.toString());
           }
           else {
             log.debug("Found unrecognized respondWith: "+respondWith.toString());
           } // end if / else if / else
         } // end while
 
         if (!authzDecisionStmtFound) {
            log.debug("Standard SAML AuthorizationDecisionStatement is not supported by client, aborting");
            throw new java.rmi.RemoteException("Standard SAML AuthorizationDecisionStatement is not supported by client.");
         }
 
         } // end else respondWiths == null
 
         return obligAuthzDecisionStmtFound;
 
      } // end method checkRespondWith
 
 
 
     //################################################################
     /*** Extracts an authorization decision query from the request
       * throws RemoteException or SAMLException if problems occur
       */
     private SAMLAuthorizationDecisionQuery extractAuthorizationDecisionQuery(SAMLRequest request)
     throws RemoteException, SAMLException {
 
         Object obj = request.getQuery();
         if (obj instanceof SAMLAuthorizationDecisionQuery ) {
             log.debug("FOUND SAMLAuthorizationDecisionQuery: "+obj);
             return (SAMLAuthorizationDecisionQuery) obj;
         } else {
             log.error("Request not supported: "+obj);
             throw new java.rmi.RemoteException("Request not supported.");
         } //end if/else
 
     } //end method extractAuthorizaitonDecisionQuery
 
 
     //#############################################################
     /*** Returns the Distinguished Name of a SAMLSubject.
       * Needs: X.509 format validation
       */
     private String getRequestUser(SAMLSubject subject)
     throws SAMLException {
       String subjectDN = subject.getName().getName();
       return subjectDN;
     } // end method
    
  
     //###############################################################
     /*** Creates an ArrayList with a either a standard SAML AuthorizationDecisionStatement
       * or an ObligatedAuthorizationDecisionStatement based on the
       * value of the responseObligations parameter
       */
     private ArrayList createAuthzDecisionStmt(SAMLAuthorizationDecisionQuery query,
                                                String decision,
 					       ArrayList actions,
                                                ArrayList obligations)
     throws SAMLException {
      
        ArrayList	samlStmts = new ArrayList(1);
        Object 	stmt;
          
        if(    (obligations!=null) && (!obligations.isEmpty() ) ) // obligations present
          stmt = new ObligatedAuthorizationDecisionStatement(query.getSubject(),
 						           query.getResource(),
                                                            decision,
                                                            actions,
                                                            null,
                                                            obligations);
        else // no obligations - standard statement
            stmt = new SAMLAuthorizationDecisionStatement(query.getSubject(),
 						           query.getResource(),
                                                            decision,
                                                            actions,
                                                            null);
     
       samlStmts.add(stmt);
   
       return samlStmts;
 
     } // end method 
 
 
   
 
  
     //###############################################################
     /*** Creates an arraylist of SAMLAssertions that hold a single
       * assertion with the provided SAMLStatements and a validity
       * time constraint from now for ASSERTION_VALIDITY_IN_MINUTES
       * minutes
       */
     private ArrayList createAssertions(String issuer, ArrayList stmts)
     throws SAMLException {
 
      ArrayList assertions = new ArrayList(1);
      SAMLAssertion samlAssertion;
    
      Calendar notBefore = Calendar.getInstance();
      Calendar notAfter = Calendar.getInstance();
      notAfter.add(Calendar.MINUTE, this.ASSERTION_VALIDITY_IN_MINUTES);
           
      samlAssertion = new SAMLAssertion(issuer,
                                        notBefore.getTime(),
                                        notAfter.getTime(), 
      				       null, 
 				       null, 
 				       stmts);
      
      assertions.add(samlAssertion);
 
      return assertions;
 
    } // end method
 
    
     //###############################################################
     /*** Creates the SAMLResponseType holding the assertions 
       */
     private SAMLResponseType createSAMLResponse(String inResponseTo, 
 						String recipient, 
 						ArrayList assertions, 
 						SAMLException samlException)
     throws SAMLException {
 
       SAMLResponseType samlResponse = null;
 
       SAMLResponse response = new SAMLResponse(inResponseTo, recipient, assertions, samlException);
 
       log.debug("Created SAMLResponse: "+response);
 
       samlResponse = new SAMLResponseType();
 
       samlResponse.set_any(new MessageElement[] { new MessageElement((Element)response.toDOM())});
 
       return samlResponse;
 
     } // end method
 
 
 
   /*** checks if a specific SAMLAttributeStatement holds a FQAN, and
     * returns that FQAN attribute in form of a string 
     * returns null if no FQAN (string) attribute could be located
     */
 
    protected String getFQAN(SAMLAttributeStatement stmt) throws SAMLException {
 
       String fqan = null;
 
       Iterator attributeIterator = stmt.getAttributes();
 
       while (attributeIterator.hasNext()) {
         Object attrib = attributeIterator.next();
         if ( ! (attrib instanceof SAMLAttribute) ) {
           continue;
         }
         else {
           String attrName = ((SAMLAttribute)attrib).getName();
           String attrNamespace = ((SAMLAttribute)attrib).getNamespace();
           log.debug("Found Evidence Attribute:  "+attrName+ " with namespace: "+attrNamespace);
 
           if ( attrName.equals("FQAN") && attrNamespace.equals(OSGAuthorizationConstants.AUTHZ_NS) ) {
             fqan = getAttributeValue( (SAMLAttribute) attrib);
           }
        } // end if instance of attribute
       } // end while attribute
 
       if(fqan!=null) log.debug("Found FQAN Attribute: "+fqan);
       else log.warn("Found unsupported FQAN Attribute (it had no string value!!!)");
       return fqan;
 
    }
 
 
    /*** Searches the Evidence elements for FQAN attributes.
      *  Returns the first FQAN found that matches the querySubject
      *  These are what GUMS needs to perform the authorization and
      *  determine the username.
      */
 
      protected FQAN findFQANinSubjectEvidence(Iterator evidenceIterator, SAMLSubject querySubject)
         throws SAMLException {
 
       FQAN fqan = new FQAN();
 
       while (evidenceIterator.hasNext()) {
           Object obj = evidenceIterator.next();
           if (obj instanceof SAMLAssertion) {
             // who is the issuer of the statement
             fqan.issuer = ( (SAMLAssertion) obj).getIssuer();
 
             Iterator evidenceStatementIterator = ((SAMLAssertion)obj).getStatements();
             while (evidenceStatementIterator.hasNext()) {
               Object stmt = evidenceStatementIterator.next();
               if (stmt instanceof SAMLAttributeStatement) {
                 if (SAMLUtil.samlSubjectMatch(querySubject, ((SAMLAttributeStatement)stmt).getSubject() ) ) {
                    // subject matches
                    fqan.data=getFQAN((SAMLAttributeStatement)stmt);
                    // was it a fqan attribute, if not getFQAN will have returned null
                    if(fqan.data!=null) {
                      return fqan;
                    }
 
                 }
               } // end if instance of SAMLattribute
             } // end while evidence
           } // end if SAMLAssertion
         } // end while evidenceIterator
 
       return null; // no fqan found in evidence
 
     }
 
 
   /*** returns the subset of the requestedActions that are present in the
     * permissibleActions parameter 
     */
 
    protected ArrayList locatePermissibleActions(Iterator requestedActions, ArrayList permissibleActionsList) {
 
      ArrayList permittedActions = new ArrayList(1);
 
      log.debug("Locating permissible actions");
  
      // loop through all requested actions, check every one against the list of permissible actions
      while (requestedActions.hasNext()) {
              SAMLAction ra = (SAMLAction)requestedActions.next();
          //log.debug("Requested action is: "+ra);
          for(int i=0;i<permissibleActionsList.size();i++) {
             SAMLAction pa = (SAMLAction)permissibleActionsList.get(i);
                           
              //log.debug("Comparing to permissible action: "+pa);
 
              if(SAMLUtil.samlActionMatch(pa,ra) ) {
                    log.debug("requested action matched permissible action: "+ra);
                    // requested action is a permissible action, so add it to the permittedActions
                    permittedActions.add(ra);
                    // remove this action from the list of permissible actions, so we won't add it
                    // to the set of permittedActions multiple times, even if it was requested mult. times
                    permissibleActionsList.remove(i);
                    // do not check remainder of this set, break
                    break;
              } // end if
 
           } // end for
 
       } // end while
 
       // return null if no actions were permitted
       if (permittedActions.isEmpty() ) return null;
       
       return permittedActions; 
  
    }
     
 
     //#############################################################
     /*** Returns the first string value of an attribute,
      * returns null if not string attribute found
      */
     private String getAttributeValue(SAMLAttribute attrib)
     throws SAMLException {
 
       String value = null;
       Iterator attributeValues = ((SAMLAttribute)attrib).getValues();
       while (attributeValues.hasNext()) {
         Object attributeValue = attributeValues.next();
         if( ! (attributeValue instanceof String)) {
           continue; // not a string, look at next value
         }
         value = (String) attributeValue;
         break; // no need to look further       
       } // end while
 
       return value;
     } // end method
 
 
 } // end class SAMLAuthZServiceBase