/**
    * Copyright 2005-2014 The Kuali Foundation
    *
    * Licensed under the Educational Community License, Version 2.0 (the "License");
    * you may not use this file except in compliance with the License.
    * You may obtain a copy of the License at
    *
    * http://www.opensource.org/licenses/ecl2.php
    *
   * Unless required by applicable law or agreed to in writing, software
   * distributed under the License is distributed on an "AS IS" BASIS,
   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   * See the License for the specific language governing permissions and
   * limitations under the License.
   */
  package org.kuali.rice.ksb.security;
  
  import java.io.ByteArrayInputStream;
  import java.io.IOException;
  import java.security.Signature;
  import java.security.cert.CertificateFactory;
  
  import javax.servlet.ServletInputStream;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletRequestWrapper;
  
  import org.apache.commons.codec.binary.Base64;
  import org.apache.commons.lang.StringUtils;
  import org.kuali.rice.ksb.service.KSBServiceLocator;
  import org.kuali.rice.ksb.util.KSBConstants;
  
  /**
   * An HttpServletRequestWrapper which will wraps the underlying request's InputStream in a 
   * SignatureVerifyingInputStream which will verify the digital signature of the request after 
   * all of the data has been read from the input stream.
   * 
   * @author Kuali Rice Team (rice.collab@kuali.org)
   */
  public class SignatureVerifyingRequestWrapper extends HttpServletRequestWrapper {
  
  	private byte[] digitalSignature;
  	private Signature signature;
  	
  	public SignatureVerifyingRequestWrapper(HttpServletRequest request) {
  		super(request);
  		String encodedSignature = request.getHeader(KSBConstants.DIGITAL_SIGNATURE_HEADER);
  		if (StringUtils.isEmpty(encodedSignature)) {
  			throw new RuntimeException("A digital signature was required on the request but none was found.");
  		}
  		String verificationAlias = request.getHeader(KSBConstants.KEYSTORE_ALIAS_HEADER);
  		String encodedCertificate = request.getHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
  		if ( (StringUtils.isEmpty(verificationAlias)) && (StringUtils.isEmpty(encodedCertificate)) ) {
              throw new RuntimeException("A verification alias or certificate was required on the request but neither was found.");
  		}
  		try {
              this.digitalSignature = Base64.decodeBase64(encodedSignature.getBytes("UTF-8"));
              if (StringUtils.isNotBlank(encodedCertificate)) {
                  byte[] certificate = Base64.decodeBase64(encodedCertificate.getBytes("UTF-8"));
                  CertificateFactory cf = CertificateFactory.getInstance("X.509");
                  this.signature = KSBServiceLocator.getDigitalSignatureService().getSignatureForVerification(cf.generateCertificate(new ByteArrayInputStream(certificate)));
              } else if (StringUtils.isNotBlank(verificationAlias)) {
                  this.signature = KSBServiceLocator.getDigitalSignatureService().getSignatureForVerification(verificationAlias);
              }
  		} catch (Exception e) {
  			throw new RuntimeException("Failed to initialize digital signature verification.", e);
  		}
  	}
  
  	@Override
  	public ServletInputStream getInputStream() throws IOException {
  		return new SignatureVerifyingInputStream(this.digitalSignature, this.signature, super.getInputStream());
  	}
  	
  }