/*

 * CDDL HEADER START

 *

 * The contents of this file are subject to the terms of the

 * Common Development and Distribution License (the "License").

 * You may not use this file except in compliance with the License.

 *

 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE

 * or http://www.opensolaris.org/os/licensing.

 * See the License for the specific language governing permissions

 * and limitations under the License.

 *

 * When distributing Covered Code, include this CDDL HEADER in each

 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.

 * If applicable, add the following below this CDDL HEADER, with the

 * fields enclosed by brackets "[]" replaced with your own identifying

 * information: Portions Copyright [yyyy] [name of copyright owner]

 *

 * CDDL HEADER END

 */

/*

 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.

 */

package org.opensolaris.os.vp.client.common;

import java.io.*;

import java.net.*;

import java.security.*;

import java.security.cert.*;

import java.security.cert.Certificate;

import java.util.*;

import javax.management.*;

import javax.management.remote.*;

import javax.swing.JOptionPane;

import org.opensolaris.os.rad.*;

import org.opensolaris.os.rad.api.pam.*;

import org.opensolaris.os.rad.jmx.RadConnector;

import org.opensolaris.os.vp.common.panel.MBeanUtil;

import org.opensolaris.os.vp.panel.common.*;

import org.opensolaris.os.vp.panel.common.action.*;

import org.opensolaris.os.vp.util.misc.*;

import org.opensolaris.os.vp.util.misc.finder.Finder;

public abstract class RadLoginManager {

    //

    // Inner classes

    //

    private static interface AuthPrompter {

	DialogMessage getInitialMessage(LoginRequest request);

	Block initiate(LoginRequest request, AuthenticatorMXBean auth)

	    throws ActionAbortedException, ObjectException;

	void prompt(LoginRequest request, List<LoginProperty> properties,

	    LoginData data) throws ActionAbortedException,

	    ActionRegressedException;

    }

    private class LoginPrompter implements AuthPrompter {

	@Override

	public DialogMessage getInitialMessage(LoginRequest request) {

	    return new DialogMessage(Finder.getString(

                "login.message.userauth", request.getHost().getValue(),

                request.getUser().getValue()));

	}

	@Override

	public Block initiate(LoginRequest request,

	    AuthenticatorMXBean auth) throws ActionAbortedException,

	    ObjectException {

	    return auth.login(Locale.getDefault().getLanguage(),

		request.getUser().getValue());

	}

	@Override

	public void prompt(LoginRequest request, List<LoginProperty> properties,

	    LoginData data) throws ActionAbortedException,

	    ActionRegressedException {

	    try {

		promptForUserAuth(request, properties);

	    } finally {

		data.setUserAcknowledged(true);

	    }

	}

    }

    private class RolePrompter implements AuthPrompter {

	@Override

	public DialogMessage getInitialMessage(LoginRequest request) {

	    return new DialogMessage(Finder.getString(

		"login.message.roleauth", request.getHost().getValue(),

		request.getUser().getValue(), request.getRole().getValue()));

	}

	@Override

	public Block initiate(LoginRequest request,

	    AuthenticatorMXBean auth) throws ActionAbortedException,

	    ObjectException {

	    return auth.assume(Locale.getDefault().getLanguage(),

		request.getRole().getValue());

	}

	@Override

	public void prompt(LoginRequest request, List<LoginProperty> properties,

	    LoginData data) throws ActionAbortedException,

	    ActionRegressedException {

	    try {

		promptForRoleAuth(request, properties);

	    } finally {

		data.setRoleAcknowledged(true);

	    }

	}

    }

    private static class LoginData {

	//

	// Instance data

	//

	private ConnectionInfo userInfo;

	private ConnectionInfo roleInfo;

	private AuthenticatorMXBean auth;

	private JMXConnector authConnector;

	private boolean userAcknowledged;

	private boolean roleAcknowledged;

	//

	// LoginData methods

	//

	public AuthenticatorMXBean getAuthBean(LoginRequest request) {

	    JMXConnector connector =

		roleInfo != null ? roleInfo.getConnector() :

		userInfo != null ? userInfo.getConnector() : null;

	    if (authConnector != connector || auth == null) {

		authConnector = connector;

		auth = null;

		if (connector != null) {

		    try {

			MBeanServerConnection mbsc =

			    connector.getMBeanServerConnection();

			ObjectName oName = MBeanUtil.makeObjectName(

			    "org.opensolaris.os.rad", "authentication");

			auth = JMX.newMXBeanProxy(mbsc, oName,

			    AuthenticatorMXBean.class);

		    } catch (IOException e) {

			request.getMessages().add(new DialogMessage(

			    Finder.getString("login.err.io",

			    request.getHost().getValue()),

			    JOptionPane.ERROR_MESSAGE));

		    }

		}

	    }

	    return auth;

	}

	public ConnectionInfo getRoleConnectionInfo() {

	    return roleInfo;

	}

	public ConnectionInfo getUserConnectionInfo() {

	    return userInfo;

	}

	public boolean isRoleAcknowledged() {

	    return roleAcknowledged;

	}

	public boolean isUserAcknowledged() {

	    return userAcknowledged;

	}

	public void setRoleAcknowledged(boolean roleAcknowledged) {

	    this.roleAcknowledged = roleAcknowledged;

	    if (roleAcknowledged) {

		setUserAcknowledged(true);

	    }

	}

	public void setRoleConnectionInfo(ConnectionInfo roleInfo) {

	    this.roleInfo = roleInfo;

	}

	public void setUserAcknowledged(boolean userAcknowledged) {

	    this.userAcknowledged = userAcknowledged;

	    if (!userAcknowledged) {

		setRoleAcknowledged(false);

	    }

	}

	public void setUserConnectionInfo(ConnectionInfo userInfo) {

	    this.userInfo = userInfo;

	    setRoleConnectionInfo(null);

	}

    }

    private static class ConnectorData {

	//

	// Instance data

	//

	private JMXConnector connector;

	private boolean isLocal;

	//

	// Constructors

	//

	public ConnectorData(JMXConnector connector, boolean isLocal) {

	    this.connector = connector;

	    this.isLocal = isLocal;

	}

	//

	// ConnectorData methods

	//

	public JMXConnector getConnector() {

	    return connector;

	}

	public boolean isLocal() {

	    return isLocal;

	}

    }

    //

    // Static data

    //

    public static final String TRUSTSTORE_PASSWORD = "trustpass";

    public static final String LOCAL_USER = System.getProperty("user.name");

    public static final String LOCAL_HOST = "localhost";

    //

    // Instance data

    //

    private ConnectionManager connManager;

    //

    // Constructors

    //

    public RadLoginManager(ConnectionManager connManager) {

	this.connManager = connManager;

    }

    //

    // RadLoginManager methods

    //

    /**

     * Creates an empty truststore file.

     */

    protected void createTrustStore(File truststore) throws KeyStoreException,

	IOException, NoSuchAlgorithmException, CertificateException {

	File truststoreDir = truststore.getParentFile();

	if (!truststoreDir.exists()) {

	    if (!truststoreDir.mkdirs()) {

		throw new IOException(

		    "could not create truststore directory: " +

		    truststoreDir.getAbsolutePath());

	    }

	}

	KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

	char[] password = getTrustStorePassword().toCharArray();

	// Create empty keystore

	keyStore.load(null, password);

	FileOutputStream fos = new FileOutputStream(truststore);

	keyStore.store(fos, password);

	fos.close();

    }

    /**

     * Opens a connection to the server.  This routine returns a two-element

     * array consisting of:

     * <p/>

     * <ol>

     *	 <li>

     *	   a (new or existing) {@link ConnectionInfo} for the {@code user@host}

     *	   connection, and

     *	 </li>

     *	 <li>

     *	   a (new or existing) {@link ConnectionInfo} for the {@code role@host

     *	   (via user)} connection, or {@code null} if the user did not choose to

     *	   assume a role

     *	 </li>

     * </ol>

     *

     * @param	    request

     *		    the {@link LoginRequest} encapsulating the preset values and

     *		    editability of each core {@link LoginProperty}

     *

     * @param	    current

     *		    if non-{@code null}, ensures that the user is aware of

     *		    changes in host/user/role (preventing the use of cached

     *		    connections without the user's knowledge)

     *

     * @exception   ActionAbortedException

     *		    if the user cancels the operation

     *

     * @exception   ActionFailedException

     *		    if the given request fails

     */

    public ConnectionInfo[] getConnectionInfo(LoginRequest request,

	ConnectionInfo current) throws ActionAbortedException,

	ActionFailedException {

	LoginData data = new LoginData();

	boolean done = false;

	while (!done) {

	    gatherHostAndUserData(request, data);

	    try {

		gatherRoleData(request, data);

		done = true;

	    } catch (ActionRegressedException e) {

		request.getHost().setErrored(false);

		request.getUser().setErrored(false);

		request.getRole().setErrored(false);

		request.getMessages().clear();

		data.setUserConnectionInfo(null);

	    }

	}

	ConnectionInfo userInfo = data.getUserConnectionInfo();

	ConnectionInfo roleInfo = data.getRoleConnectionInfo();

	// To prevent rogue connections, if the chosen connection has a

	// different host/user/role than the current connection, ensure that the

	// user has already acknowledged it at some point in the authentication

	// process.  If not, prompt for acknowledgement now.

	if (current != null &&

	    (roleInfo == null ?

	    (!data.isUserAcknowledged() &&

	    (!current.matchesHost(userInfo.getHost()) ||

	    !current.matchesUser(userInfo.getUser()))) :

	    (!data.isRoleAcknowledged() &&

	    (!current.matchesHost(roleInfo.getHost()) ||

	    !current.matchesUser(roleInfo.getUser()) ||

	    !current.matchesRole(roleInfo.getRole()))))) {

	    promptForAck(request);

	}

	return new ConnectionInfo[] { userInfo, roleInfo };

    }

    public ConnectionManager getConnectionManager() {

	return connManager;

    }

    /**

     * Gets the truststore file.

     */

    public abstract File getTrustStoreFile();

    /**

     * Gets the truststore password.  This default implementation returns

     * "{@code trustpass}".

     */

    public String getTrustStorePassword() {

	return TRUSTSTORE_PASSWORD;

    }

    protected boolean handleCertFailure(String host, File truststore,

	Certificate certificate) throws ActionAbortedException,

	KeyStoreException, IOException, NoSuchAlgorithmException,

	CertificateException {

	KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

	char[] password = getTrustStorePassword().toCharArray();

	// Load truststore

	FileInputStream fis = new FileInputStream(truststore);

	keyStore.load(fis, password);

	fis.close();

	// Does the truststore already contain the certificate?

	String alias = keyStore.getCertificateAlias(certificate);

	if (alias != null) {

	    return false;

	}

	boolean acceptNeeded = true;

	if (NetUtil.isLocalAddress(host)) {

	    FileInputStream certFileIn = null;

	    try {

		File certFile = new File("/etc/rad/cert.pem");

		certFileIn = new FileInputStream(certFile);

		Certificate localCert = CertificateFactory.

		    getInstance("X.509").generateCertificate(certFileIn);

		if (localCert.equals(certificate)) {

		    acceptNeeded = false;

		}

	    } catch (Throwable ignore) {

	    } finally {

		IOUtil.closeIgnore(certFileIn);

	    }

	}

	if (acceptNeeded) {

	    // Display the certificate, prompt user to accept

	    promptForCertificate(host, certificate);

	}

	// Add certificate

	alias = ((X509Certificate)certificate).getIssuerDN().toString();

	KeyStore.Entry entry =

	    new KeyStore.TrustedCertificateEntry(certificate);

	keyStore.setEntry(alias, entry, null);

	FileOutputStream fos = new FileOutputStream(truststore);

	keyStore.store(fos, password);

	fos.close();

	return true;

    }

    /**

     * Prompt the user to acknowledge or reject the imminent completion of the

     * given request.

     *

     * @param	    request

     *		    the {@link LoginRequest} encapsulating the preset values of

     *		    each core {@link LoginProperty}

     *

     * @exception   ActionAbortedException

     *		    if the user cancels the operation

     */

    protected abstract void promptForAck(LoginRequest request)

	throws ActionAbortedException;

    /**

     * Display the given {@code Certificate} details and prompt for user

     * confirmation to add it to the truststore.

     *

     * @param	    host

     *		    the owner of the {@code Certificate}

     *

     * @param	    certificate

     *		    the {@code Certificate} to verify

     *

     * @exception   ActionAbortedException

     *		    if the user cancels the operation

     */

    protected abstract void promptForCertificate(String host,

	Certificate certificate) throws ActionAbortedException;

    /**

     * Prompts the user to acknowledge failure of the given request.

     *

     * @param	    request

     *		    the {@link LoginRequest} encapsulating the values and

     *		    error status of each core {@link LoginProperty}

     */

    protected abstract void promptForFailedRequest(LoginRequest request);

    /**

     * Prompt the user to enter host/user data, subject to the editability and

     * preset values of the host and user {@link LoginProperty}s of the given

     * request.

     *

     * @param	    request

     *		    the {@link LoginRequest} encapsulating the preset values and

     *		    editability of each core {@link LoginProperty}

     *

     * @exception   ActionAbortedException

     *		    if the user cancels the operation

     */

    protected abstract void promptForHostAndUser(LoginRequest request)

	throws ActionAbortedException;

    /**