/*

 * CDDL HEADER START

 *

 * The contents of this file are subject to the terms of the

 * Common Development and Distribution License (the "License").

 * You may not use this file except in compliance with the License.

 *

 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE

 * or http://www.opensolaris.org/os/licensing.

 * See the License for the specific language governing permissions

 * and limitations under the License.

 *

 * When distributing Covered Code, include this CDDL HEADER in each

 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.

 * If applicable, add the following below this CDDL HEADER, with the

 * fields enclosed by brackets "[]" replaced with your own identifying

 * information: Portions Copyright [yyyy] [name of copyright owner]

 *

 * CDDL HEADER END

 */

/*

 * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.

 */

package org.opensolaris.os.vp.client.common;

import java.io.*;

import java.net.*;

import java.security.*;

import java.security.cert.*;

import java.security.cert.Certificate;

import java.util.*;

import java.util.logging.*;

import javax.management.*;

import javax.management.remote.*;

import javax.swing.JOptionPane;

import org.opensolaris.os.adr.Stability;

import org.opensolaris.os.rad.*;

import org.opensolaris.os.rad.api.pam.*;

import org.opensolaris.os.rad.api.zoneadmin.*;

import org.opensolaris.os.rad.jmx.RadConnector;

import org.opensolaris.os.rad.jmx.IncompatibleVersionException;

import org.opensolaris.os.rad.jmx.RadJMX;

import org.opensolaris.os.vp.common.panel.MBeanUtil;

import org.opensolaris.os.vp.panel.common.*;

import org.opensolaris.os.vp.panel.common.action.*;

import org.opensolaris.os.vp.util.misc.*;

import org.opensolaris.os.vp.util.misc.finder.Finder;

public abstract class RadLoginManager {

    //

    // Inner classes

    //

    private static abstract class AuthPrompter {

	//

	// Instance data

	//

	private boolean acknowledged;

	//

	// AuthPrompter methods

	//

	/**

	 * _,__/|

	 *  `O.o'

	 * =(_x_)=

	 *    U

	 */

	protected void ack() {

	    acknowledged = true;

	}

	public boolean isAcknowledged() {

	    return acknowledged;

	}

	public abstract Block initiate(LoginRequest request,

	    AuthenticatorMXBean auth) throws ActionAbortedException,

	    ObjectException;

	public abstract void prompt(LoginRequest request,

	    List<LoginProperty> properties, boolean isFirst)

	    throws ActionAbortedException, ActionRegressedException;

    }

    private class UserPrompter extends AuthPrompter {

	@Override

	public Block initiate(LoginRequest request,

	    AuthenticatorMXBean auth) throws ActionAbortedException,

	    ObjectException {

	    setLoginStatus(request, Finder.getString("login.status.login",

		request.getUser().getValue()));

	    return auth.login(Locale.getDefault().getLanguage(),

		request.getUser().getValue());

	}

	@Override

	public void prompt(LoginRequest request, List<LoginProperty> properties,

	    boolean isFirst) throws ActionAbortedException,

	    ActionRegressedException {

	    try {

		promptForAuth(request, properties, false, true, isFirst);

	    } finally {

		ack();

		request.getHost().setErrored(false);

		request.getUser().setErrored(false);

	    }

	}

    }

    private class RolePrompter extends AuthPrompter {

	@Override

	public Block initiate(LoginRequest request,

	    AuthenticatorMXBean auth) throws ActionAbortedException,

	    ObjectException {

	    setLoginStatus(request, Finder.getString("login.status.assume",

		request.getRole().getValue()));

	    return auth.assume(Locale.getDefault().getLanguage(),

		request.getRole().getValue());

	}

	@Override

	public void prompt(LoginRequest request, List<LoginProperty> properties,

	    boolean isFirst) throws ActionAbortedException,

	    ActionRegressedException {

	    try {

		promptForAuth(request, properties, false, false, isFirst);

	    } finally {

		ack();

		request.getRole().setErrored(false);

	    }

	}

    }

    private class ZoneUserPrompter extends AuthPrompter {

	@Override

	public Block initiate(LoginRequest request,

	    AuthenticatorMXBean auth) throws ActionAbortedException,

	    ObjectException {

	    return auth.login(Locale.getDefault().getLanguage(),

		request.getZoneUser().getValue());

	}

	@Override

	public void prompt(LoginRequest request, List<LoginProperty> properties,

	    boolean isFirst) throws ActionAbortedException,

	    ActionRegressedException {

	    try {

		promptForAuth(request, properties, true, true, isFirst);

	    } finally {

		ack();

		request.getZone().setErrored(false);

		request.getZoneUser().setErrored(false);

	    }

	}

    }

    private class ZoneRolePrompter extends AuthPrompter {

	@Override

	public Block initiate(LoginRequest request,

	    AuthenticatorMXBean auth) throws ActionAbortedException,

	    ObjectException {

	    return auth.assume(Locale.getDefault().getLanguage(),

		request.getZoneRole().getValue());

	}

	@Override

	public void prompt(LoginRequest request, List<LoginProperty> properties,

	    boolean isFirst) throws ActionAbortedException,

	    ActionRegressedException {

	    try {

		promptForAuth(request, properties, true, false, isFirst);

	    } finally {

		ack();

		request.getZoneRole().setErrored(false);

	    }

	}

    }

    private static class LoginData {

	//

	// Instance data

	//

	private LinkedList<ConnectionInfo> depChain =

	    new LinkedList<ConnectionInfo>();

	private LinkedList<Boolean> acks = new LinkedList<Boolean>();

	//

	// LoginData methods

	//

	public boolean isAcknowledged() {

	    return acks.peek();

	}

	public List<ConnectionInfo> getDepChain() {

	    return depChain;

	}

	public ConnectionInfo peek(int offset) {

	    return depChain.get(offset);

	}

	public void pop() {

	    depChain.pop();

	    acks.pop();

	}

	public void push(ConnectionInfo info, boolean acknowledged) {

	    depChain.push(info);

	    acks.push(acknowledged);

	}

	public void setDepChain(List<ConnectionInfo> depChain,

	    boolean acknowledged) {

	    assert compatible(depChain);

	    this.depChain.clear();

	    acks.clear();

	    for (int i = depChain.size() - 1; i >= 0; i--) {

		push(depChain.get(i), acknowledged);

	    }

	}

	//

	// Object methods

	//

	@Override

	public String toString() {

	    for (int i = depChain.size() - 1; i >= 0; i--) {

		buffer.append(String.format("%d. %s (%s)\n", i,

		    depChain.get(i), acks.get(i) ? "acknowledged" :

		    "not acknowledged"));

	    }

	    return buffer.toString();

	}

	//

	// Private methods

	//

	private void clearConnectionsTo(int level) {

	    int size = depChain.size();

	    for (int i = size - 1; i >= level; i--) {

		depChain.remove(i);

	    }

	}

	private boolean compatible(List<ConnectionInfo> depChain) {

	    boolean compatible = false;

	    if (depChain.size() == this.depChain.size() + 1) {

		compatible = true;

		for (int i = 0, n = this.depChain.size(); i < n; i++) {

		    if (!this.depChain.get(i).equals(depChain.get(i + 1))) {

			compatible = false;

			break;

		    }

		}

	    }

	    return compatible;

	}

    }

    //

    // Static data

    //

    public static final String TRUSTSTORE_PASSWORD = "trustpass";

    public static final String LOCAL_USER = System.getProperty("user.name");

    public static final String LOCAL_HOST = "localhost";

    //

    // Instance data

    //

    private ConnectionManager connManager;

    //

    // Constructors

    //

    public RadLoginManager(ConnectionManager connManager) {

	this.connManager = connManager;

    }

    //

    // RadLoginManager methods

    //

    /**

     * Creates an empty truststore file.

     */

    protected void createTrustStore(File truststore) throws KeyStoreException,

	IOException, NoSuchAlgorithmException, CertificateException {

	File truststoreDir = truststore.getParentFile();

	if (!truststoreDir.exists()) {

	    if (!truststoreDir.mkdirs()) {

		throw new IOException(

		    "could not create truststore directory: " +

		    truststoreDir.getAbsolutePath());

	    }

	}

	KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

	char[] password = getTrustStorePassword().toCharArray();

	// Create empty keystore

	keyStore.load(null, password);

	FileOutputStream fos = new FileOutputStream(truststore);

	keyStore.store(fos, password);

	fos.close();

    }

    /**

     * Guides the user through the login process, then returns a dependency

     * chain of {@link ConnectionInfo}s.  The first element of the chain is the

     * {@code ConnectionInfo} that satisfies the given request.  Each additional

     * {@code ConnectionInfo} is a dependency of the previous {@code

     * ConnectionInfo}.

     * <p/>

     * For example, a role-based connection ("root@nerd (via talley)", say)

     * would have an dependency on the user-based connection ("talley@nerd")

     * used to create it.  The returned chain would contain the role-based

     * connection just before the user-based connection.

     * <p/>

     * This chain of {@code ConnectionInfo} dependencies can be {@link

     * ConnectionManager#add added} to the {@code ConnectionManager} for

     * automatic dependency-based management.

     *

     * @param	    request

     *		    the {@link LoginRequest} encapsulating the preset values and

     *		    editability of each core {@link LoginProperty}

     *

     * @param	    current

     *		    if non-{@code null}, ensures that the user is aware of any

     *		    change in login, preventing the use of cached connections

     *		    without the user's knowledge

     *

     * @exception   ActionAbortedException

     *		    if the user cancels the operation

     *

     * @exception   ActionFailedException

     *		    if the given request fails

     */

    @SuppressWarnings({"fallthrough"})

    public List<ConnectionInfo> getConnectionInfo(LoginRequest request,

	LoginInfo current) throws ActionAbortedException, ActionFailedException

    {

	LoginData data = new LoginData();

	Boolean doZone;

	for (int step = 0; ; ) {

	    try {

		switch (step) {

		case 0:

		    gatherHostAndUserData(request, data);

		    step++;

		case 1:

		    gatherRoleData(request, data);

		    step++;

		case 2:

		    doZone = request.getZonePrompt().getValue();

		    if (doZone != null && doZone) {

			gatherZoneHostAndUserData(request, data);

		    }

		    step++;

		case 3:

		    doZone = request.getZonePrompt().getValue();

		    if (doZone != null && doZone) {

			gatherZoneRoleData(request, data);

		    }

		    step++;

		}

		break;

	    } catch (ActionRegressedException e) {

		step--;

	    }

	}

	List<ConnectionInfo> depChain = data.getDepChain();

	// To prevent rogue connections, if the chosen connection differs from

	// the current one, ensure that the user has acknowledged it at some

	// point in the authentication process.  If not, prompt for

	// acknowledgement now.

	if (!data.isAcknowledged() && !depChain.get(0).matches(current)) {

	    promptForAck(request);

	}

	return depChain;

    }

    public ConnectionManager getConnectionManager() {

	return connManager;

    }

    /**

     * Gets the truststore file.

     */

    public abstract File getTrustStoreFile();

    /**

     * Gets the truststore password.  This default implementation returns

     * "{@code trustpass}".

     */

    public String getTrustStorePassword() {

	return TRUSTSTORE_PASSWORD;

    }

    protected boolean handleCertFailure(String host, File truststore,

	Certificate certificate) throws ActionAbortedException,

	KeyStoreException, IOException, NoSuchAlgorithmException,

	CertificateException {

	KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

	char[] password = getTrustStorePassword().toCharArray();

	// Load truststore

	FileInputStream fis = new FileInputStream(truststore);

	keyStore.load(fis, password);

	fis.close();

	// Does the truststore already contain the certificate?

	String alias = keyStore.getCertificateAlias(certificate);

	if (alias != null) {

	    return false;

	}

	boolean acceptNeeded = true;

	if (NetUtil.isLocalAddress(host)) {

	    FileInputStream certFileIn = null;

	    try {

		File certFile = new File("/etc/rad/cert.pem");

		certFileIn = new FileInputStream(certFile);

		Certificate localCert = CertificateFactory.

		    getInstance("X.509").generateCertificate(certFileIn);

		if (localCert.equals(certificate)) {

		    acceptNeeded = false;

		}

	    } catch (Throwable ignore) {

	    } finally {

		IOUtil.closeIgnore(certFileIn);

	    }

	}

	if (acceptNeeded) {

	    // Display the certificate, prompt user to accept

	    promptForCertificate(host, certificate);

	}

	// Add certificate

	alias = ((X509Certificate)certificate).getIssuerDN().toString();

	KeyStore.Entry entry =

	    new KeyStore.TrustedCertificateEntry(certificate);

	keyStore.setEntry(alias, entry, null);

	FileOutputStream fos = new FileOutputStream(truststore);

	keyStore.store(fos, password);

	fos.close();

	return true;

    }

    /**

     * Prompt the user to acknowledge or reject the imminent completion of the

     * given request.

     *

     * @param	    request

     *		    the {@link LoginRequest} encapsulating the preset values of