/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  The ASF licenses this file to You
 * under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.  For additional information regarding
 * copyright in this work, please see the NOTICE file in the top level
 * directory of this distribution.
 */
package org.apache.abdera2.security.util.filters;

import org.apache.abdera2.common.misc.Chain;
import org.apache.abdera2.common.protocol.RequestContext.Scope;
import org.apache.abdera2.common.protocol.RequestContext;
import org.apache.abdera2.common.protocol.ResponseContext;
import org.apache.abdera2.security.Encryption;
import org.apache.abdera2.security.EncryptionOptions;
import org.apache.abdera2.security.util.Constants;
import org.apache.abdera2.security.util.DHContext;

/**
 * A filter implementation that allows requests to be encrypted using Diffie-Hellman key negotiation. A client first
 * uses GET/HEAD/OPTIONS to get the servers DH information, then sends an encrypted request containing it's DH
 * information. The server can then decrypt and process the request. Note: this is currently untested.
 */
public class DHEncryptedRequestFilter extends AbstractEncryptedRequestFilter {

    public DHEncryptedRequestFilter() {
        super();
    }

    public DHEncryptedRequestFilter(String... methods) {
        super(methods);
    }

    public void bootstrap(RequestContext request) {
    }

    public ResponseContext apply(RequestContext request, Chain<RequestContext,ResponseContext> chain) {
        ResponseContext response = super.apply(request, chain);
        String method = request.getMethod();
        // include a Accept-Encryption header in the response to GET, HEAD and OPTIONS requests
        // the header will specify all the information the client needs to construct
        // it's own DH context and encrypt the request
        if ("GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method) || "OPTIONS".equalsIgnoreCase(method)) {
            DHContext context = (DHContext)request.getAttribute(Scope.SESSION, "dhcontext");
            if (context == null) {
                context = new DHContext();
                request.setAttribute(Scope.SESSION, "dhcontext", context);
            }
            response.setHeader(Constants.ACCEPT_ENCRYPTION, context.getRequestString());
        }
        return response;
    }

    protected Object initArg(RequestContext request) {
        DHContext context = (DHContext)request.getAttribute(Scope.SESSION, "dhcontext");
        String dh = request.getHeader(Constants.CONTENT_ENCRYPTED);
        if (context != null && dh != null && dh.length() > 0) {
            try {
                context.setPublicKey(dh);
            } catch (Exception e) {
            }
        }
        return context;
    }

    protected EncryptionOptions initEncryptionOptions(RequestContext request, Encryption encryption, Object arg) {
        EncryptionOptions options = null;
        if (arg != null && arg instanceof DHContext) {
            try {
                options = ((DHContext)arg).getEncryptionOptions(encryption);
            } catch (Exception e) {
            }
        }
        return options;
    }

}