//
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
namespace Trade.Utility
{
/// <summary>
/// Provides a base class that allows customization of certificate validation.
/// Specifically, it enables certificates to be accepted based on a list of
/// authorized certificate thumbprints. See the StockTrader Order Processor Service for an example of
/// use: that sample component uses it to ensure only clients presenting the authorized
/// BSLClient certificate are accepted.
/// </summary>
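public abstract class CustomCertificateValidator : X509CertificateValidator
{
    /// <summary>
    /// Supplies the allow-list of client certificate thumbprints. Each entry is compared
    /// case-insensitively against <see cref="X509Certificate2.Thumbprint"/> (the hex-encoded
    /// SHA-1 hash of the certificate), so entries must use the same plain hex form.
    /// </summary>
    /// <returns>
    /// Array of thumbprint strings. A null or empty array, and null or empty entries,
    /// trust nothing: validation then fails closed.
    /// </returns>
    protected abstract string[] getAllowedThumbprints();

    /// <summary>
    /// Validates a client certificate in two steps: the chain must build successfully under the
    /// policy configured by <see cref="SetValidationSettings"/>, and the end certificate's
    /// thumbprint must be on the allow-list from <see cref="getAllowedThumbprints"/>.
    /// </summary>
    /// <param name="certificate">The certificate presented by the client.</param>
    /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
    /// <exception cref="SecurityTokenValidationException">
    /// The chain does not build, or the end certificate is not on the allow-list.
    /// </exception>
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
        {
            throw new ArgumentNullException("certificate");
        }

        X509Chain chain = new X509Chain();
        try
        {
            SetValidationSettings(chain);

            // Fail closed on any chain problem before looking at the thumbprint: a pinned
            // thumbprint alone says nothing about expiry, revocation or chain policy.
            if (!chain.Build(certificate))
            {
                throw new SecurityTokenValidationException("Client certificate is not valid!");
            }

            if (!isTrusted(chain, getAllowedThumbprints()))
            {
                throw new SecurityTokenValidationException("Client certificate is not trusted!");
            }
        }
        finally
        {
            // Release the native chain context on every path (including the throwing ones).
            // Reset() exists on all framework versions, unlike IDisposable on X509Chain.
            chain.Reset();
        }
    }

    /// <summary>
    /// Hook for adjusting <see cref="X509Chain.ChainPolicy"/> (revocation mode, verification
    /// flags, extra store, ...) before the chain is built. The base implementation leaves the
    /// framework defaults in place.
    /// </summary>
    /// <param name="chain">The chain that <see cref="Validate"/> is about to build.</param>
    protected virtual void SetValidationSettings(X509Chain chain)
    {
        // Override to apply custom chain policy settings.
    }

    /// <summary>
    /// Determines whether the end (leaf) certificate of a built chain is on the allow-list.
    /// Only element 0 is inspected; override to add checks across the whole chain.
    /// </summary>
    /// <param name="chain">A chain for which <see cref="X509Chain.Build"/> has already succeeded.</param>
    /// <param name="trustedThumbprints">Allow-listed thumbprints; null trusts nothing.</param>
    /// <returns>true if the leaf certificate's thumbprint is allow-listed; otherwise false.</returns>
    protected virtual bool isTrusted(X509Chain chain, string[] trustedThumbprints)
    {
        // A chain that was never built has no elements; treat it as untrusted rather than
        // throwing an index error from inside the validator.
        if (chain == null || chain.ChainElements.Count == 0)
        {
            return false;
        }

        return CheckThumbprint(chain.ChainElements[0].Certificate, trustedThumbprints);
    }

    /// <summary>
    /// Checks whether a certificate's thumbprint appears in the allow-list.
    /// </summary>
    /// <param name="certificate">Certificate to check.</param>
    /// <param name="trustedThumbprints">Allow-listed thumbprints (hex, any case).</param>
    /// <returns>true on a match; false when there is none or either argument is null.</returns>
    private bool CheckThumbprint(X509Certificate2 certificate, string[] trustedThumbprints)
    {
        if (certificate == null || trustedThumbprints == null)
        {
            return false;
        }

        string actual = certificate.Thumbprint;
        foreach (string thumbprint in trustedThumbprints)
        {
            // Skip blank entries so a malformed allow-list can never match "nothing".
            if (string.IsNullOrEmpty(thumbprint))
            {
                continue;
            }

            // Thumbprints are hex strings; ordinal, case-insensitive comparison is the
            // correct non-linguistic comparison here.
            if (string.Equals(actual, thumbprint, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }

        return false;
    }
}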
}