/*
    * Cloud Foundry 2012.02.03 Beta
    * Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
    *
    * This product is licensed to you under the Apache License, Version 2.0 (the "License").
    * You may not use this product except in compliance with the License.
    *
    * This product includes a number of subcomponents with
    * separate copyright notices and license terms. Your use of these
   * subcomponents is subject to the terms and conditions of the
   * subcomponent's license, as noted in the LICENSE file.
   */
  package org.springframework.security.oauth2.provider.token.store;
  
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  import org.springframework.beans.factory.InitializingBean;
  import org.springframework.security.crypto.codec.Base64;
  import org.springframework.security.jwt.Jwt;
  import org.springframework.security.jwt.JwtHelper;
  import org.springframework.security.jwt.crypto.sign.*;
  import org.springframework.security.oauth2.common.*;
  import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
  import org.springframework.security.oauth2.common.util.JsonParser;
  import org.springframework.security.oauth2.common.util.JsonParserFactory;
  import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
  import org.springframework.security.oauth2.provider.OAuth2Authentication;
  import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
  import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
  import org.springframework.security.oauth2.provider.token.TokenEnhancer;
  import org.springframework.util.Assert;
  
  import java.security.KeyPair;
  import java.security.PrivateKey;
  import java.security.interfaces.RSAPrivateKey;
  import java.security.interfaces.RSAPublicKey;
  import java.util.Date;
  import java.util.LinkedHashMap;
  import java.util.Map;
  
  /**
   * Helper that translates between JWT encoded token values and OAuth authentication
   * information (in both directions). Also acts as a {@link TokenEnhancer} when tokens are
   * granted.
   *
   * @see TokenEnhancer
   * @see AccessTokenConverter
   *
   * @author Dave Syer
   * @author Luke Taylor
   */
  public class JwtAccessTokenConverter implements TokenEnhancer, AccessTokenConverter, InitializingBean {
  
  	/**
  	 * Field name for token id.
  	 */
  	public static final String TOKEN_ID = AccessTokenConverter.JTI;
  
  	/**
  	 * Field name for access token id.
  	 */
  	public static final String ACCESS_TOKEN_ID = AccessTokenConverter.ATI;
  
  	private static final Log logger = LogFactory.getLog(JwtAccessTokenConverter.class);
  
  	private AccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
  
  	private JwtClaimsSetVerifier jwtClaimsSetVerifier = new NoOpJwtClaimsSetVerifier();
  
  	private JsonParser objectMapper = JsonParserFactory.create();
  
  	private String verifierKey = new RandomValueStringGenerator().generate();
  
  	private Signer signer = new MacSigner(verifierKey);
  
  	private String signingKey = verifierKey;
  
  	private SignatureVerifier verifier;
  
  	/**
  	 * @param tokenConverter the tokenConverter to set
  	 */
  	public void setAccessTokenConverter(AccessTokenConverter tokenConverter) {
  		this.tokenConverter = tokenConverter;
  	}
  
  	/**
  	 * @return the tokenConverter in use
  	 */
  	public AccessTokenConverter getAccessTokenConverter() {
  		return tokenConverter;
  	}
  
  	/**
  	 * @return the {@link JwtClaimsSetVerifier} used to verify the claim(s) in the JWT Claims Set
  	 */
  	public JwtClaimsSetVerifier getJwtClaimsSetVerifier() {
  		return this.jwtClaimsSetVerifier;
  	}
 
 	/**
 	 * @param jwtClaimsSetVerifier the {@link JwtClaimsSetVerifier} used to verify the claim(s) in the JWT Claims Set
 	 */
 	public void setJwtClaimsSetVerifier(JwtClaimsSetVerifier jwtClaimsSetVerifier) {
 		Assert.notNull(jwtClaimsSetVerifier, "jwtClaimsSetVerifier cannot be null");
 		this.jwtClaimsSetVerifier = jwtClaimsSetVerifier;
 	}
 
 	@Override
 	public Map<String, ?> convertAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
 		return tokenConverter.convertAccessToken(token, authentication);
 	}
 
 	@Override
 	public OAuth2AccessToken extractAccessToken(String value, Map<String, ?> map) {
 		return tokenConverter.extractAccessToken(value, map);
 	}
 
 	@Override
 	public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
 		return tokenConverter.extractAuthentication(map);
 	}
 
 	/**
 	 * Unconditionally set the verifier (the verifer key is then ignored).
 	 *
 	 * @param verifier the value to use
 	 */
 	public void setVerifier(SignatureVerifier verifier) {
 		this.verifier = verifier;
 	}
 
 	/**
 	 * Unconditionally set the signer to use (if needed). The signer key is then ignored.
 	 *
 	 * @param signer the value to use
 	 */
 	public void setSigner(Signer signer) {
 		this.signer = signer;
 	}
 
 	/**
 	 * Get the verification key for the token signatures.
 	 *
 	 * @return the key used to verify tokens
 	 */
 	public Map<String, String> getKey() {
 		Map<String, String> result = new LinkedHashMap<String, String>();
 		result.put("alg", signer.algorithm());
 		result.put("value", verifierKey);
 		return result;
 	}
 
 	public void setKeyPair(KeyPair keyPair) {
 		PrivateKey privateKey = keyPair.getPrivate();
 		Assert.state(privateKey instanceof RSAPrivateKey, "KeyPair must be an RSA ");
 		signer = new RsaSigner((RSAPrivateKey) privateKey);
 		RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
 		verifier = new RsaVerifier(publicKey);
 		verifierKey = "-----BEGIN PUBLIC KEY-----\n" + new String(Base64.encode(publicKey.getEncoded()))
 				+ "\n-----END PUBLIC KEY-----";
 	}
 
 	/**
 	 * Sets the JWT signing key. It can be either a simple MAC key or an RSA key. RSA keys
 	 * should be in OpenSSH format, as produced by <tt>ssh-keygen</tt>.
 	 *
 	 * @param key the key to be used for signing JWTs.
 	 */
 	public void setSigningKey(String key) {
 		Assert.hasText(key);
 		key = key.trim();
 
 		this.signingKey = key;
 
 		if (isPublic(key)) {
 			signer = new RsaSigner(key);
 			logger.info("Configured with RSA signing key");
 		}
 		else {
 			// Assume it's a MAC key
 			this.verifierKey = key;
 			signer = new MacSigner(key);
 		}
 	}
 
 	/**
 	 * @return true if the key has a public verifier
 	 */
 	private boolean isPublic(String key) {
 		return key.startsWith("-----BEGIN");
 	}
 
 	/**
 	 * @return true if the signing key is a public key
 	 */
 	public boolean isPublic() {
 		return signer instanceof RsaSigner;
 	}
 
 	/**
 	 * The key used for verifying signatures produced by this class. This is not used but
 	 * is returned from the endpoint to allow resource servers to obtain the key.
 	 *
 	 * For an HMAC key it will be the same value as the signing key and does not need to
 	 * be set. For and RSA key, it should be set to the String representation of the
 	 * public key, in a standard format (e.g. OpenSSH keys)
 	 *
 	 * @param key the signature verification key (typically an RSA public key)
 	 */
 	public void setVerifierKey(String key) {
 		this.verifierKey = key;
 	}
 
 	public OAuth2AccessToken../../../../org/springframework/security/oauth2/common/OAuth2AccessToken.html#OAuth2AccessToken">OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
 		DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(accessToken);
 		Map<String, Object> info = new LinkedHashMap<String, Object>(accessToken.getAdditionalInformation());
 		String tokenId = result.getValue();
 		if (!info.containsKey(TOKEN_ID)) {
 			info.put(TOKEN_ID, tokenId);
 		}
 		else {
 			tokenId = (String) info.get(TOKEN_ID);
 		}
 		result.setAdditionalInformation(info);
 		result.setValue(encode(result, authentication));
 		OAuth2RefreshToken refreshToken = result.getRefreshToken();
 		if (refreshToken != null) {
 			DefaultOAuth2AccessToken encodedRefreshToken = new DefaultOAuth2AccessToken(accessToken);
 			encodedRefreshToken.setValue(refreshToken.getValue());
 			// Refresh tokens do not expire unless explicitly of the right type
 			encodedRefreshToken.setExpiration(null);
 			try {
 				Map<String, Object> claims = objectMapper
 						.parseMap(JwtHelper.decode(refreshToken.getValue()).getClaims());
 				if (claims.containsKey(TOKEN_ID)) {
 					encodedRefreshToken.setValue(claims.get(TOKEN_ID).toString());
 				}
 			}
 			catch (IllegalArgumentException e) {
 			}
 			Map<String, Object> refreshTokenInfo = new LinkedHashMap<String, Object>(
 					accessToken.getAdditionalInformation());
 			refreshTokenInfo.put(TOKEN_ID, encodedRefreshToken.getValue());
 			refreshTokenInfo.put(ACCESS_TOKEN_ID, tokenId);
 			encodedRefreshToken.setAdditionalInformation(refreshTokenInfo);
 			DefaultOAuth2RefreshToken token = new DefaultOAuth2RefreshToken(
 					encode(encodedRefreshToken, authentication));
 			if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
 				Date expiration = ((ExpiringOAuth2RefreshToken) refreshToken).getExpiration();
 				encodedRefreshToken.setExpiration(expiration);
 				token = new DefaultExpiringOAuth2RefreshToken(encode(encodedRefreshToken, authentication), expiration);
 			}
 			result.setRefreshToken(token);
 		}
 		return result;
 	}
 
 	public boolean isRefreshToken(OAuth2AccessToken token) {
 		return token.getAdditionalInformation().containsKey(ACCESS_TOKEN_ID);
 	}
 
 	protected String encode(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
 		String content;
 		try {
 			content = objectMapper.formatMap(tokenConverter.convertAccessToken(accessToken, authentication));
 		}
 		catch (Exception e) {
 			throw new IllegalStateException("Cannot convert access token to JSON", e);
 		}
 		String token = JwtHelper.encode(content, signer).getEncoded();
 		return token;
 	}
 
 	protected Map<String, Object> decode(String token) {
 		try {
 			Jwt jwt = JwtHelper.decodeAndVerify(token, verifier);
 			String claimsStr = jwt.getClaims();
 			Map<String, Object> claims = objectMapper.parseMap(claimsStr);
 			if (claims.containsKey(EXP) && claims.get(EXP) instanceof Integer) {
 				Integer intValue = (Integer) claims.get(EXP);
 				claims.put(EXP, new Long(intValue));
 			}
 			this.getJwtClaimsSetVerifier().verify(claims);
 			return claims;
 		}
 		catch (Exception e) {
 			throw new InvalidTokenException("Cannot convert access token to JSON", e);
 		}
 	}
 
 	public void afterPropertiesSet() throws Exception {
 		if (verifier != null) {
 			// Assume signer also set independently if needed
 			return;
 		}
 		SignatureVerifier verifier = new MacSigner(verifierKey);
 		try {
 			verifier = new RsaVerifier(verifierKey);
 		}
 		catch (Exception e) {
 			logger.warn("Unable to create an RSA verifier from verifierKey (ignoreable if using MAC)");
 		}
 		// Check the signing and verification keys match
 		if (signer instanceof RsaSigner) {
 			byte[] test = "test".getBytes();
 			try {
 				verifier.verify(test, signer.sign(test));
 				logger.info("Signing and verification RSA keys match");
 			}
 			catch (InvalidSignatureException e) {
 				logger.error("Signing and verification RSA keys do not match");
 			}
 		}
 		else if (verifier instanceof MacSigner) {
 			// Avoid a race condition where setters are called in the wrong order. Use of
 			// == is intentional.
 			Assert.state(this.signingKey == this.verifierKey,
 					"For MAC signing you do not need to specify the verifier key separately, and if you do it must match the signing key");
 		}
 		this.verifier = verifier;
 	}
 
 	private class NoOpJwtClaimsSetVerifier implements JwtClaimsSetVerifier {
 		@Override
 		public void verify(Map<String, Object> claims) throws InvalidTokenException {
 		}
 	}
 }