/*
 * Copyright (C) 2011 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


package com.android.emailcommon.utility;

import android.content.Context;
import android.net.SSLCertificateSocketFactory;
import android.util.Log;

import com.android.emailcommon.Logging;
import com.android.emailcommon.utility.SSLUtils.KeyChainKeyManager;
import com.android.emailcommon.utility.SSLUtils.TrackingKeyManager;

import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.HttpParams;

import java.security.cert.CertificateException;

import javax.net.ssl.KeyManager;

/**
 * A thread-safe client connection manager that manages the use of client certificates from the
 * {@link android.security.KeyChain} for SSL connections.
 */
public class EmailClientConnectionManager extends ThreadSafeClientConnManager {

    private static final boolean LOG_ENABLED = false;

    /**
     * A {@link KeyManager} to track client certificate requests from servers.
     */
    private final TrackingKeyManager mTrackingKeyManager;

    /**
     * Not publicly instantiable except via {@link #newInstance(HttpParams)}
     */
    private EmailClientConnectionManager(
            HttpParams params, SchemeRegistry registry, TrackingKeyManager keyManager) {
        super(params, registry);
        mTrackingKeyManager = keyManager;
    }

    public static EmailClientConnectionManager newInstance(HttpParams params) {
        TrackingKeyManager keyManager = new TrackingKeyManager();

        // Create a registry for our three schemes; http and https will use built-in factories
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http",
                PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https",
                SSLUtils.getHttpSocketFactory(false, keyManager), 443));

        // Register the httpts scheme with our insecure factory
        registry.register(new Scheme("httpts",
                SSLUtils.getHttpSocketFactory(true /*insecure*/, keyManager), 443));

        return new EmailClientConnectionManager(params, registry, keyManager);
    }

    /**
     * Ensures that a client SSL certificate is known to be used for the specified connection
     * manager.
     * A {@link SchemeRegistry} is used to denote which client certificates to use for a given
     * connection, so clients of this connection manager should use
     * {@link #makeSchemeForClientCert(String, boolean)}.
     */
    public synchronized void registerClientCert(
            Context context, String clientCertAlias, boolean trustAllServerCerts)
            throws CertificateException {
        SchemeRegistry registry = getSchemeRegistry();
        String schemeName = makeSchemeForClientCert(clientCertAlias, trustAllServerCerts);
        Scheme existing = registry.get(schemeName);
        if (existing == null) {
            if (LOG_ENABLED) {
                Log.i(Logging.LOG_TAG, "Registering socket factory for certificate alias ["
                        + clientCertAlias + "]");
            }
            KeyManager keyManager = KeyChainKeyManager.fromAlias(context, clientCertAlias);
            SSLCertificateSocketFactory underlying = SSLUtils.getSSLSocketFactory(
                    trustAllServerCerts);
            underlying.setKeyManagers(new KeyManager[] { keyManager });
            registry.register(new Scheme(schemeName, new SSLSocketFactory(underlying), 443));
        }
    }

    /**
     * Unregisters a custom connection type that uses a client certificate on the connection
     * manager.
     * @see #registerClientCert(Context, String, boolean)
     */
    public synchronized void unregisterClientCert(
            String clientCertAlias, boolean trustAllServerCerts) {
        SchemeRegistry registry = getSchemeRegistry();
        String schemeName = makeSchemeForClientCert(clientCertAlias, trustAllServerCerts);
        Scheme existing = registry.get(schemeName);
        if (existing != null) {
            registry.unregister(schemeName);
        }
    }

    /**
     * Builds a custom scheme name to be used in a connection manager according to the connection
     * parameters.
     */
    public static String makeScheme(
            boolean useSsl, boolean trustAllServerCerts, String clientCertAlias) {
        if (clientCertAlias != null) {
            return makeSchemeForClientCert(clientCertAlias, trustAllServerCerts);
        } else {
            return useSsl ? (trustAllServerCerts ? "httpts" : "https") : "http";
        }
    }

    /**
     * Builds a unique scheme name for an SSL connection that uses a client user certificate.
     */
    private static String makeSchemeForClientCert(
            String clientCertAlias, boolean trustAllServerCerts) {
        String safeAlias = SSLUtils.escapeForSchemeName(clientCertAlias);
        return (trustAllServerCerts ? "httpts" : "https") + "+clientCert+" + safeAlias;
    }

    /**
     * @param since A timestamp in millis from epoch from which to check
     * @return whether or not this connection manager has detected any unsatisfied requests for
     *     a client SSL certificate by any servers
     */
    public synchronized boolean hasDetectedUnsatisfiedCertReq(long since) {
        return mTrackingKeyManager.getLastCertReqTime() >= since;
    }
}