/*
 * Copyright 2012 gitblit.com.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.gitblit;

import java.io.File;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.util.Collection;

import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.gitblit.utils.StringUtils;

/**
 * Special SSL context factory that configures Gitblit GO and replaces the
 * primary trustmanager with a GitblitTrustManager.
 *
 * @author James Moger
 */
public class GitblitSslContextFactory extends SslContextFactory {

	private static final Logger logger = LoggerFactory.getLogger(GitblitSslContextFactory.class);

	private final File caRevocationList;

	public GitblitSslContextFactory(String certAlias, File keyStore, File clientTrustStore,
			String storePassword, File caRevocationList) {
		super(keyStore.getAbsolutePath());

		this.caRevocationList = caRevocationList;

		// disable renegotiation unless this is a patched JVM
		boolean allowRenegotiation = false;
		String v = System.getProperty("java.version");
		if (v.startsWith("1.7")) {
			allowRenegotiation = true;
		} else if (v.startsWith("1.6")) {
			// 1.6.0_22 was first release with RFC-5746 implemented fix.
			if (v.indexOf('_') > -1) {
				String b = v.substring(v.indexOf('_') + 1);
				if (Integer.parseInt(b) >= 22) {
					allowRenegotiation = true;
				}
			}
		}
		if (allowRenegotiation) {
			logger.info("   allowing SSL renegotiation on Java " + v);
			setAllowRenegotiate(allowRenegotiation);
		}


		if (!StringUtils.isEmpty(certAlias)) {
			logger.info("   certificate alias = " + certAlias);
			setCertAlias(certAlias);
		}
		setKeyStorePassword(storePassword);
		setTrustStore(clientTrustStore.getAbsolutePath());
		setTrustStorePassword(storePassword);

		logger.info("   keyStorePath   = " + keyStore.getAbsolutePath());
		logger.info("   trustStorePath = " + clientTrustStore.getAbsolutePath());
		logger.info("   crlPath        = " + caRevocationList.getAbsolutePath());
	}

	@Override
	protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls)
			throws Exception {
		TrustManager[] managers = super.getTrustManagers(trustStore, crls);
		X509TrustManager delegate = (X509TrustManager) managers[0];
		GitblitTrustManager root = new GitblitTrustManager(delegate, caRevocationList);

		// replace first manager with the GitblitTrustManager
		managers[0] = root;
		return managers;
	}
}