var forge = require('../js/forge');
var fs = require('fs');
var http = require('http');
//var rdf = require('./rdflib');
var sys = require('sys');
var urllib = require('url');
var ws = require('./ws');

// remove xmlns from input
var normalizeNs = function(input, ns) {
  var rval = null;

  // primitive
  if(typeof input === 'string' ||
    typeof input === 'number' ||
    typeof input === 'boolean') {
    rval = input;
  }
  // array
  else if(forge.util.isArray(input)) {
    rval = [];
    for(var i = 0; i < input.length; ++i) {
      rval.push(normalizeNs(input[i], ns));
    }
  }
  // object
  else {
    if('@' in input) {
      // copy namespace map
      var newNs = {};
      for(var key in ns) {
        newNs[key] = ns[key];
      }
      ns = newNs;

      // update namespace map
      for(var key in input['@']) {
        if(key.indexOf('xmlns:') === 0) {
          ns[key.substr(6)] = input['@'][key];
        }
      }
    }

    rval = {};
    for(var key in input) {
      if(key.indexOf('xmlns:') !== 0) {
        var value = input[key];
        var colon = key.indexOf(':');
        if(colon !== -1) {
          var prefix = key.substr(0, colon);
          if(prefix in ns) {
            key = ns[prefix] + key.substr(colon + 1);
          }
        }
        rval[key] = normalizeNs(value, ns);
      }
    }
  }

  return rval;
};

// gets public key from WebID rdf
var getPublicKey = function(data, uri, callback) {
  // FIXME: use RDF library to simplify code below
  //var kb = new rdf.RDFParser(rdf.IndexedFormula(), uri).loadBuf(data);
  //var CERT = rdf.Namespace('http://www.w3.org/ns/auth/cert#');
  //var RSA  = rdf.Namespace('http://www.w3.org/ns/auth/rsa#');
  var RDF = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#';
  var CERT = 'http://www.w3.org/ns/auth/cert#';
  var RSA  = 'http://www.w3.org/ns/auth/rsa#';
  var desc = RDF + 'Description';
  var about = RDF + 'about';
  var type = RDF + 'type';
  var resource = RDF + 'resource';
  var publicKey = RSA + 'RSAPublicKey';
  var modulus = RSA + 'modulus';
  var exponent = RSA + 'public_exponent';
  var identity = CERT + 'identity';
  var hex = CERT + 'hex';
  var decimal = CERT + 'decimal';

  // gets a resource identifer from a node
  var getResource = function(node, key) {
    var rval = null;

    // special case 'about'
    if(key === about) {
      if('@' in node && about in node['@']) {
        rval = node['@'][about];
      }
    }
    // any other resource
    else if(
       key in node &&
       typeof node[key] === 'object' && !forge.util.isArray(node[key]) &&
       '@' in node[key] && resource in node[key]['@']) {
      rval = node[key]['@'][resource];
    }

    return rval;
  };

  // parse XML
  uri = urllib.parse(uri);
  var xml2js = require('./xml2js');
  var parser = new xml2js.Parser();
  parser.addListener('end', function(result) {
    // normalize namespaces
    result = normalizeNs(result, {});

    // find grab all public keys whose identity matches hash from uri
    var keys = [];
    if(desc in result) {
      // normalize RDF descriptions to array
      if(!forge.util.isArray(result[desc])) {
        desc = [result[desc]];
      }
      else {
        desc = result[desc];
      }

      // collect properties for all resources
      var graph = {};
      for(var i = 0; i < desc.length; ++i) {
        var node = desc[i];
        var res = {};
        for(var key in node) {
          var obj = getResource(node, key);
          res[key] = (obj === null) ? node[key] : obj;
        }
        graph[getResource(node, about) || ''] = res;
      }

      // for every public key w/identity that matches the uri hash
      // save the public key modulus and exponent
      for(var r in graph) {
        var props = graph[r];
        if(identity in props &&
          type in props &&
          props[type] === publicKey &&
          props[identity] === uri.hash &&
          modulus in props &&
          exponent in props &&
          props[modulus] in graph &&
          props[exponent] in graph &&
          hex in graph[props[modulus]] &&
          decimal in graph[props[exponent]]) {
          keys.push({
            modulus: graph[props[modulus]][hex],
            exponent: graph[props[exponent]][decimal]
          });
        }
      }
    }

    sys.log('Public keys from RDF: ' + JSON.stringify(keys));
    callback(keys);
  });
  parser.parseString(data);
};

// compares two public keys for equality
var comparePublicKeys = function(key1, key2) {
  return key1.modulus === key2.modulus && key1.exponent === key2.exponent;
};

// gets the RDF data from a URL
var fetchUrl = function(url, callback, redirects) {
  // allow 3 redirects by default
  if(typeof(redirects) === 'undefined') {
    redirects = 3;
  }

  sys.log('Fetching URL: \"' + url + '\"');

  // parse URL
  url = forge.util.parseUrl(url);
  var client = http.createClient(
    url.port, url.fullHost, url.scheme === 'https');
  var request = client.request('GET', url.path, {
    'Host': url.host,
    'Accept': 'application/rdf+xml'
  });
  request.addListener('response', function(response) {
    var body = '';

    // error, return empty body
    if(response.statusCode >= 400) {
       callback(body);
    }
    // follow redirect
    else if(response.statusCode === 302) {
      if(redirects > 0) {
        // follow redirect
        fetchUrl(response.headers.location, callback, --redirects);
      }
      else {
        // return empty body
        callback(body);
      }
    }
    // handle data
    else {
      response.setEncoding('utf8');
      response.addListener('data', function(chunk) {
        body += chunk;
      });
      response.addListener('end', function() {
        callback(body);
      });
    }
  });
  request.end();
};

// does WebID authentication
var authenticateWebId = function(c, state) {
  var auth = false;

  // get client-certificate
  var cert = c.peerCertificate;

  // get public key from certificate
  var publicKey = {
    modulus: cert.publicKey.n.toString(16).toLowerCase(),
    exponent: cert.publicKey.e.toString(10)
  };

  sys.log(
    'Server verifying certificate w/CN: \"' +
    cert.subject.getField('CN').value + '\"\n' +
    'Public Key: ' + JSON.stringify(publicKey));

  // build queue of subject alternative names to authenticate with
  var altNames = [];
  var ext = cert.getExtension({name: 'subjectAltName'});
  if(ext !== null && ext.altNames) {
    for(var i = 0; i < ext.altNames.length; ++i) {
      var altName = ext.altNames[i];
      if(altName.type === 6) {
        altNames.push(altName.value);
      }
    }
  }

  // create authentication processor
  var authNext = function() {
    if(!auth) {
      // no more alt names, auth failed
      if(altNames.length === 0) {
        sys.log('WebID authentication FAILED.');
        c.prepare(JSON.stringify({
          success: false,
          error: 'Not Authenticated'
        }));
        c.close();
      }
      // try next alt name
      else {
        // fetch URL
        var url = altNames.shift();
        fetchUrl(url, function(body) {
          // get public key
          getPublicKey(body, url, function(keys) {
            // compare public keys from RDF until one matches
            for(var i = 0; !auth && i < keys.length; ++i) {
              auth = comparePublicKeys(keys[i], publicKey);
            }
            if(auth) {
              // send authenticated notice to client
              sys.log('WebID authentication PASSED.');
              state.authenticated = true;
              c.prepare(JSON.stringify({
                success: true,
                cert: forge.pki.certificateToPem(cert),
                webID: url,
                rdf: forge.util.encode64(body)
              }));
            }
            else {
              // try next alt name
              authNext();
            }
          });
        });
      }
    }
  };

  // do auth
  authNext();
};

// creates credentials (private key + certificate)
var createCredentials = function(cn, credentials) {
  sys.log('Generating 512-bit key-pair and certificate for \"' + cn + '\".');
  var keys = forge.pki.rsa.generateKeyPair(512);
  sys.log('key-pair created.');

  var cert = forge.pki.createCertificate();
  cert.serialNumber = '01';
  cert.validity.notBefore = new Date();
  cert.validity.notAfter = new Date();
  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
  var attrs = [{
    name: 'commonName',
    value: cn
  }, {
    name: 'countryName',
    value: 'US'
  }, {
    shortName: 'ST',
    value: 'Virginia'
  }, {
    name: 'localityName',
    value: 'Blacksburg'
  }, {
    name: 'organizationName',
    value: 'Test'
  }, {
    shortName: 'OU',
    value: 'Test'
  }];
  cert.setSubject(attrs);
  cert.setIssuer(attrs);
  cert.setExtensions([{
    name: 'basicConstraints',
    cA: true
  }, {
    name: 'keyUsage',
    keyCertSign: true,
    digitalSignature: true,
    nonRepudiation: true,
    keyEncipherment: true,
    dataEncipherment: true
  }, {
    name: 'subjectAltName',
    altNames: [{
      type: 6, // URI
      value: 'http://myuri.com/webid#me'
    }]
  }]);
  // FIXME: add subjectKeyIdentifier extension
  // FIXME: add authorityKeyIdentifier extension
  cert.publicKey = keys.publicKey;

  // self-sign certificate
  cert.sign(keys.privateKey);

  // save credentials
  credentials.key = forge.pki.privateKeyToPem(keys.privateKey);
  credentials.cert = forge.pki.certificateToPem(cert);

  sys.log('Certificate created for \"' + cn + '\": \n' + credentials.cert);
};

// initialize credentials
var credentials = {
  key: null,
  cert: null
};

// read private key from file
var readPrivateKey = function(filename) {
  credentials.key = fs.readFileSync(filename);
  // try to parse from PEM as test
  forge.pki.privateKeyFromPem(credentials.key);
};

// read certificate from file
var readCertificate = function(filename) {
  credentials.cert = fs.readFileSync(filename);
  // try to parse from PEM as test
  forge.pki.certificateFromPem(credentials.cert);
};

// parse command line options
var opts = require('opts');
var options = [
{ short       : 'v'
, long        : 'version'
, description : 'Show version and exit'
, callback    : function() { console.log('v1.0'); process.exit(1); }
},
{ short       : 'p'
, long        : 'port'
, description : 'The port to listen for WebSocket connections on'
, value       : true
},
{ long        : 'key'
, description : 'The server private key file to use in PEM format'
, value       : true
, callback    : readPrivateKey
},
{ long        : 'cert'
, description : 'The server certificate file to use in PEM format'
, value       : true
, callback    : readCertificate
}
];
opts.parse(options, true);

// create credentials for server
if(credentials.key === null || credentials.cert === null) {
  createCredentials('server', credentials);
}

// function to create TLS server connection
var createTls = function(websocket) {
  var state = {
    authenticated: false
  };
  return forge.tls.createConnection({
    server: true,
    caStore: [],
    sessionCache: {},
    // supported cipher suites in order of preference
    cipherSuites: [
       forge.tls.CipherSuites.TLS_RSA_WITH_AES_128_CBC_SHA,
       forge.tls.CipherSuites.TLS_RSA_WITH_AES_256_CBC_SHA],
    connected: function(c) {
      sys.log('Server connected');

      // do WebID authentication
      try {
        authenticateWebId(c, state);
      }
      catch(ex) {
        c.close();
      }
    },
    verifyClient: true,
    verify: function(c, verified, depth, certs) {
      // accept certs w/unknown-CA (48)
      if(verified === 48) {
        verified = true;
      }
      return verified;
    },
    getCertificate: function(c, hint) {
       sys.log('Server using certificate for \"' + hint[0] + '\"');
       return credentials.cert;
    },
    getPrivateKey: function(c, cert) {
       return credentials.key;
    },
    tlsDataReady: function(c) {
       // send base64-encoded TLS data over websocket
       websocket.write(forge.util.encode64(c.tlsData.getBytes()));
    },
    dataReady: function(c) {
      // ignore any data until connection is authenticated
      if(state.authenticated) {
        sys.log('Server received \"' + c.data.getBytes() + '\"');
      }
    },
    closed: function(c) {
      sys.log('Server disconnected');
      websocket.end();
    },
    error: function(c, error) {
      sys.log('Server error: ' + error.message);
    }
  });
};

// create websocket server
var port = opts.get('port') || 8080;
ws.createServer(function(websocket) {
  // create TLS server connection
  var tls = createTls(websocket);

  websocket.addListener('connect', function(resource) {
    sys.log('WebSocket connected: ' + resource);

    // close connection after 30 second timeout
    setTimeout(websocket.end, 30 * 1000);
  });

  websocket.addListener('data', function(data) {
    // base64-decode data and process it
    tls.process(forge.util.decode64(data));
  });

  websocket.addListener('close', function() {
    sys.log('WebSocket closed');
  });
}).listen(port);

sys.log('WebSocket WebID server running on port ' + port);