/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.io.crypto.tls;

import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.X509ExtendedTrustManager;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * A custom TrustManager that supports hostname verification We attempt to perform verification
 * using just the IP address first and if that fails will attempt to perform a reverse DNS lookup
 * and verify using the hostname. This file has been copied from the Apache ZooKeeper project.
 * @see <a href=
 *      "https://github.com/apache/zookeeper/blob/c74658d398cdc1d207aa296cb6e20de00faec03e/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKTrustManager.java">Base
 *      revision</a>
 */
@InterfaceAudience.Private
public class HBaseTrustManager extends X509ExtendedTrustManager {

  private static final Logger LOG = LoggerFactory.getLogger(HBaseTrustManager.class);

  private final X509ExtendedTrustManager x509ExtendedTrustManager;
  private final boolean hostnameVerificationEnabled;
  private final boolean allowReverseDnsLookup;

  private final HBaseHostnameVerifier hostnameVerifier;

  /**
   * Instantiate a new HBaseTrustManager.
   * @param x509ExtendedTrustManager    The trustmanager to use for
   *                                    checkClientTrusted/checkServerTrusted logic
   * @param hostnameVerificationEnabled If true, this TrustManager should verify hostnames of peers
   *                                    when checking trust.
   * @param allowReverseDnsLookup       If true, we will fall back on reverse dns if resolving of
   *                                    host fails
   */
  HBaseTrustManager(X509ExtendedTrustManager x509ExtendedTrustManager,
    boolean hostnameVerificationEnabled, boolean allowReverseDnsLookup) {
    this.x509ExtendedTrustManager = x509ExtendedTrustManager;
    this.hostnameVerificationEnabled = hostnameVerificationEnabled;
    this.allowReverseDnsLookup = allowReverseDnsLookup;
    this.hostnameVerifier = new HBaseHostnameVerifier();
  }

  @Override
  public X509Certificate[] getAcceptedIssuers() {
    return x509ExtendedTrustManager.getAcceptedIssuers();
  }

  @Override
  public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
    throws CertificateException {
    x509ExtendedTrustManager.checkClientTrusted(chain, authType, socket);
    if (hostnameVerificationEnabled) {
      performHostVerification(socket.getInetAddress(), chain[0]);
    }
  }

  @Override
  public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
    throws CertificateException {
    x509ExtendedTrustManager.checkServerTrusted(chain, authType, socket);
    if (hostnameVerificationEnabled) {
      performHostVerification(socket.getInetAddress(), chain[0]);
    }
  }

  @Override
  public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
    throws CertificateException {
    x509ExtendedTrustManager.checkClientTrusted(chain, authType, engine);
    if (hostnameVerificationEnabled) {
      try {
        performHostVerification(InetAddress.getByName(engine.getPeerHost()), chain[0]);
      } catch (UnknownHostException e) {
        throw new CertificateException("Failed to verify host", e);
      }
    }
  }

  @Override
  public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
    throws CertificateException {
    x509ExtendedTrustManager.checkServerTrusted(chain, authType, engine);
    if (hostnameVerificationEnabled) {
      try {
        performHostVerification(InetAddress.getByName(engine.getPeerHost()), chain[0]);
      } catch (UnknownHostException e) {
        throw new CertificateException("Failed to verify host", e);
      }
    }
  }

  @Override
  public void checkClientTrusted(X509Certificate[] chain, String authType)
    throws CertificateException {
    x509ExtendedTrustManager.checkClientTrusted(chain, authType);
  }

  @Override
  public void checkServerTrusted(X509Certificate[] chain, String authType)
    throws CertificateException {
    x509ExtendedTrustManager.checkServerTrusted(chain, authType);
  }

  /**
   * Compares peer's hostname with the one stored in the provided client certificate. Performs
   * verification with the help of provided HostnameVerifier.
   * @param inetAddress Peer's inet address.
   * @param certificate Peer's certificate
   * @throws CertificateException Thrown if the provided certificate doesn't match the peer
   *                              hostname.
   */
  private void performHostVerification(InetAddress inetAddress, X509Certificate certificate)
    throws CertificateException {
    String hostAddress = "";
    String hostName = "";
    try {
      hostAddress = inetAddress.getHostAddress();
      hostnameVerifier.verify(hostAddress, certificate);
    } catch (SSLException addressVerificationException) {
      // If we fail with hostAddress, we should try the hostname.
      // The inetAddress may have been created with a hostname, in which case getHostName() will
      // return quickly below. If not, a reverse lookup will happen, which can be expensive.
      // We provide the option to skip the reverse lookup if preferring to fail fast.

      // Handle logging here to aid debugging. The easiest way to check for an existing
      // hostname is through toString, see javadoc.
      String inetAddressString = inetAddress.toString();
      if (!inetAddressString.startsWith("/")) {
        LOG.debug(
          "Failed to verify host address: {}, but inetAddress {} has a hostname, trying that",
          hostAddress, inetAddressString, addressVerificationException);
      } else if (allowReverseDnsLookup) {
        LOG.debug(
          "Failed to verify host address: {}, attempting to verify host name with reverse dns",
          hostAddress, addressVerificationException);
      } else {
        LOG.debug("Failed to verify host address: {}, but reverse dns lookup is disabled",
          hostAddress, addressVerificationException);
        throw new CertificateException(
          "Failed to verify host address, and reverse lookup is disabled",
          addressVerificationException);
      }

      try {
        hostName = inetAddress.getHostName();
        hostnameVerifier.verify(hostName, certificate);
      } catch (SSLException hostnameVerificationException) {
        LOG.error("Failed to verify host address: {}", hostAddress, addressVerificationException);
        LOG.error("Failed to verify hostname: {}", hostName, hostnameVerificationException);
        throw new CertificateException("Failed to verify both host address and host name",
          hostnameVerificationException);
      }
    }
  }

}