//------------------------------------------------------------------------------
//     Copyright (c) Microsoft Corporation.  All rights reserved.
//------------------------------------------------------------------------------
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Diagnostics.Application;
using System.Runtime;
using System.Runtime.Diagnostics;
using System.Security.Claims;
using System.Security.Principal;
using System.Xml;
namespace System.IdentityModel.Tokens
{
    /// 
    /// SecurityTokenHandler for KerberosReceiverSecurityToken.
    /// 
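    /// <summary>
    /// <see cref="SecurityTokenHandler"/> for <see cref="KerberosReceiverSecurityToken"/>.
    /// </summary>
    /// <remarks>
    /// This handler does not itself verify a Kerberos ticket. It accepts a receiver token whose
    /// <see cref="KerberosReceiverSecurityToken.WindowsIdentity"/> is already populated (presumably
    /// established when the receiver token was constructed — confirm against
    /// <see cref="KerberosReceiverSecurityToken"/>) and re-wraps that identity as the validation
    /// result, adding authentication-method and authentication-instant claims.
    /// </remarks>
    public class KerberosSecurityTokenHandler : SecurityTokenHandler
    {
        // readonly: this array is handed straight back to callers by GetTokenTypeIdentifiers, so the
        // field reference itself must never be swappable. Callers still receive the shared instance
        // (the base-class contract returns string[]) and must treat it as read-only.
        static readonly string[] _tokenTypeIdentifiers = new string[] { SecurityTokenTypes.Kerberos };

        /// <summary>
        /// Creates an instance of <see cref="KerberosSecurityTokenHandler"/>.
        /// </summary>
        public KerberosSecurityTokenHandler()
        {
        }

        /// <summary>
        /// Gets a value indicating whether the handler can validate tokens. Always returns true.
        /// </summary>
        public override bool CanValidateToken
        {
            get { return true; }
        }

        /// <summary>
        /// Gets the <see cref="System.Type"/> of token this handler processes:
        /// <see cref="KerberosReceiverSecurityToken"/>.
        /// </summary>
        public override Type TokenType
        {
            get { return typeof(KerberosReceiverSecurityToken); }
        }

        /// <summary>
        /// Gets the Kerberos security token type identifier defined in the WS-Security Kerberos
        /// Token Profile (<see cref="SecurityTokenTypes.Kerberos"/>).
        /// </summary>
        /// <returns>The shared identifier array; callers must not modify it.</returns>
        public override string[] GetTokenTypeIdentifiers()
        {
            return _tokenTypeIdentifiers;
        }

        /// <summary>
        /// Validates a <see cref="KerberosReceiverSecurityToken"/> and returns the Windows identity it carries.
        /// </summary>
        /// <param name="token">The <see cref="KerberosReceiverSecurityToken"/> to validate.</param>
        /// <returns>
        /// A read-only collection holding exactly one <see cref="WindowsIdentity"/>: an independent copy
        /// of the identity on <paramref name="token"/> with AuthenticationInstant and AuthenticationMethod
        /// claims added, and a <see cref="BootstrapContext"/> attached when
        /// <c>Configuration.SaveBootstrapContext</c> is set. The handler does not dispose the returned
        /// identity.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="token"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="token"/> is not a <see cref="KerberosReceiverSecurityToken"/>.</exception>
        /// <exception cref="InvalidOperationException">
        /// <see cref="SecurityTokenHandler.Configuration"/> is null, or the token's
        /// <see cref="KerberosReceiverSecurityToken.WindowsIdentity"/> is null.
        /// </exception>
        /// <remarks>
        /// No Kerberos ticket verification happens in this method: a non-null <c>WindowsIdentity</c> on
        /// the receiver token is taken as evidence that authentication already succeeded. The
        /// AuthenticationInstant claim records when this handler ran, not when the client authenticated
        /// or when the ticket was issued.
        /// </remarks>
        public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
        {
            if (token == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
            }

            KerberosReceiverSecurityToken kerbToken = token as KerberosReceiverSecurityToken;
            if (kerbToken == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("token", SR.GetString(SR.ID0018, typeof(KerberosReceiverSecurityToken)));
            }

            // Checked outside the try so a misconfigured handler is reported as such rather than
            // being traced as a token-validation failure.
            if (this.Configuration == null)
            {
                throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
            }

            try
            {
                if (kerbToken.WindowsIdentity == null)
                {
                    throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4026));
                }

                // KerberosReceiverSecurityToken is disposable and Dispose() nulls out its WindowsIdentity,
                // so the caller gets an independent WindowsIdentity built from the same token handle.
                // The AuthenticationType was set when kerbToken was created.
                WindowsIdentity wi = new WindowsIdentity(kerbToken.WindowsIdentity.Token, kerbToken.WindowsIdentity.AuthenticationType);
                try
                {
                    // PARTIAL TRUST: AddClaim is SecurityCritical and will throw here.
                    wi.AddClaim(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated), ClaimValueTypes.DateTime));
                    wi.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Windows, ClaimValueTypes.String));

                    if (this.Configuration.SaveBootstrapContext)
                    {
                        wi.BootstrapContext = new BootstrapContext(token, this);
                    }
                }
                catch (Exception inner)
                {
                    // The copy will never reach the caller; release it now rather than leaving the
                    // duplicated identity to the finalizer. Skip the cleanup on fatal exceptions,
                    // matching the Fx.IsFatal convention used below.
                    if (!Fx.IsFatal(inner))
                    {
                        wi.Dispose();
                    }
                    throw;
                }

                this.TraceTokenValidationSuccess(token);

                List<ClaimsIdentity> identities = new List<ClaimsIdentity>(1);
                identities.Add(wi);
                return identities.AsReadOnly();
            }
            catch (Exception e)
            {
                if (Fx.IsFatal(e))
                {
                    throw;
                }

                this.TraceTokenValidationFailure(token, e.Message);

                // `throw;` rather than `throw e;` so the original stack trace is preserved
                // for whoever handles the failure.
                throw;
            }
        }
    }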
}