package org.apache.archiva.redback.authorization.rbac;

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

import org.apache.archiva.redback.authorization.AuthorizationDataSource;
import org.apache.archiva.redback.authorization.AuthorizationException;
import org.apache.archiva.redback.authorization.AuthorizationResult;
import org.apache.archiva.redback.authorization.Authorizer;
import org.apache.archiva.redback.authorization.NotAuthorizedException;
import org.apache.archiva.redback.authorization.rbac.evaluator.PermissionEvaluationException;
import org.apache.archiva.redback.authorization.rbac.evaluator.PermissionEvaluator;
import org.apache.archiva.redback.rbac.Permission;
import org.apache.archiva.redback.rbac.RBACManager;
import org.apache.archiva.redback.rbac.RbacManagerException;
import org.apache.archiva.redback.rbac.RbacObjectNotFoundException;
import org.apache.archiva.redback.users.User;
import org.apache.archiva.redback.users.UserManager;
import org.apache.archiva.redback.users.UserManagerException;
import org.apache.archiva.redback.users.UserNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

import javax.inject.Inject;
import javax.inject.Named;
import java.util.List;
import java.util.Map;

/**
 * RbacAuthorizer:
 *
 * @author Jesse McConnell
 */
@Service("authorizer#rbac")
public class RbacAuthorizer
    implements Authorizer
{
    private Logger log = LoggerFactory.getLogger( getClass() );

    @Inject
    @Named(value = "rbacManager#default")
    private RBACManager manager;

    @Inject
    @Named(value = "userManager#default")
    private UserManager userManager;

    @Inject
    private PermissionEvaluator evaluator;

    public String getId()
    {
        return "rbac";
    }

    /**
     * @param source
     * @return
     * @throws AuthorizationException
     */
    public AuthorizationResult isAuthorized( AuthorizationDataSource source )
        throws AuthorizationException
    {
        String principal = source.getPrincipal();
        String operation = source.getPermission();
        String resource = source.getResource();

        try
        {
            if ( principal != null )
            {
                // Set permissions = manager.getAssignedPermissions( principal.toString(), operation );
                Map<String, List<? extends Permission>> permissionMap = manager.getAssignedPermissionMap( principal );

                if ( permissionMap.keySet().contains( operation ) )
                {
                    for ( Permission permission : permissionMap.get( operation ) )
                    {

                        log.debug( "checking permission {} for operation {} resource {}",
                                   ( permission != null ? permission.getName() : "null" ), operation, resource );

                        if ( evaluator.evaluate( permission, operation, resource, principal ) )
                        {
                            return new AuthorizationResult( true, permission, null );
                        }
                    }

                    log.debug( "no permission found for operation {} resource {}", operation, resource );
                }
                else
                {
                    log.debug( "permission map does not contain operation: {}", operation );
                }
            }
            // check if guest user is enabled, if so check the global permissions
            User guest = userManager.getGuestUser();

            if ( !guest.isLocked() )
            {
                // Set permissions = manager.getAssignedPermissions( principal.toString(), operation );
                Map<String, List<? extends Permission>> permissionMap = manager.getAssignedPermissionMap( guest.getUsername() );

                if ( permissionMap.keySet().contains( operation ) )
                {
                    for ( Permission permission : permissionMap.get( operation ) )
                    {
                        log.debug( "checking permission {}", permission.getName() );

                        if ( evaluator.evaluate( permission, operation, resource, guest.getUsername() ) )
                        {
                            return new AuthorizationResult( true, permission, null );
                        }
                    }
                }
            }

            return new AuthorizationResult( false, null, new NotAuthorizedException( "no matching permissions" ) );
        }
        catch ( PermissionEvaluationException pe )
        {
            return new AuthorizationResult( false, null, pe );
        }
        catch ( RbacObjectNotFoundException nfe )
        {
            return new AuthorizationResult( false, null, nfe );
        }
        catch ( UserNotFoundException ne )
        {
            return new AuthorizationResult( false, null,
                                            new NotAuthorizedException( "no matching permissions, guest not found" ) );
        }
        catch ( RbacManagerException rme )
        {
            return new AuthorizationResult( false, null, rme );
        }
        catch ( UserManagerException e )
        {
            return new AuthorizationResult( false, null, e );
        }
    }

    public RBACManager getManager()
    {
        return manager;
    }

    public void setManager( RBACManager manager )
    {
        this.manager = manager;
    }

    public UserManager getUserManager()
    {
        return userManager;
    }

    public void setUserManager( UserManager userManager )
    {
        this.userManager = userManager;
    }

    public PermissionEvaluator getEvaluator()
    {
        return evaluator;
    }

    public void setEvaluator( PermissionEvaluator evaluator )
    {
        this.evaluator = evaluator;
    }

    public boolean isFinalImplementation()
    {
        return true;
    }

    public String getDescriptionKey()
    {
        return "archiva.redback.authorizer.rbac";
    }
}