/*
 * Copyright 2005-2010 the original author or authors.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */ 
package org.wamblee.security.authorization;

import javax.persistence.DiscriminatorColumn;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Inheritance;
import javax.persistence.InheritanceType;
import javax.persistence.Table;
import javax.persistence.Version;

import org.wamblee.persistence.Persistent;

import org.wamblee.usermgt.User;

/**
 * Represents an authorization rule to determine whether an operation is allowed
 * on a resource.
 * 
 * @author Erik Brakkee
 */
@Entity
@Table(name = "SEC_AUTH_RULE")
@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
@DiscriminatorColumn(name = "TYPE")
public abstract class AuthorizationRule {
    
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long primaryKey;

    @Version
    private int version;
    
    public AuthorizationRule() { 
        // Empty
    }
    
    public AuthorizationRule(AuthorizationRule aRule) { 
        primaryKey = aRule.primaryKey;
        version = aRule.version;
    }
    
    /**
     * Returns the supported object types for which this authorization rule
     * applies. This can be used by the authorization service for optimization.
     * 
     * @return Array of supported types.
     */
    public abstract Class[] getSupportedTypes();

    /**
     * Determines whether an operation is allowed on a certain resource. The
     * rule implementation must be prepared to deal with resources for which it
     * does not apply. In those cases it should return
     * {@link AuthorizationResult#UNSUPPORTED_RESOURCE}.
     * 
     * @param aResource
     *            Resource.
     * @param aOperation
     *            Operation.
     * @param aUser
     *            Current user.
     * 
     * @return Authorization result.
     */
    public abstract AuthorizationResult isAllowed(Object aResource, Operation aOperation,
        User aUser);
}