/*
 * Copyright 2005-2010 the original author or authors.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.wamblee.security.authorization;

import java.util.ArrayList;
import java.util.List;

import javax.persistence.CascadeType;
import javax.persistence.DiscriminatorValue;
import javax.persistence.Entity;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.OneToMany;
import javax.persistence.OrderColumn;
import javax.persistence.Transient;

import org.wamblee.security.authentication.UserAccessor;
import org.wamblee.security.authentication.UserAdministration;

/**
 * Default implementation of an authorization service. To determine whether
 * access to a resource is allowed, the service consults a number of
 * authorization rules in a fixed order. The first rule that gives a result
 * GRANTED or DENIED determines the result of the evaluation. Rules that return
 * any other result are ignoed. If none of the rules match, than access is
 * denied.
 * 
 * @author Erik Brakkee
 */
@Entity
@DiscriminatorValue("DEFAULT")
public class DefaultAuthorizationService extends AbstractAuthorizationService {

    /**
     * List of ordered authorization rules.
     */
    @OneToMany(cascade = CascadeType.ALL, orphanRemoval = true, targetEntity = AbstractAuthorizationRule.class)
    @JoinTable(name = "SEC_AUTH_SVC_RULE", joinColumns = { @JoinColumn(name = "SVC_ID") }, inverseJoinColumns = { @JoinColumn(name = "RULE_ID") })
    @OrderColumn(name = "RULE_INDEX")
    private List<AuthorizationRule> rules;

    /**
     * User accessor used to obtain the current user.
     */
    @Transient
    private UserAccessor userAccessor;

    @Transient
    private UserAdministration userAdmin;

    /**
     * Constructs the service.
     * 
     * @param aAccessor
     *            User accessor.
     * @param aUserAdmin
     *            User administration.
     * @param aName
     *            Name of this instance of the service.
     */
    public DefaultAuthorizationService(UserAccessor aAccessor,
        UserAdministration aUserAdmin, String aName) {
        super(aName);
        rules = new ArrayList<AuthorizationRule>();
        userAccessor = aAccessor;
        userAdmin = aUserAdmin;
    }

    /**
     * Constructs the authorization service.
     */
    public DefaultAuthorizationService() {
        rules = new ArrayList<AuthorizationRule>();
        userAccessor = null;
        userAdmin = null;
    }

    @Override
    public void setUserAccessor(UserAccessor aUserAccessor) {
        userAccessor = aUserAccessor;
    }

    @Override
    public void setUserAdministration(UserAdministration aUserAdmin) {
        userAdmin = aUserAdmin;
        for (AuthorizationRule rule : rules) {
            rule.setUserAdministration(userAdmin);
        }
    }

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.wamblee.security.authorization.AuthorizationService#isAllowed(java
     * .lang.Object, org.wamblee.security.authorization.Operation)
     */
    public boolean isAllowed(Object aResource, Operation aOperation) {
        String user = userAccessor.getCurrentUser();

        for (AuthorizationRule rule : rules) {
            switch (rule.isAllowed(aResource, aOperation, user)) {
            case DENIED:
                return false;

            case GRANTED:
                return true;
            }
        }

        return false;
    }

    /*
     * (non-Javadoc)
     * 
     * @see org.wamblee.security.authorization.AuthorizationService#check(T,
     * org.wamblee.security.authorization.Operation)
     */
    public <T> T check(T aResource, Operation aOperation) {
        if (!isAllowed(aResource, aOperation)) {
            throw new AuthorizationException(aResource, aOperation);
        }

        return aResource;
    }

    /*
     * (non-Javadoc)
     * 
     * @see org.wamblee.security.authorization.AuthorizationService#getRules()
     */
    public AuthorizationRule[] getRules() {
        return rules.toArray(new AbstractAuthorizationRule[0]);
    }

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.wamblee.security.authorization.AuthorizationService#appendRule(org
     * .wamblee.security.authorization.AuthorizationRule)
     */
    public void appendRule(AuthorizationRule aRule) {
        aRule.setUserAdministration(userAdmin);
        rules.add(aRule);
    }

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.wamblee.security.authorization.AuthorizationService#insertRuleAfter
     * (int, org.wamblee.security.authorization.AuthorizationRule)
     */
    public void insertRuleAfter(int aIndex, AuthorizationRule aRule) {
        aRule.setUserAdministration(userAdmin);
        rules.add(aIndex, aRule);
    }

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.wamblee.security.authorization.AuthorizationService#removeRule(int)
     */
    public void removeRule(int aIndex) {
        rules.remove(aIndex);
    }

    /**
     * For OR mapping.
     * 
     * @return The rules.
     */
    protected List<AuthorizationRule> getMappedRules() {
        return rules;
    }

    /**
     * For OR mapping.
     * 
     * @param aRules
     *            The rules.
     */
    protected void setMappedRules(List<AuthorizationRule> aRules) {
        rules = aRules;
        for (AuthorizationRule rule : rules) {
            rule.setUserAdministration(userAdmin);
        }
    }
}