/**
    * Copyright 2005-2007 the original author or authors.
    *
    * Licensed under the Gnu General Pubic License, Version 2.0 (the
    * "License"); you may not use this file except in compliance with
    * the License. You may obtain a copy of the License at
    *
    *      http://www.opensource.org/licenses/gpl-license.php
    *
   * This program is distributed in the hope that it will be useful,
   * but WITHOUT ANY WARRANTY; without even the implied warranty of
   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
   * See the Gnu General Public License for more details.
   */
  package org.figure8.join.control;
  
  import org.figure8.join.control.config.RoleConfig;
  import org.figure8.join.control.config.AccessControlConfig;
  import org.figure8.join.control.config.AccessControlRuleSet;
  import org.figure8.join.control.config.ActionConstraintConfig;
  import org.figure8.join.control.config.OperationConstraintConfig;
  import org.figure8.join.services.cache.Cache;
  import org.figure8.join.services.cache.EternalCacheKeys;
  import org.figure8.join.services.cache.EternalCacheAccessor;
  import org.figure8.join.businessobjects.security.Role;
  import org.figure8.join.util.LogUtil;
  
  import org.xml.sax.InputSource;
  import org.apache.commons.logging.Log;
  import org.apache.commons.digester.Digester;
  
  import javax.servlet.Filter;
  import javax.servlet.FilterChain;
  import javax.servlet.FilterConfig;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.ServletException;
  import javax.servlet.UnavailableException;
  import javax.servlet.ServletContext;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  
  import java.net.URL;
  import java.io.InputStream;
  import java.io.IOException;
  import java.util.Iterator;
  import java.util.Collection;
  /**
   * Servlet filter that checks is user associated with request we are
   * processing is allowed to call the specified action or business operation
   * with the action.
   * @author  <a href="mailto:laurent.broudoux@free.fr">Laurent Broudoux</a>
   * @version $Revision: 1.2 $
   */
  public class AccessControlFilter implements Filter{
  
     // Static -------------------------------------------------------------------
  
     /** Get a commons logger. */
     private static final Log log = LogUtil.getLog(AccessControlFilter.class);
  
  
     // Attributes ---------------------------------------------------------------
     
     /** The context relative name of the XML configuration file. */
     private String config;
     /** The filter configuration object we are associated with. */
     private FilterConfig filterConfig;
     /** The Access control configuration object (retrieved from servlet context). */
     private AccessControlConfig accessConfig;
     
     
     // Constructors -------------------------------------------------------------
     
     /** Creates a new AccessControlFilter instance. */
     public AccessControlFilter(){
     }
     
     
     // Implementation of Filter -------------------------------------------------
     
     /**
      * Called by the web container to indicate to a filter that is being placed
      * into service. This method stores filterConfig into inner attribute and
      * creates an AccessControlConfig object by "digestering" the join-access-control.xml
      * configuration file.
      * @param filterConfig The configuration of this filter
      * @throws ServletException if app servlet context is not correctly initialized
      */
     public void init(FilterConfig filterConfig) throws ServletException{
        this.filterConfig = filterConfig;
  
        // Retrieve configuration file name.
        config = filterConfig.getInitParameter("config");
        log.info("Initializing AccessControlFilter with: " + config);
        
        InputStream input = null;
        try{
           accessConfig = new AccessControlConfig();
          // Init digester with correct rules and push accessConfig.
          Digester digester = initDigester();
          digester.push(accessConfig);
          // Parse the security control configuration.
          URL url = filterConfig.getServletContext().getResource(config);
          InputSource is = new InputSource(url.toExternalForm());
          input = filterConfig.getServletContext().getResourceAsStream(config);
          is.setByteStream(input);
          
          digester.parse(is);
       }
       catch (Exception e){
          // Log and propagate.
          log.error("AccessControl configuration file cannot be parsed !");
          log.error("Here's the detailed message: " + e.getMessage());
          throw new UnavailableException("Access Control configuration file cannot be parsed.");
       }
       finally{
          // Try to close input stream.
          if (input != null){
             try {input.close();}
             catch (Exception ee) {/* Do nothing here */}
          }
       }
       log.info("Filter initialized. AccessControlFilter is enable");
    }
    
    /**
     * Apply the Access Control filter to rh request we are processing. This
     * involves using the AccessControlConfig object created during initilization
     * to check if there's constraints on the current requested action and
     * business operation.<br/>
     * If user is allowed to call action or business operation, <code>chain.doFilter()
     * </code> is called. Else, user response is redierect to the page stored
     * under "authorization.fails.url" servlet context attribute.
     * @param request The servlet request we are processing
     * @param response The servlet response we are creating
     * @param chain The filter chain we are processing
     * @exception IOException if an input/output error occurs
     * @exception ServletException if a servlet error occurs
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException{
 
       // Identify the path component we will use to select a constraint.
       String path = extractPath((HttpServletRequest)request);
       if (log.isDebugEnabled())
          log.debug("Applying AccessControlFilter for path: " + path);
       
       if (path != null){
          // Is there any ActionConstraint config for this path ?
          ActionConstraintConfig constraint = accessConfig.findActionConstraint(path);
          
          if (constraint != null){
             boolean hasRole = false;
             // Is there any roles associated to action or operation ?
             Collection roles = getRequiredRoles((HttpServletRequest)request, constraint);
             
             if (roles != null && !roles.isEmpty()){
                // Try retrieving roles from cache.
                Cache roleCache = getRoleNameToRoleCache(filterConfig.getServletContext());
                if (roleCache == null){
                   // Log an throw an exception.
                   log.error("Application is in illegal state: Role cache is not present in context");
                   throw new IllegalStateException("App. is in illegal state: Role cache is not present in context");
                }
                // Get the user container associated with request.
                UserContainer container = JoinAction.getUserContainer((HttpServletRequest)request);
 
                // Check if the user has one of the specified roles.
                Iterator iterator = roles.iterator();
                while (iterator.hasNext() && !hasRole){
                   RoleConfig role = (RoleConfig)iterator.next();
                   Role cachedRole = (Role)roleCache.get(role.getName());
                   // Test role config upon container.
                   if (!role.hasResource())
                      hasRole = container.isUserInRole(cachedRole);
                   else if (!role.hasResourceParameter())
                      hasRole = container.isUserInRoleForResource(cachedRole, role.getResource());
                   else{
                      String resourceId = request.getParameter(role.getResourceParameter());
                      try{
                         // Retrieve resource for check if everything is ok.
                         if (resourceId != null && cachedRole.getPermissionResourceResolver() != null){
                            Object resource = cachedRole.getPermissionResourceResolver().getResource(resourceId);
                            hasRole = container.isUserInRoleForResource(cachedRole, resource);
                         }
                      }
                      catch (Throwable t){
                         // Just warn into logs...
                         log.warn("Throwable was caught when checking authorization for " + path);
                         log.warn("Maybe join-access-control.xml is misconfigured or cached roles out of synch ?...");
                      }
                   }
                }
             }
             else{
                if (log.isDebugEnabled())
                   log.debug("No required role for this path: allowing user to access");
                hasRole = true;
             }
             
             if (!hasRole){
                if (log.isDebugEnabled())
                   log.debug("Required role is not endorsed by user: forwarding to authorization failure page");
                // Forward response to page with error message.
                HttpServletRequest httpRequest = (HttpServletRequest)request;
                HttpServletResponse httpResponse = (HttpServletResponse)response;
                httpResponse.sendRedirect(httpRequest.getContextPath()
                                           + filterConfig.getInitParameter("failurePage"));
             }
          }
       }
       
       // Path is not identifiable or there is not declared constraints or everything is OK ...
       chain.doFilter(request, response);
    }
    
    /**
     * Called by the container to indicate to a filter that is being taken out
     * of service. Just release handles on <b>filterConfig</b> and <b>accessConfig</b>.
     */
    public void destroy(){
       this.filterConfig = null;
       this.accessConfig = null;
    }
    
    
    // Protected ----------------------------------------------------------------
    
    /**
     * Create and return a new Digester instance that has been initialized
     * to process Join security control configuration files and configure a
     * corresponding AccessControlConfig object (which must be pushed on to
     * the evaluation stack before parsing begins).
     */
    protected Digester initDigester(){
       // Create a new digester instance with standard capabilities.
       Digester digester = new Digester();
       digester.setValidating(false);
       digester.setNamespaceAware(true);
       digester.setUseContextClassLoader(true);
       digester.addRuleSet(new AccessControlRuleSet());
       
       // Return the completely configured Digester instance.
       return digester;
    }
    
    /**
     * Identify and return the path component (from the request URI) that
     * we will use to select an ActionConstraintConfig. If no such path can
     * be identified, create an error response and return <code>null</code>.
     * @param request The servlet request we are processing
     */
    protected String extractPath(HttpServletRequest request){
       // Try simplest thing ...
       String path = request.getPathInfo();
       if ((path != null) && (path.length() > 0))
          return (path);
       
       // Try something else ...
       path = request.getServletPath();
       int slash = path.lastIndexOf("/");
       int period = path.lastIndexOf(".");
       if ((period >= 0) && (period > slash))
          path = path.substring(0, period);
       
       return path;
    }
    
    /**
     * Extract a collection of required roles from the ActionContraintConfig.
     * Check if action constraint specifies constraints for the business operation
     * requested.
     * @param request The servlet request we are processing.
     * @param constraint The security control constraints related to requested action.
     * @return Collection of <code>org.figure8.join.security.RoleConfig</code>
     */
    protected Collection getRequiredRoles(HttpServletRequest request, ActionConstraintConfig constraint){
       // Is there any OperationConstraint for this operation ?
       OperationConstraintConfig opConstraint = constraint.findOperationConstraint(request.getParameter("op"));
       if (opConstraint != null)
          return opConstraint.getRoles();
       
       // Else simply return the roles associated with the action.
       return constraint.getRoles();
    }
 
 
    // Private ------------------------------------------------------------------
 
    /** Get the cache for roles or null if it is not available */
    private Cache getRoleNameToRoleCache(ServletContext ctx){
       // First, get the cacheAccessor.
       EternalCacheAccessor cacheAccessor = (EternalCacheAccessor)ctx.getAttribute(EternalCacheAccessor.CONTEXT_KEY);
       // Return cache or null if no accessor.
       if (cacheAccessor != null){
          return cacheAccessor.getCache(EternalCacheKeys.ROLE_NAME_TO_ROLE_KEY);
       }
       return null;
    }
 }