/**
    * This file Copyright (c) 2003-2011 Magnolia International
    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
    *
    *
    * This file is dual-licensed under both the Magnolia
    * Network Agreement and the GNU General Public License.
    * You may elect to use one or the other of these licenses.
    *
   * This file is distributed in the hope that it will be
   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
   * implied warranty of MERCHANTABILITY or FITNESS FOR A
   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
   * Redistribution, except as permitted by whichever of the GPL
   * or MNA you select, is prohibited.
   *
   * 1. For the GPL license (GPL), you can redistribute and/or
   * modify this file under the terms of the GNU General
   * Public License, Version 3, as published by the Free Software
   * Foundation.  You should have received a copy of the GNU
   * General Public License, Version 3 along with this program;
   * if not, write to the Free Software Foundation, Inc., 51
   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
   *
   * 2. For the Magnolia Network Agreement (MNA), this file
   * and the accompanying materials are made available under the
   * terms of the MNA which accompanies this distribution, and
   * is available at http://www.magnolia-cms.com/mna.html
   *
   * Any modifications to this file must keep this entire header
   * intact.
   *
   */
  package info.magnolia.jaas.sp.jcr;
  
  import info.magnolia.cms.core.Content;
  import info.magnolia.cms.security.MgnlUser;
  import info.magnolia.cms.security.MgnlUserManager;
  import info.magnolia.cms.security.SecuritySupport;
  import info.magnolia.cms.security.User;
  import info.magnolia.cms.security.UserManager;
  import info.magnolia.cms.security.auth.Entity;
  import info.magnolia.jaas.principal.EntityImpl;
  import info.magnolia.jaas.sp.AbstractLoginModule;
  import info.magnolia.jaas.sp.UserAwareLoginModule;
  import org.apache.commons.lang.StringUtils;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
  
  import javax.security.auth.login.FailedLoginException;
  import javax.security.auth.login.LoginException;
  import javax.security.auth.login.AccountNotFoundException;
  import javax.security.auth.login.AccountLockedException;
  
  import java.util.Calendar;
  import java.util.GregorianCalendar;
  import java.util.Iterator;
  import java.util.TimeZone;
  
  
  /**
   * Authentication module implementation using JCR to retrieve the users.
   * @author Sameer Charles $Id: JCRAuthenticationModule.java 49089 2011-09-08 14:00:30Z ochytil $
   */
  public class JCRAuthenticationModule extends AbstractLoginModule implements UserAwareLoginModule {
      private static final Logger log = LoggerFactory.getLogger(JCRAuthenticationModule.class);
  
      protected User user;
      
      /**
       * Get number of failed login attempts before locking account.
       */
      public int getMaxAttempts() {
          //Workaround until you can get realm from user (5.0).
          if (this.user instanceof MgnlUser) {
              Content node = ((MgnlUser) this.user).getUserNode();
              realm = StringUtils.substringBefore(StringUtils.substringAfter(node.getHandle(), "/"), "/");
          //If not supported by user manager then lockout is disabled.
          } else {
              return 0;
          }
          MgnlUserManager manager = (MgnlUserManager) SecuritySupport.Factory.getInstance().getUserManager(realm);
          return (int)manager.getMaxFailedLoginAttempts();
      }
  
      /**
       * Get time period for time lockout.
       */
      public long getTimeLock(){
          //Workaround until you can get realm from user (5.0).
          if (this.user instanceof MgnlUser) {
              Content node = ((MgnlUser) this.user).getUserNode();
              realm = StringUtils.substringBefore(StringUtils.substringAfter(node.getHandle(), "/"), "/");
          } else {
              //If not supported by user manager then lockout is disabled.
              return 0;
          }
          MgnlUserManager manager = (MgnlUserManager) SecuritySupport.Factory.getInstance().getUserManager(realm);
          return (long)manager.getLockTimePeriod();
     }    
 
     /**
      * Releases all associated memory.
      */
     public boolean release() {
         return true;
     }
 
     /**
      * Checks is the credentials exist in the repository.
      * @throws LoginException or specific subclasses (which will be handled further for user feedback)
      */
     public void validateUser() throws LoginException {
         initUser();
 
         if (this.user == null) {
             throw new AccountNotFoundException("User account " + this.name + " not found.");
         }
 
         if (!this.user.isEnabled()){
             throw new AccountLockedException("User account " + this.name + " is locked.");
         }
 
         matchPassword();
 
         if (!UserManager.ANONYMOUS_USER.equals(user.getName()) && user instanceof MgnlUser)
         {
             ((MgnlUser) user).setLastAccess();
         }
     }
 
     protected void initUser() {
         user = getUserManager().getUser(name);
     }
 
     protected void matchPassword() throws LoginException {
         if(getMaxAttempts() > 0 && !UserManager.ANONYMOUS_USER.equals(user.getName()) && getTimeLock() > 0){
             //Only MgnlUser is able to use lockout for time period like hard-lock (timeLock is higher than 0).
             Calendar currentTime = new GregorianCalendar(TimeZone.getDefault());
             Calendar lockTime = new GregorianCalendar(TimeZone.getDefault());
             MgnlUser mgnlUser = (MgnlUser) user;
             if(mgnlUser.getReleaseTime() != null){
                 lockTime.clear();
                 lockTime.setTime(mgnlUser.getReleaseTime().getTime());
             }
             if(lockTime.after(currentTime) && mgnlUser.getReleaseTime() != null){
                 throw new LoginException("User account " + this.name + " is locked until " + mgnlUser.getReleaseTime().getTime() + ".");
             }
         }
 
         String serverPassword = user.getPassword();
 
         if (StringUtils.isEmpty(serverPassword)) {
             throw new FailedLoginException("we do not allow users with no password");
         }
 
         if (!StringUtils.equals(serverPassword, new String(this.pswd))) {
 
             if (getMaxAttempts() > 0 && !UserManager.ANONYMOUS_USER.equals(user.getName())){
                 //Only MgnlUser is able to use lockout i.e. has maxAttempts higher than 0.
                 MgnlUser mgnlUser = (MgnlUser) user;
                 mgnlUser.setFailedLoginAttempts(mgnlUser.getFailedLoginAttempts() + 1);
 
                 //Hard lock
                 if (mgnlUser.getFailedLoginAttempts() >= getMaxAttempts() && getTimeLock() <= 0){
                     mgnlUser.setEnabled(false);
                     mgnlUser.setFailedLoginAttempts(0);
                     log.warn("Account " + this.name + " was locked due to high number of failed login attempts.");
                 //Lock for time period
                 }else if (mgnlUser.getFailedLoginAttempts() >= getMaxAttempts() && getTimeLock() > 0){
                     mgnlUser.setFailedLoginAttempts(0);
                     Calendar calendar = new GregorianCalendar(TimeZone.getDefault());
                     calendar.add(Calendar.MINUTE, (int)getTimeLock());
                     mgnlUser.setReleaseTime(calendar);
                     String minuteString = "minutes";
                     if(getTimeLock() == 1){
                         minuteString = "minute";
                     }
                     log.warn("Account " + this.name + " was locked for " + getTimeLock() + " " + minuteString + " due to high number of failed login attempts.");                    
                 }
             }
             throw new FailedLoginException("passwords do not match");
         }
         if(user instanceof MgnlUser){
             MgnlUser mgnlUser = (MgnlUser) user;
             if (getMaxAttempts() > 0 && !UserManager.ANONYMOUS_USER.equals(mgnlUser.getName()) && mgnlUser.getFailedLoginAttempts() > 0){
                 mgnlUser.setFailedLoginAttempts(0);
             }
         }
     }
 
     /**
      * Override this to support any configured/non-configured user manager.
      */
     public UserManager getUserManager() {
         SecuritySupport securitySupport = SecuritySupport.Factory.getInstance();
         return securitySupport.getUserManager(this.realm);
     }
 
     /**
      * Set user details.
      */
     public void setEntity() {
         EntityImpl entity = new EntityImpl();
         entity.addProperty(Entity.LANGUAGE, this.user.getLanguage());
         entity.addProperty(Entity.NAME, this.user.getName());
 
         String fullName = this.user.getProperty("title");
         if(fullName != null){
             entity.addProperty(Entity.FULL_NAME, fullName);
         }
         entity.addProperty(Entity.PASSWORD, new String(this.pswd));
         this.subject.getPrincipals().add(entity);
 
         collectGroupNames();
         collectRoleNames();
     }
 
     /**
      * Set access control list from the user, roles and groups.
      */
     public void setACL() {
     }
 
     /**
      * Extract all the configured roles from the given node. (which can be the user node or a group node)
      */
     public void collectRoleNames() {
         for (Iterator iter = this.user.getAllRoles().iterator(); iter.hasNext();) {
             addRoleName((String)iter.next());
         }
     }
 
     /**
      * Extract all the configured groups from the given node. (which can be the user node or a group node)
      */
     public void collectGroupNames() {
         for (Iterator iter = this.user.getAllGroups().iterator(); iter.hasNext();) {
             addGroupName((String) iter.next());
         }
     }
 
     public User getUser() {
         return user;
     }
 
 }