/**
    * This file Copyright (c) 2003-2015 Magnolia International
    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
    *
    *
    * This file is dual-licensed under both the Magnolia
    * Network Agreement and the GNU General Public License.
    * You may elect to use one or the other of these licenses.
    *
   * This file is distributed in the hope that it will be
   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
   * implied warranty of MERCHANTABILITY or FITNESS FOR A
   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
   * Redistribution, except as permitted by whichever of the GPL
   * or MNA you select, is prohibited.
   *
   * 1. For the GPL license (GPL), you can redistribute and/or
   * modify this file under the terms of the GNU General
   * Public License, Version 3, as published by the Free Software
   * Foundation.  You should have received a copy of the GNU
   * General Public License, Version 3 along with this program;
   * if not, write to the Free Software Foundation, Inc., 51
   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
   *
   * 2. For the Magnolia Network Agreement (MNA), this file
   * and the accompanying materials are made available under the
   * terms of the MNA which accompanies this distribution, and
   * is available at http://www.magnolia-cms.com/mna.html
   *
   * Any modifications to this file must keep this entire header
   * intact.
   *
   */
  package info.magnolia.cms.security;
  
  import info.magnolia.cms.core.Content;
  import info.magnolia.cms.core.HierarchyManager;
  import info.magnolia.cms.core.Path;
  import info.magnolia.context.MgnlContext;
  import info.magnolia.jcr.iterator.SameChildNodeTypeIterator;
  import info.magnolia.jcr.util.NodeTypes;
  import info.magnolia.repository.RepositoryConstants;
  
  import javax.jcr.Node;
  import javax.jcr.NodeIterator;
  import javax.jcr.PathNotFoundException;
  import javax.jcr.RepositoryException;
  import javax.jcr.Session;
  
  import org.apache.commons.lang3.StringUtils;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
  
  
  /**
   * Manages the users stored in the {@link info.magnolia.repository.RepositoryConstants#USER_ROLES} workspace.
   */
  public class MgnlRoleManager extends RepositoryBackedSecurityManager implements RoleManager {
  
      public static final String NODE_ACLROLES = "acl_userroles";
  
      private static final Logger log = LoggerFactory.getLogger(MgnlRoleManager.class);
  
      @Override
      public Role getRole(final String name) {
          return MgnlContext.doInSystemContext(new SilentSessionOp<MgnlRole>(getRepositoryName()) {
  
              @Override
              public MgnlRole doExec(Session session) throws RepositoryException {
                  Node roleNode = findPrincipalNode(name, MgnlContext.getJCRSession(getRepositoryName()));
                  if (roleNode == null) {
                      log.debug("can't find role [{}]", name);
                      return null;
                  }
                  return newRoleInstance(roleNode);
              }
  
              @Override
              public String toString() {
                  return "get role " + name;
              }
          });
      }
  
      @Override
      public Role createRole(String name) throws AccessDeniedException {
          return createRole(null, name);
      }
  
      /**
       * Create a new role in a specific folder without any security restrictions.
       *
       * @throws IllegalArgumentException if the name is not valid or if a group with this name already exists
       * @throws UnsupportedOperationException in case the role manager does not support this operation
       */
      @Override
      public Role createRole(final String path, final String name) throws AccessDeniedException {
          validateRoleName(name);
          return MgnlContext.doInSystemContext(new SilentSessionOp<MgnlRole>(getRepositoryName()) {
 
             @Override
             public MgnlRole doExec(Session session) throws RepositoryException {
                 String parentPath = StringUtils.defaultString(path, "/");
                 Node roleNode = session.getNode(parentPath).addNode(name, NodeTypes.Role.NAME);
                 final Node acls = roleNode.addNode(NODE_ACLROLES, NodeTypes.ContentNode.NAME);
                 // read only access to the role itself
                 Node acl = acls.addNode(Path.getUniqueLabel(session, acls.getPath(), "0"), NodeTypes.ContentNode.NAME);
                 acl.setProperty("path", roleNode.getPath());
                 acl.setProperty("permissions", Permission.READ);
 
                 session.save();
                 return newRoleInstance(roleNode);
             }
 
             @Override
             public String toString() {
                 return "create role " + name;
             }
         });
     }
 
     /**
      * @deprecated since 4.5
      */
     @Deprecated
     protected MgnlRole newRoleInstance(Content node) throws RepositoryException {
         return newRoleInstance(node.getJCRNode());
     }
 
     protected MgnlRole newRoleInstance(Node node) throws RepositoryException {
         return new MgnlRole(node.getName(), node.getIdentifier(), getACLs(node).values());
     }
 
     /**
      * @deprecated since 5.2
      */
     @Deprecated
     protected HierarchyManager getHierarchyManager() {
         return MgnlContext.getHierarchyManager(RepositoryConstants.USER_ROLES);
     }
 
     @Override
     public void removePermission(final Role role, final String workspace, final String path, final long permission) {
         MgnlContext.doInSystemContext(new SilentSessionOp<Object>(getRepositoryName()) {
 
             @Override
             public Object doExec(Session session) throws Throwable {
                 Node roleNode = session.getNodeByIdentifier(role.getId());
                 Node aclNode = getAclNode(roleNode, workspace);
                 NodeIterator children = new SameChildNodeTypeIterator(aclNode);
                 while (children.hasNext()) {
                     Node child = children.nextNode();
                     if (child.getProperty("path").getString().equals(path)) {
                         if (permission == MgnlRole.PERMISSION_ANY || child.getProperty("permissions").getLong() == permission) {
                             child.remove();
                         }
                     }
                 }
                 session.save();
                 return null;
             }
 
             @Override
             public String toString() {
                 return "add permission to role " + role.getName();
             }
         });
     }
 
     /**
      * Get the ACL node for the current role node.
      */
     private Node getAclNode(Node roleNode, String repository) throws RepositoryException, PathNotFoundException,
             AccessDeniedException {
         Node aclNode;
         if (!roleNode.hasNode("acl_" + repository)) {
             aclNode = roleNode.addNode("acl_" + repository, NodeTypes.ContentNode.NAME);
         } else {
             aclNode = roleNode.getNode("acl_" + repository);
         }
         return aclNode;
     }
 
     /**
      * Does this permission exist?
      */
     private boolean existsPermission(Node aclNode, String path, long permission) throws RepositoryException {
         NodeIterator children = aclNode.getNodes();
         while (children.hasNext()) {
             Node child = children.nextNode();
             if (child.hasProperty("path") && child.getProperty("path").getString().equals(path)) {
                 if (permission == MgnlRole.PERMISSION_ANY
                         || child.getProperty("permissions").getLong() == permission) {
                     return true;
                 }
             }
         }
         return false;
     }
 
     @Override
     public void addPermission(final Role role, final String workspace, final String path, final long permission) {
         MgnlContext.doInSystemContext(new SilentSessionOp<Object>(getRepositoryName()) {
 
             @Override
             public Object doExec(Session session) throws Throwable {
                 Node roleNode = session.getNodeByIdentifier(role.getId());
                 Node aclNode = getAclNode(roleNode, workspace);
                 if (!existsPermission(aclNode, path, permission)) {
                     String nodeName = Path.getUniqueLabel(session, aclNode.getPath(), "0");
                     Node node = aclNode.addNode(nodeName, NodeTypes.ContentNode.NAME);
                     node.setProperty("path", path);
                     node.setProperty("permissions", permission);
                     session.save();
                 }
                 return null;
             }
 
             @Override
             public String toString() {
                 return "remove permission from role " + role.getName();
             }
         });
     }
 
     /**
      * Helper method to find a role.
      * This will return null if role doesn't exist.
      */
     @Override
     protected Node findPrincipalNode(String principalName, Session session) throws RepositoryException {
         return findPrincipalNode(principalName, session, NodeTypes.Role.NAME);
     }
 
     @Override
     protected String getRepositoryName() {
         return RepositoryConstants.USER_ROLES;
     }
 
     @Override
     public String getRoleNameById(String string) {
         return getResourceName(string);
     }
 
     protected void validateRoleName(String name) throws AccessDeniedException {
         if (StringUtils.isBlank(name)) {
             throw new IllegalArgumentException(name + " is not a valid role name.");
         }
 
         Role role = Security.getRoleManager().getRole(name);
 
         if (role != null) {
             throw new IllegalArgumentException("Role with name " + name + " already exists.");
         }
     }
 }