/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.usergrid.security.shiro.principals;


import com.google.common.collect.HashBiMap;
import org.apache.commons.lang.StringUtils;
import org.apache.usergrid.management.*;
import org.apache.usergrid.persistence.EntityManagerFactory;
import org.apache.usergrid.security.shiro.Realm;
import org.apache.usergrid.security.shiro.UsergridAuthorizationInfo;
import org.apache.usergrid.security.shiro.utils.SubjectUtils;
import org.apache.usergrid.security.tokens.TokenService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.Map;
import java.util.UUID;

import static org.apache.usergrid.security.shiro.utils.SubjectUtils.getPermissionFromPath;


public class AdminUserPrincipal extends UserPrincipal {
    private static final Logger logger = LoggerFactory.getLogger(AdminUserPrincipal.class);

    /**
     * Needed for Jackson, do not remove
     */
    public AdminUserPrincipal() {
    }

    public AdminUserPrincipal( UUID managementAppId, UserInfo user ) {
        super( managementAppId, user );
    }

    @Override
    public void grant(
        UsergridAuthorizationInfo info,
        EntityManagerFactory emf,
        ManagementService management,
        TokenService tokens) {

        // AdminUserPrincipals are through basic auth and sessions
        // They have access to organizations and organization
        // applications

        UserInfo user = this.getUser();

        Map<UUID, String> organizationSet = HashBiMap.create();
        Map<UUID, String> applicationSet = HashBiMap.create();
        OrganizationInfo organization = null;
        ApplicationInfo application = null;

        boolean superUserEnabled = false;
        final String s = management.getProperties().getProperty(
            AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_ALLOWED);
        if ( s != null && "true".equalsIgnoreCase(s.trim())) {
            superUserEnabled = true;
        }

        String superUser = management.getProperties().getProperty(
            AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_NAME);

        if ( superUserEnabled && ( superUser != null ) && superUser.equals( user.getUsername() ) ) {

            // The system user has access to everything

            role(info, Realm.ROLE_SERVICE_ADMIN);
            role(info, Realm.ROLE_ORGANIZATION_ADMIN);
            role(info, Realm.ROLE_APPLICATION_ADMIN);
            role(info, Realm.ROLE_ADMIN_USER);

            grant(info, "system:access");

            grant(info, "organizations:admin,access,get,put,post,delete:*");
            grant(info, "applications:admin,access,get,put,post,delete:*");
            grant(info, "organizations:admin,access,get,put,post,delete:*:/**");
            grant(info, "applications:admin,access,get,put,post,delete:*:/**");
            grant(info, "users:access:*");

            grant(info, SubjectUtils.getPermissionFromPath(emf.getManagementAppId(), "access"));

            grant(info, SubjectUtils.getPermissionFromPath(emf.getManagementAppId(), "get,put,post,delete", "/**"));

            // don't need to load organizations here for superuser/sysadmin because it has access to everything
        }

        else {

            // For regular service users, we find what organizations
            // they're associated with
            // An service user can be associated with multiple
            // organizations

            grant( info, getPermissionFromPath( emf.getManagementAppId(), "access" ) );

            // admin users cannot access the management app directly
            // so open all permissions
            grant( info, getPermissionFromPath(emf.getManagementAppId(), "get,put,post,delete", "/**") );

            role(info, Realm.ROLE_ADMIN_USER);

            try {

                Map<UUID, String> userOrganizations = management.getOrganizationsForAdminUser(user.getUuid());

                if ( userOrganizations != null ) {
                    for ( UUID id : userOrganizations.keySet() ) {
                        grant( info, "organizations:admin,access,get,put,post,delete:" + id );
                    }
                    organizationSet.putAll( userOrganizations );

                    Map<UUID, String> userApplications =
                        management.getApplicationsForOrganizations( userOrganizations.keySet() );
                    if ( ( userApplications != null ) && !userApplications.isEmpty() ) {
                        grant( info, "applications:admin,access,get,put,post,delete:" + StringUtils
                            .join(userApplications.keySet(), ',') );
                        applicationSet.putAll( userApplications );
                    }

                    role( info, Realm.ROLE_ORGANIZATION_ADMIN );
                    role( info, Realm.ROLE_APPLICATION_ADMIN );
                }
            }
            catch ( Exception e ) {
                logger.error( "Unable to construct admin user permissions", e );
            }
        }

        info.setOrganization(organization);
        info.addOrganizationSet(organizationSet);
        info.setApplication(application);
        info.addApplicationSet(applicationSet);
    }
}