package diskCacheV111.services.space;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.Subject;

import diskCacheV111.util.VOInfo;

import org.dcache.auth.FQAN;
import org.dcache.auth.FQANPrincipal;
import org.dcache.auth.Subjects;

public class SimpleSpaceManagerAuthorizationPolicy
        implements SpaceManagerAuthorizationPolicy {
	private static final Logger logger =
            LoggerFactory.getLogger(SimpleSpaceManagerAuthorizationPolicy.class);

    @Override
    public void checkReleasePermission(Subject subject, Space space)
        throws SpaceAuthorizationException {
        String spaceGroup = space.getVoGroup();
        String spaceRole  = space.getVoRole();

        if (spaceGroup != null) {
            if (spaceRole == null) {
                if (spaceGroup.equals(Subjects.getUserName(subject))) {
                    logger.debug("Subject with user name {} has permission to release space {}",
                                 Subjects.getUserName(subject), space);
                    return;
                }

                try {
                    long authorisedGid = Long.parseLong(spaceGroup);

                    if (Subjects.hasGid(subject, authorisedGid)) {
                        logger.debug("Subject with gid {} has permission to release space {}",
                                authorisedGid, space);
                        return;
                    }
                } catch (NumberFormatException e) {
                    // It is OK for spaceGroup not to be a valid Long.
                }
            }

            for (FQANPrincipal principal : subject.getPrincipals(FQANPrincipal.class)) {
                FQAN fqan = principal.getFqan();
                if (spaceGroup.equals(fqan.getGroup()) && (spaceRole == null || spaceRole.equals(fqan.getRole()))) {
                    logger.debug("Subject with fqan {} has permission to release space {}",
                                 fqan, space);
                    return;
                }
            }
        }

        throw new SpaceAuthorizationException("Subject " + subject.getPrincipals() +
                " has no permission to release " + space);
    }

    @Override
    public VOInfo checkReservePermission(Subject subject, LinkGroup linkGroup)
        throws SpaceAuthorizationException {
        for (VOInfo voInfo: linkGroup.getVOs()) {
            String userName = Subjects.getUserName(subject);
            if (userName != null && voInfo.match(userName, null)) {
                logger.debug("Subject with user name {} has permission to reserve {}", userName, linkGroup);
                return new VOInfo(userName, null);
            }

            for (long gid : Subjects.getGids(subject)) {
                if (voInfo.match(Long.toString(gid), null)) {
                    logger.debug("Subject with gid {} has permission to reserve {}", gid, linkGroup);
                    return new VOInfo(Long.toString(gid), null);
                }
            }

            for (FQANPrincipal principal : subject.getPrincipals(FQANPrincipal.class)) {
                FQAN fqan = principal.getFqan();

                if (voInfo.match(fqan.getGroup(), fqan.getRole())) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Subject with FQAN {} has permission to reserve {}", fqan, linkGroup);
                    }
                    return new VOInfo(fqan.getGroup(), fqan.getRole());
                }
            }
        }
        throw new SpaceAuthorizationException("Subject " + subject.getPrincipals() +
                " has no permission to reserve in " + linkGroup);
    }
}