/*
 *  Copyright 2016 Anyware Services
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package org.ametys.core.right;

import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;
import java.util.Map;
import java.util.Set;

import org.ametys.core.group.GroupIdentity;
import org.ametys.core.right.RightManager.RightResult;
import org.ametys.core.user.UserIdentity;

/**
 * This interface is for computing the rights a user has.
 */
public interface AccessController
{
    /**
     * The access result when looking for a right
     */
    public enum AccessResult
    {
        /* Note: the order of the values are important ! */
        
        /** If the user is allowed because the right is allowed for any anonymous user */
        ANONYMOUS_ALLOWED,
        /** If the user is directly denied */
        USER_DENIED,
        /** If the user is directly allowed */
        USER_ALLOWED,
        /** If the user is denied through its groups and not directly */
        GROUP_DENIED,
        /** If the user is allowed through its groups and not directly */
        GROUP_ALLOWED,
        /** If the user is denied because the right is denied for any connected user */
        ANY_CONNECTED_DENIED,
        /** If the user is allowed because the right is allowed for any connected user */
        ANY_CONNECTED_ALLOWED,
        /** If the user is denied because the right is denied for any anonymous user */
        ANONYMOUS_DENIED,
        /** Cannot determine */
        UNKNOWN;
        
        /**
         * Convert the value to an access result
         * @return denied enumerated will be converted to deny, allow to allow and unknown to unknown
         */
        public RightResult toRightResult()
        {
            switch (this)
            {
                case USER_DENIED:
                case GROUP_DENIED:
                case ANY_CONNECTED_DENIED:
                case ANONYMOUS_DENIED:
                    return RightResult.RIGHT_DENY;
                case USER_ALLOWED:
                case GROUP_ALLOWED:
                case ANY_CONNECTED_ALLOWED:
                case ANONYMOUS_ALLOWED:
                    return RightResult.RIGHT_ALLOW;
                case UNKNOWN:
                default:
                    return RightResult.RIGHT_UNKNOWN;
            }
        }
        
        /**
         * Merge several access results to keep only the more important
         * @param accessResults The access results to merge. Cannot be null but can be empty.
         * @return The more important access result
         */
        public static AccessResult merge(Collection<AccessResult> accessResults)
        {
            return accessResults.stream().filter(r -> r != null).min(Comparator.naturalOrder()).orElse(AccessResult.UNKNOWN);
        }
        
        /**
         * Merge several access results to keep only the more important
         * @param accessResults The access results to merge. Cannot be null but can be empty.
         * @return The more important access result
         */
        public static AccessResult merge(AccessResult... accessResults)
        {
            return Arrays.stream(accessResults).filter(r -> r != null).min(Comparator.naturalOrder()).orElse(AccessResult.UNKNOWN);
        }

    }
    
    /**
     * Gets the kind of access a user has on an object for a given right
     * @param user The user. Cannot be null.
     * @param userGroups The groups the user belongs to
     * @param rightId The id of the right of the user
     * @param object The context object to check the access
     * @return the kind of access a user has on an object for a right
     */
    public AccessResult getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object);

    /**
     * Gets the kind of access a user has on an object for thye read access
     * @param user The user. Cannot be null.
     * @param userGroups The groups the user belongs to
     * @param object The context object to check the access
     * @return the kind of access a user has on an object for the read access
     */
    public AccessResult getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object);

    /**
     * Gets the kind of access a user has on an object for all rights
     * @param user The user. Cannot be null.
     * @param userGroups The groups the user belongs to
     * @param object The context object to check the access
     * @return the kind of access a user has on an object for all rights
     */
    public Map<String, AccessResult> getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object);
    
    /**
     * Gets the permission for Anonymous only on an object for a given right
     * @param rightId The id of the right to check
     * @param object The object
     * @return the permission for Anonymous only on an object for a given right
     */
    public AccessResult getPermissionForAnonymous(String rightId, Object object);
    
    /**
     * Gets the read access permission for Anonymous only on an object
     * @param object The object
     * @return the read access permission for Anonymous only on an object
     */
    public AccessResult getReadAccessPermissionForAnonymous(Object object);
    
    /**
     * Gets the permission for any connected user only on an object for a given right
     * @param rightId The id of the right to check
     * @param object The object
     * @return the permission for any connected user only on an object for a given right
     */
    public AccessResult getPermissionForAnyConnectedUser(String rightId, Object object);

    /**
     * Gets the read access permission for any connected user only on an object
     * @param object The object
     * @return the read access permission for any connected user only on an object
     */
    public AccessResult getReadAccessPermissionForAnyConnectedUser(Object object);

    /**
     * Gets the permission by user only on an object for the given right. It does not take account of the groups of the user, etc.
     * @param rightId The id of the right to check
     * @param object The object
     * @return the permission by user only on an object for the given right
     */
    public Map<UserIdentity, AccessResult> getPermissionByUser(String rightId, Object object);

    /**
     * Gets the read access permission by user only on an object. It does not take account of the groups of the user, etc.
     * @param object The object
     * @return the read access permission by user only on an object
     */
    public Map<UserIdentity, AccessResult> getReadAccessPermissionByUser(Object object);
    
    /**
     * Gets the permission by group only on an object for the given right.
     * @param rightId The id of the right to check
     * @param object The object
     * @return the permission by group only on an object for the given right
     */
    public Map<GroupIdentity, AccessResult> getPermissionByGroup(String rightId, Object object);
    
    /**
     * Gets the read access permission by group only on an object.
     * @param object The object
     * @return the read access permission by group only on an object
     */
    public Map<GroupIdentity, AccessResult> getReadAccessPermissionByGroup(Object object);
    
    /**
     * Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.<br>
     * @param workspacesContexts The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}
     * @param user The user
     * @param userGroups The groups
     * @param rightId The id of the right to check
     * @return true if the user has a permission on at least one object, directly or though groups, for a given right
     */
    public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId);
    
    /**
     * Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.<br>
     * @param workspacesContexts The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}
     * @param user The user
     * @param userGroups The groups
     * @return true if the user has a permission on at least one object, directly or though groups, for a given right
     */
    public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups);
    
    /**
     * Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.<br>
     * @param workspacesContexts The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}
     * @param rightId The id of the right to check
     * @return true if anonymous has a permission on at least one object, directly or though groups, for a given right
     */
    public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId);
    
    /**
     * Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.<br>
     * @param workspacesContexts The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}
     * @return true if anonymous has a permission on at least one object, directly or though groups, for a given right
     */
    public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts);
    
    /**
     * Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.<br>
     * @param workspacesContexts The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}
     * @param rightId The id of the right to check
     * @return true if any connected user has a permission on at least one object, directly or though groups, for a given right
     */
    public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId);
    
    /**
     * Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.<br>
     * @param workspacesContexts The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}
     * @return true if any connected user has a permission on at least one object, directly or though groups, for a given right
     */
    public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts);
    
    /**
     * Returns true if this access controller supports the given object
     * @param object The object to test
     * @return true if this accessc controller supports the given object
     */
    public boolean isSupported(Object object);
}