/*
 *  Copyright 2015 Anyware Services
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package org.ametys.web.pageaccess;

import java.util.Collection;
import java.util.Set;

import org.apache.avalon.framework.component.Component;
import org.apache.avalon.framework.logger.AbstractLogEnabled;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;

import org.ametys.cms.repository.Content;
import org.ametys.core.group.GroupIdentity;
import org.ametys.core.right.AllowedUsers;
import org.ametys.core.right.ProfileAssignmentStorageExtensionPoint;
import org.ametys.core.right.RightManager;
import org.ametys.core.user.CurrentUserProvider;
import org.ametys.core.user.UserIdentity;
import org.ametys.web.repository.content.WebContent;
import org.ametys.web.repository.page.Page;

/**
 * Class managing access to contents on the front-office side.
 */
public class ContentAccessManager extends AbstractLogEnabled implements Component, Serviceable
{
    
    /**
     * Enumeration representing a content access status.
     */
    public enum ContentAccess 
    {
        /**
         * The content can be viewed by all users because of one of these reasons:
         * <ul>
         *   <li>it appears on a public page</li>
         *   <li>it doesn't appear on any page (orphan content) but its sitemap is freely accessible</li>
         * </ul>
         */
        UNRESTRICTED,
        
        /**
         * The content appears on pages with limited access, and the given user can access at least one.
         */
        ALLOWED,
        
        /**
         * The content appears on pages with limited access, but the given user can't access any.
         */
        FORBIDDEN
    }
    
    /** The component role. */
    public static final String ROLE = ContentAccessManager.class.getName();
    
    /** The right manager */
    protected RightManager _rightManager;
    
    /** The current user provider */
    protected CurrentUserProvider _currentUserProvider;
    
    /** The component handling profile storage */
    protected ProfileAssignmentStorageExtensionPoint _profileAssignmentStorageEP;
    
    @Override
    public void service(ServiceManager manager) throws ServiceException
    {
        _rightManager = (RightManager) manager.lookup(RightManager.ROLE);
        _currentUserProvider = (CurrentUserProvider) manager.lookup(CurrentUserProvider.ROLE);
        _profileAssignmentStorageEP = (ProfileAssignmentStorageExtensionPoint) manager.lookup(ProfileAssignmentStorageExtensionPoint.ROLE);
    }
    
    /**
     * Get the access status of a content, from the user currently connected to the front-office.
     * @param content the content to test.
     * @return the content access status.
     */
    public ContentAccess getAccess(Content content)
    {
        return getAccess(content, true);
    }
    
    /**
     * Get the access status of a content, from the user currently connected to the front-office.
     * @param content the content to test.
     * @param checkUser When true, the user's ability to view the page will be checked
     * ({@link ContentAccess#ALLOWED} may be returned).<br>
     * When false, only the content general availability will be checked: {@link ContentAccess#ALLOWED} will never be returned.
     * @return the content access status.
     */
    public ContentAccess getAccess(Content content, boolean checkUser)
    {
        return getAccess(content, _currentUserProvider.getUser(), checkUser);
    }
    
    /**
     * Get the access status of a content from a given user.
     * @param content the content to test.
     * @param userIdentity the user identity, can be null (to test anonymous access).
     * @return the content access status.
     */
    public ContentAccess getAccess(Content content, UserIdentity userIdentity)
    {
        return getAccess(content, userIdentity, true);
    }
    
    /**
     * Get the access status of a content from a given user.
     * The user access is check ONLY on the content's pages. Has read access on content is not enough ! 
     * @param content the content to test.
     * @param userIdentity the user identity, can be null (to test anonymous access).
     * @param checkUser When true, the user's ability to view the page will be checked
     * ({@link ContentAccess#ALLOWED} may be returned).<br>
     * When false, only the content general availability will be checked: {@link ContentAccess#ALLOWED} will never be returned.
     * @return the content access status.
     */
    public ContentAccess getAccess(Content content, UserIdentity userIdentity, boolean checkUser)
    {
        if (!(content instanceof WebContent))
        {
            return _getContentAccess(content, userIdentity, checkUser);
        }
        
        WebContent webContent = (WebContent) content;
        Collection<Page> contentPages = webContent.getReferencingPages();
        
        // Test the restrictions.
        if (contentPages.isEmpty())
        {
            return _getContentAccess(content, userIdentity, checkUser);
        }
        else
        {
            for (Page page : contentPages)
            {
                // If the content is present in a page that is not restricted, it's visible by all.
                if (_rightManager.hasAnonymousReadAccess(page))
                {
                    return ContentAccess.UNRESTRICTED;
                }
                
                // If the user is allowed to see at least one page containing the content, he can access the content.
                if (checkUser && _rightManager.hasReadAccess(userIdentity, page))
                {
                    return ContentAccess.ALLOWED;
                }
            }
        }
        
        return ContentAccess.FORBIDDEN;
    }
    
    private ContentAccess _getContentAccess(Content content, UserIdentity userIdentity, boolean checkUser)
    {
        // Returns content access regardless of its pages.
        
        if (_rightManager.hasAnonymousReadAccess(content))
        {
            return ContentAccess.UNRESTRICTED;
        }
        
        return checkUser && _rightManager.hasReadAccess(userIdentity, content) ? ContentAccess.ALLOWED : ContentAccess.FORBIDDEN;
    }
    
    /**
     * Test if the content is displayed in a page having the same access rights as the current page.
     * @param content the web content.
     * @param currentPage the current page.
     * @return true if the content is accessible, false otherwise.
     */
    public boolean isAccessibleByPage(WebContent content, Page currentPage)
    {
        if (!_rightManager.hasAnonymousReadAccess(currentPage))
        {
            AllowedUsers currentUsersWithReadAccess = _rightManager.getReadAccessAllowedUsers(currentPage);
            boolean currentAllowAnyConnectedUser = currentUsersWithReadAccess.isAnyConnectedUserAllowed();
            Set<UserIdentity> currentAllowedUsers = currentUsersWithReadAccess.getAllowedUsers();
            Set<GroupIdentity> currentAllowedGroups = currentUsersWithReadAccess.getAllowedGroups();
            Set<UserIdentity> currentDeniedUsers = currentUsersWithReadAccess.getDeniedUsers();
            Set<GroupIdentity> currentDeniedGroups = currentUsersWithReadAccess.getDeniedGroups();
            
            Collection<Page> refPages = content.getReferencingPages();
            if (!refPages.isEmpty())
            {
                for (Page referencingPage : refPages)
                {
                    if (!_rightManager.hasAnonymousReadAccess(referencingPage))
                    {
                        AllowedUsers refUsersWithReadAccess = _rightManager.getReadAccessAllowedUsers(referencingPage);
                        boolean refAllowAnyConnectedUser = refUsersWithReadAccess.isAnyConnectedUserAllowed();
                        Set<UserIdentity> refAllowedUsers = refUsersWithReadAccess.getAllowedUsers();
                        Set<GroupIdentity> refAllowedGroups = refUsersWithReadAccess.getAllowedGroups();
                        Set<UserIdentity> refDeniedUsers = refUsersWithReadAccess.getDeniedUsers();
                        Set<GroupIdentity> refDeniedGroups = refUsersWithReadAccess.getDeniedGroups();
                        
                        if ((refAllowAnyConnectedUser || (!currentAllowAnyConnectedUser && refAllowedUsers.containsAll(currentAllowedUsers) && refAllowedGroups.containsAll(currentAllowedGroups)))
                                && currentDeniedUsers.containsAll(refDeniedUsers) && currentDeniedGroups.containsAll(refDeniedGroups))
                        {
                            // The content is referenced by a page either accessible either to all connected users
                            // or restricted to the same population as the current page: display the content.
                            return true;
                        }
                    }
                    else
                    {
                        // The content is referenced by a public page: display the content.
                        return true;
                    }
                }
                
                // The content isn't referenced by a page with the same access: do not display the content.
                return false;
            }
            else
            {
                // Orphan content
                if (!_rightManager.hasAnonymousReadAccess(content))
                {
                    AllowedUsers refUsersWithReadAccess = _rightManager.getReadAccessAllowedUsers(content);
                    boolean refAllowAnyConnectedUser = refUsersWithReadAccess.isAnyConnectedUserAllowed();
                    Set<UserIdentity> refAllowedUsers = refUsersWithReadAccess.getAllowedUsers();
                    Set<GroupIdentity> refAllowedGroups = refUsersWithReadAccess.getAllowedGroups();
                    Set<UserIdentity> refDeniedUsers = refUsersWithReadAccess.getDeniedUsers();
                    Set<GroupIdentity> refDeniedGroups = refUsersWithReadAccess.getDeniedGroups();
                    
                    // Check if the content is accessible to all connected users
                    // or restricted to the same population as the current page: display the content.
                    return (refAllowAnyConnectedUser || (!currentAllowAnyConnectedUser && refAllowedUsers.containsAll(currentAllowedUsers) && refAllowedGroups.containsAll(currentAllowedGroups)))
                            && currentDeniedUsers.containsAll(refDeniedUsers) && currentDeniedGroups.containsAll(refDeniedGroups);
                }
                else
                {
                    // The content is anonymous read access: display the content.
                    return true;
                }
            }
        }
        else
        {
            // The current page is not restricted: display only unrestricted contents
            // N.B: the current user's right are *NOT* tested, as in this mode, the results are cached.
            return getAccess(content, null, false) == ContentAccess.UNRESTRICTED;
        }
    }
}