/* ===================================================================
    * Copyright 2002-04 SRI International.
    * Released under the MOZILLA PUBLIC LICENSE Version 1.1
    * which can be obtained at http://www.mozilla.org/MPL/MPL-1.1.html
    * This software is distributed on an "AS IS"
    * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
    * See the License for the specific language governing rights and
    * limitations under the License.
    * =================================================================== */
  package com.sri.emo.controller;
  
  import com.jcorporate.expresso.core.controller.*;
  import com.jcorporate.expresso.core.db.DBException;
  import com.jcorporate.expresso.core.dbobj.RowSecuredDBObject;
  import com.jcorporate.expresso.core.misc.StringUtil;
  import com.jcorporate.expresso.core.registry.RequestRegistry;
  import com.jcorporate.expresso.services.dbobj.RowGroupPerms;
  import com.jcorporate.expresso.services.dbobj.RowPermissions;
  import com.jcorporate.expresso.services.dbobj.Setup;
  import com.jcorporate.expresso.services.dbobj.UserGroup;
  import com.sri.common.controller.AbstractDBController;
  import com.sri.common.taglib.InputTag;
  import com.sri.common.util.PermGroup;
  import com.sri.emo.dbobj.IViewable;
  
  import java.util.*;
  
  /***
   * Handle manipulation of permissions.
   *
   * @author larry hamel
   */
  public class PermissionController extends AbstractDBController {
      /***
  	 * 
  	 */
  	private static final long serialVersionUID = 1L;
  	public static final String PROMPT_EDIT_PERMS = "promptEditPerms";
      public static final String DO_EDIT_PERMS = "doEditPerms";
      public static final String PROMPT_EDIT_GROUP = "promptEditGroup";
      public static final String DO_EDIT_GROUP = "doEditGroup";
  
      /***
       * Name of incoming parameter which has values for key fields of RowSecuredDBObject, delimited by bar (|).
       */
      public static final String KEY_FIELD_VALUES = "key";
      public static final String OBJ_TYPE = "obj";
      public static final String ASSOC_CHK = "assoc";
      public static final String READ_CHK = "read";
      public static final String WRITE_CHK = "write";
      public static final String ADMIN_CHK = "admin";
      public static final String VIEW_TRANS = "viewTrans";
      public static final String DISABLED = "disabled";
  
      /***
       * Setup item in expresso schema for whether others (in unix sense--all other users)
       * can read always. DEFAULT TRUE.
       */
      public static final String OTHERS_READ_ALWAYS = "OthersRead";
  
      public PermissionController() {
          State state = new State(PROMPT_EDIT_PERMS, "Prompt to edit permissions");
          state.addRequiredParameter(KEY_FIELD_VALUES);
          state.addRequiredParameter(OBJ_TYPE);
          addState(state);
  
          state = new State(DO_EDIT_PERMS, "submit editing of permissions");
          state.addRequiredParameter(KEY_FIELD_VALUES);
          state.addRequiredParameter(OBJ_TYPE);
          addState(state);
  
          state = new State(PROMPT_EDIT_GROUP, "Prompt to edit group");
          state.addRequiredParameter(UserGroup.GROUP_NAME_FIELD);
          addState(state);
  
          state = new State(DO_EDIT_GROUP, "submit editing of group");
          state.addRequiredParameter(UserGroup.GROUP_NAME_FIELD);
          addState(state);
  
          setInitialState(PROMPT_EDIT_PERMS);
      }
  
      /***
       * Returns the title of this controller
       *
       * @return java.lang.String
       */
      public String getTitle() {
          return ("Permission Controller");
      }
  
      /***
       * Prompt for edits.
       *
       * @param request  The ControllerRequest object.
       * @param response The ControllerResponse object.
       * @throws com.jcorporate.expresso.core.controller.ControllerException
       *          upon error.
       */
     protected void runPromptEditPermsState(final ExpressoRequest request,
                                            final ExpressoResponse response) throws ControllerException, DBException {
         try {
             String allkeys = request.getParameter(KEY_FIELD_VALUES); // guaranteed by framework
             String objtype = request.getParameter(OBJ_TYPE); // guaranteed by framework
 
             RowSecuredDBObject obj = getObj(objtype, allkeys);
 
             // can this user administrate?  otherwise, we should be here
             if (!obj.canRequesterAdministrate()) {
                 throw new ControllerException(
                         "User: " + RequestRegistry.getUser().getLoginName() + " does not have administration privileges for object of type: "
                                 + obj.getClass().getName() + " with key: " + allkeys);
             }
 
             //Of the object is viewable create  a link to it.
             if (obj instanceof IViewable) {
                 Transition trans = ((IViewable) obj).getViewTrans();
                 trans.setName(VIEW_TRANS);
                 response.add(trans);
             }
 
             // info about all groups already associated
             Map associatedMap = getAssociatedGroupPermsHashWithAllusers(obj);
 
             // include info about other groups
             List groupsOfUsersMembership = RequestRegistry.getUser().getGroupsList();
 
             // listing groups: admin gets ALL groups; average user just gets list of groups in which s/he has membership
             List groupsForListing;
             if (request.getUserInfo().isAdmin()) {
                 List allgrps = UserGroup.getAllGroups();
                 groupsForListing = new ArrayList(allgrps.size());
                 for (Iterator iterator = allgrps.iterator(); iterator.hasNext();) {
                     UserGroup group = (UserGroup) iterator.next();
                     groupsForListing.add(group.getGroupName());
                 }
             } else {
                 groupsForListing = new ArrayList(groupsOfUsersMembership);
             }
 
             // we don't deal with these pseudo groups
             groupsForListing.remove(UserGroup.NOT_REG_USERS_GROUP);
             groupsForListing.remove(UserGroup.UNKNOWN_USERS_GROUP);
 
             // alphabetize
             TreeMap alphaMap = new TreeMap();
             for (Iterator iterator = groupsForListing.iterator(); iterator.hasNext();) {
                 String groupname = (String) iterator.next();
                 // an skip any group the user cannot read (yet why would they be a member?)
                 PermGroup grp = new PermGroup();
                 grp.setGroupName(groupname);
                 if (grp.canRequesterRead()) {
                     alphaMap.put(groupname, groupname);
                 }
             }
 
             // double-check that we always include ALL_USERS_GROUP
             alphaMap.put(UserGroup.ALL_USERS_GROUP, UserGroup.ALL_USERS_GROUP);
 
             // add rows to response for each group
             Block groupBlock = new Block(ROW_BLOCK);
             response.add(groupBlock);
             for (Iterator iterator = alphaMap.values().iterator(); iterator.hasNext();) {
                 String groupname = (String) iterator.next();
                 RowGroupPerms perms = (RowGroupPerms) associatedMap.get(groupname); // can be null
                 Block groupRow = null;
                 if (groupname.equals(UserGroup.ALL_USERS_GROUP)) {
                     // special handling: the object has a perms for OTHER, not saved as a group perm for grou "Everybody",
                     // but we display it as a group for 'everybody'; in other words, we translate obj perms into
                     // a pseudo group perm
                     if (perms == null) {
                         perms = new RowGroupPerms();
                     }
 
                     insertPrivForOTHER(obj, perms);
 
                     boolean othersReadAlways = othersReadAlways();
                     if (othersReadAlways) {
                         // set read as disabled--we always allow reading--user cannot turn off
                         groupRow = getGroupRow(perms, groupname);
                         Input read = (Input) groupRow.getInputs().get(0); // first one
                         read.setAttribute(DISABLED, DISABLED);
                     }
                 } else {
                     groupRow = getGroupRow(perms, groupname);
                 }
                 groupBlock.add(groupRow);
             }
 
             //Create the submit button.
             Transition submit = new Transition(DO_EDIT_PERMS, this);
             submit.setLabel("Update");
             submit.addParam(KEY_FIELD_VALUES, allkeys);
             submit.addParam(OBJ_TYPE, obj.getClass().getName());
             response.add(submit);
 
             // also put obj description and key
             response.add(new Output(OBJ_TYPE, obj.getMetaData().getDescription()));
             response.add(new Output(KEY_FIELD_VALUES, allkeys));
         } catch (Exception e) {
             throw new ControllerException(e);
         }
 
     }
 
     /***
      * Setup item in expresso schema for whether others (in unix sense--all
      * other users) can read always. DEFAULT TRUE.
      */
     public static boolean othersReadAlways() {
         boolean othersReadAlways = true; // default if no setting
         String othersReadSetting = Setup.getValueUnrequired(OTHERS_READ_ALWAYS);
         if (othersReadSetting != null && !StringUtil.toBoolean(othersReadSetting)) {
             othersReadAlways = false; // use setting
         }
         return othersReadAlways;
     }
 
     /***
      * including 'fake' Everybody reads
      *
      * @param obj The RowSecuredDBObject that is the source of the associated map.
      * @return sorted map of RowGroupPerms, with group name as key
      * @throws DBException upon RowSecured access error.
      */
     private Map getAssociatedGroupPermsHashWithAllusers(RowSecuredDBObject obj) throws DBException {
 
         Map associatedMap = getAssociatedGroupPermsHash(obj);
         // make sure ALL USERS included, since it is used for 'other' in row permissions
         if (associatedMap.get(UserGroup.ALL_USERS_GROUP) == null) {
             RowGroupPerms perms = new RowGroupPerms(obj, UserGroup.ALL_USERS_GROUP);
             insertPrivForOTHER(obj, perms);
             associatedMap.put(UserGroup.ALL_USERS_GROUP, perms);
         }
         return associatedMap;
     }
 
     /***
      * not including 'fake' Everybody reads
      *
      * @param obj The RowSecuredDBObject that is the source of the associated map.
      * @return sorted map of RowGroupPerms, with group name as key
      * @throws DBException upon RowSecured access error.
      */
     private Map getAssociatedGroupPermsHash(RowSecuredDBObject obj) throws DBException {
         List objGroups = obj.getGroups();
         TreeMap associatedMap = new TreeMap();
         // alphabetize
         for (Iterator iterator = objGroups.iterator(); iterator.hasNext();) {
             RowGroupPerms perms = (RowGroupPerms) iterator.next();
             PermGroup grp = new PermGroup();
             grp.setGroupName(perms.group());
             if (grp.canRequesterRead()) {
                 associatedMap.put(perms.group(), perms);
             }
         }
 
         return associatedMap;
     }
 
     /***
      * Insert privileges for "OTHER" from the object into this group,
      * ignoring whatever perms were in the group to begin with
      *
      * @param obj                 The RowSecuredDBobject to get perms from
      * @param grouppermsForOthers the group permissions to insert perms into
      * @throws DBException upon RowSecured access error.
      */
     private void insertPrivForOTHER(RowSecuredDBObject obj, RowGroupPerms grouppermsForOthers) throws DBException {
         int rowperms = obj.getPermissions().permissions();
         // rowperms for 'other' count for group perms for ALL_USERS
         boolean isRead = (rowperms & RowPermissions.OTHERS_READ_MASK) > 0 || othersReadAlways();
         boolean isWrite = (rowperms & RowPermissions.OTHERS_WRITE_MASK) > 0;
         boolean isAdmin = (rowperms & RowPermissions.OTHERS_PERMISSION_MASK) > 0;
 
         int grppermsInt = 0;
         if (isRead) {
             grppermsInt |= RowPermissions.GROUP_READ_MASK;
         }
         if (isWrite) {
             grppermsInt |= RowPermissions.GROUP_WRITE_MASK;
         }
 
         if (isAdmin) {
             grppermsInt |= RowPermissions.GROUP_PERMISSION_MASK;
         }
 
         grouppermsForOthers.permissions(grppermsInt);
     }
 
     private RowSecuredDBObject getObj(String objtype, String allkeys) throws InstantiationException,
             IllegalAccessException, ClassNotFoundException, ControllerException, DBException {
         RowSecuredDBObject obj = (RowSecuredDBObject) Class.forName(objtype).newInstance();
         int numkeys = obj.getMetaData().getAllKeysMap().size();
         String[] values = allkeys.split("//" + DELIMIT);
         if (values.length != numkeys) {
             throw new ControllerException(
                     "Got values: " + allkeys + " which does not correspond to number of keys expected: " + numkeys);
         }
         int i = 0;
         for (Iterator iterator = obj.getKeyFieldListIterator(); iterator.hasNext();) {
             String key = (String) iterator.next();
             obj.setField(key, values[i]);
             i++;
         }
 
         obj.retrieve();
         return obj;
     }
 
     /***
      * Get transition for editing permissions for this group.
      *
      * @param perms     pass in permissions for already-associated groups, null for not-associated groups
      * @param groupname The target group name.
      * @return the Group Row with checkboxes and edit transitions.
      * @throws DBException upon database error.
      */
     private Block getGroupRow(RowGroupPerms perms, String groupname) throws DBException {
         PermGroup grp = new PermGroup();
         grp.setGroupName(groupname);
         grp.retrieve();
 
         Block row = new Block(groupname);
 
         // note that these names for checkboxes will be APPENDED with group name in the JSP
         row.add(getCheckbox(READ_CHK, perms != null && perms.canGroupRead()));
         row.add(getCheckbox(WRITE_CHK, perms != null && perms.canGroupWrite()));
         row.add(getCheckbox(ADMIN_CHK, perms != null && perms.canGroupAdministrate()));
 
         // we use transition always, even if user cannot edit.  we use label in cases
         // where user cannot edit
         Transition trans = new Transition(PROMPT_EDIT_GROUP, this);
         trans.setLabel(groupname);
         trans.addParam(KEY_FIELD_VALUES, grp.getGroupName());
         trans.addParam(OBJ_TYPE, grp.getClass().getName());
         trans.addParam(UserGroup.GROUP_NAME_FIELD, groupname);
         row.add(trans);
 
         // can this user edit this group?
         if (grp.canRequesterAdministrate()) {
             trans.setAttribute(ROW, "Y");
         }
 
         return row;
     }
 
     private Input getCheckbox(String name, boolean checked) {
         Input input = new Input(name);
         input.setType(InputTag.TYPE_CHECKBOX);
         input.setDefaultValue(checked ? "Y" : "N");
         if (checked) {
             input.setAttribute(Input.SELECTED, "Y");
         }
         return input;
     }
 
 
     /***
      * Do for editing single pick item.
      *
      * @param request  The ControllerRequest object.
      * @param response The ControllerResponse object.
      * @throws com.jcorporate.expresso.core.controller.ControllerException
      *          upon error.
      */
     protected void runDoEditPermsState(final ExpressoRequest request, final ExpressoResponse response) throws
             ControllerException {
         try {
             String allkeys = request.getParameter(KEY_FIELD_VALUES); // guaranteed by framework
             String objtype = request.getParameter(OBJ_TYPE); // guaranteed by framework
 
             RowSecuredDBObject obj = getObj(objtype, allkeys);
 
             // info about all groups already associated
             Map oldAssociatedMap = getAssociatedGroupPermsHash(obj); // raw values; not including 'fake' Everybody reads
 
             // map for collecting checkmarks in Privs objects
             Map foundPermsMap = new HashMap(oldAssociatedMap.size());
 
             // collate checkmarks by groupname
             Iterator enumer = request.getAllParameters().keySet().iterator();
             while (enumer.hasNext()) {
                 String grpname = null;
                 String pkey = (String) enumer.next();
                 if (pkey.startsWith(READ_CHK)) {
                     grpname = pkey.substring(READ_CHK.length());
                     Privs privs = putPrivs(foundPermsMap, grpname);
                     privs.isRead = true;
                 }
                 if (pkey.startsWith(WRITE_CHK)) {
                     grpname = pkey.substring(WRITE_CHK.length());
                     Privs privs = putPrivs(foundPermsMap, grpname);
                     privs.isWrite = true;
                 }
                 if (pkey.startsWith(ADMIN_CHK)) {
                     grpname = pkey.substring(ADMIN_CHK.length());
                     Privs privs = putPrivs(foundPermsMap, grpname);
                     privs.isAdmin = true;
                 }
             }
 
             // add a row for 'everybody' in case perms have been removed
             putPrivs(foundPermsMap, UserGroup.ALL_USERS_GROUP);
 
             // compare with existing perms and add/update
             for (Iterator iterator = foundPermsMap.keySet().iterator(); iterator.hasNext();) {
                 String grpname = (String) iterator.next();
                 Privs privs = (Privs) foundPermsMap.get(grpname); // guaranteed to be found by iterator
 
                 // special handling for 'all users' group, which corresponds to
                 // rowpermission's OTHER
                 if (grpname.equals(UserGroup.ALL_USERS_GROUP)) {
                     RowPermissions rowperms = obj.getPermissions();
                     boolean othersReadAlways = othersReadAlways();
                     if (!othersReadAlways) {
                         othersReadAlways = privs.isRead;
                     }
                     // this writes to disk for obj perms
                     setRowPermsForOTHER(rowperms, othersReadAlways, privs.isWrite, privs.isAdmin);
                     // we don't write group perms--we save OTHER perms in object itself, above
                     continue;
                 }
 
                 // does this group already have perms saved?
                 RowGroupPerms perms = (RowGroupPerms) oldAssociatedMap.remove(grpname);
                 boolean isNew = false;
                 if (perms == null) {
                     isNew = true;
                     perms = new RowGroupPerms(obj.getJDBCMetaData().getTargetTable(), allkeys, grpname);
                 }
 
                 int permInt = perms.permissions();
 
                 // this writes to disk
                 setGroupPerms(privs.isRead, permInt, privs.isWrite, privs.isAdmin, perms, isNew);
             } // all associated groups
 
             // remove any groups which were unassociated, except ALL USERS
 //            oldAssociatedMap.remove(UserGroup.ALL_USERS_GROUP);
             for (Iterator iterator = oldAssociatedMap.values().iterator(); iterator.hasNext();) {
                 RowGroupPerms perms = (RowGroupPerms) iterator.next();
                 if (perms.find()) {
                     perms.delete(true);
                 }
             }
 
             // default is just index page of current servlet
             String viewUrl = "/" + getServlet().getServletContext().getServletContextName();
             if (obj instanceof IViewable) {
                 viewUrl = ((IViewable) obj).getViewTrans().getFullUrl();
             }
 
             redirectRequest(request, response, viewUrl);
         } catch (Exception e) {
             throw new ControllerException(e);
         }
     }
 
     private Privs putPrivs(Map foundPermsMap, String groupname) {
         Privs result = (Privs) foundPermsMap.get(groupname);
         if (result == null) {
             result = new Privs();
             foundPermsMap.put(groupname, result);
         }
         return result;
     }
 
     private void setGroupPerms(boolean read,
                                int permissions,
                                boolean write,
                                boolean admin,
                                RowGroupPerms perm,
                                boolean aNew) throws DBException {
         if (read) {
             permissions |= RowPermissions.GROUP_READ_MASK;
         } else {
             permissions &= ~RowPermissions.GROUP_READ_MASK;
         }
 
         if (write) {
             permissions |= RowPermissions.GROUP_WRITE_MASK;
         } else {
             permissions &= ~RowPermissions.GROUP_WRITE_MASK;
         }
 
         if (admin) {
             permissions |= RowPermissions.GROUP_PERMISSION_MASK;
         } else {
             permissions &= ~RowPermissions.GROUP_PERMISSION_MASK;
         }
 
         perm.permissions(permissions);
 
         if (aNew) {
             perm.add();
         } else {
             perm.update(true);
         }
     }
 
     /***
      * set perms for OTHER octet
      */
     private void setRowPermsForOTHER(
             RowPermissions rowperms, boolean read, boolean write, boolean admin) throws DBException {
         int permissions;
 
         permissions = rowperms.permissions();
         if (read) {
             permissions |= RowPermissions.OTHERS_READ_MASK;
         } else {
             permissions &= ~RowPermissions.OTHERS_READ_MASK;
         }
 
         if (write) {
             permissions |= RowPermissions.OTHERS_WRITE_MASK;
         } else {
             permissions &= ~RowPermissions.OTHERS_WRITE_MASK;
         }
 
         if (admin) {
             permissions |= RowPermissions.OTHERS_PERMISSION_MASK;
         } else {
             permissions &= ~RowPermissions.OTHERS_PERMISSION_MASK;
         }
 
         rowperms.permissions(permissions);
         rowperms.addOrUpdate();
     }
 
     /***
      * prompt editing of group; just reuses prompt edit for any RowSec object,
      * using a PermGroup, a wrapper on UserGroup
      *
      * @param request  The ControllerRequest object.
      * @param response The ControllerResponse object.
      * @throws com.jcorporate.expresso.core.controller.ControllerException
      *          upon error.
      */
     protected void runPromptEditGroupState(ControllerRequest request,
                                            ControllerResponse response) throws ControllerException {
         try {
             String grpname = request.getParameter(UserGroup.GROUP_NAME_FIELD);
             PermGroup grp = new PermGroup();
             grp.setGroupName(grpname);
             grp.retrieve();
 
             request.setParameter(KEY_FIELD_VALUES, grp.getKey());
             request.setParameter(OBJ_TYPE, grp.getClass().getName());
             runPromptEditPermsState(request, response);
 
         } catch (Exception e) {
             throw new ControllerException(e);
         }
     }
 }