/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions Copyright [year] [name of copyright owner]".
 *
 * Copyright 2008 Sun Microsystems, Inc.
 * Portions Copyright 2011-2016 ForgeRock AS.
 */
package org.opends.server.authorization.dseecompat;

import static org.opends.server.authorization.dseecompat.Aci.*;
import static org.opends.server.authorization.dseecompat.AciHandler.*;
import static org.opends.server.util.ServerConstants.*;

import java.net.InetAddress;
import java.security.cert.Certificate;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;

import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.DN;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.Group;
import org.opends.server.controls.GetEffectiveRightsRequestControl;
import org.opends.server.core.AddOperation;
import org.opends.server.core.SearchOperation;
import org.opends.server.protocols.ldap.LDAPClientConnection;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.opends.server.types.*;

/**
 *  The AciContainer class contains all of the needed information to perform
 *  both target match and evaluate an ACI. Target matching is the process
 *  of testing if an ACI is applicable to an operation, and evaluation is
 *  the actual access evaluation of the ACI.
 */
public abstract class AciContainer
implements AciTargetMatchContext, AciEvalContext {

    /**
     * The allow and deny lists.
     */
    private List<Aci> denyList, allowList;

    /**
     * The attribute type in the resource entry currently being evaluated.
     */
    private AttributeType attributeType;

    /**
     * The attribute type value in the resource entry currently being
     * evaluated.
     */
    private ByteString attributeValue;

    /**
     * True if this is the first attribute type in the resource entry being
     * evaluated.
     */
    private boolean isFirst;

    /**
     * True if an entry test rule was seen during target matching of an ACI
     * entry. A entry test rule is an ACI with targetattrs target keyword.
     */
    private boolean isEntryTestRule;

    /**
     * The right mask to use in the evaluation of the LDAP operation.
     */
    private int rightsMask;

    /**
     * The entry being evaluated (resource entry).
     */
    private Entry resourceEntry;

    /**
     * The client connection information.
     */
    private final ClientConnection clientConnection;

    /**
     * The operation being evaluated.
     */
    private final Operation operation;

    /**
     * True if a targattrfilters match was found.
     */
    private boolean targAttrFiltersMatch;

    /**
     * The authorization entry currently being evaluated. If proxied
     * authorization is being used and the handler is doing a proxy access
     * check, then this entry will switched to the original authorization entry
     * rather than the proxy ID entry. If the check succeeds, it will be
     * switched back for non-proxy access checking. If proxied authentication
     * is not being used then this entry never changes.
     */
    private Entry authorizationEntry;

    /**
     * True if proxied authorization is being used.
     */
    private boolean proxiedAuthorization;

    /**
     * Used by proxied authorization processing. True if the entry has already
     * been processed by an access proxy check. Some operations might perform
     * several access checks on the same entry (modify DN), this
     * flag is used to bypass the proxy check after the initial evaluation.
     */
    private boolean seenEntry;

    /**
     *  True if geteffectiverights evaluation is in progress.
     */
    private boolean isGetEffectiveRightsEval;

    /**
     *  True if the operation has a geteffectiverights control.
     */
    private boolean hasGetEffectiveRightsControl;

    /**
     * The geteffectiverights authzID in DN format.
     */
    private DN authzid;

    /**
     * True if the authZid should be used as the client DN, only used in
     * geteffectiverights evaluation.
     */
    private boolean useAuthzid;

    /**
     * The list of specific attributes to get rights for, in addition to
     * any attributes requested in the search.
     */
    private List<AttributeType> specificAttrs;

    /**
     * Table of ACIs that have targattrfilter keywords that matched. Used
     * in geteffectiverights attributeLevel write evaluation.
     */
    private final HashMap<Aci,Aci> targAttrFilterAcis = new HashMap<>();

    /**
     * The name of a ACI that decided an evaluation and contained a
     * targattrfilter keyword. Used in geteffectiverights attributeLevel
     * write evaluation.
     */
    private String targAttrFiltersAciName;

    /**
     * Value that is used to store the allow/deny result of a deciding ACI
     * containing a targattrfilter keyword.  Used in geteffectiverights
     * attributeLevel write evaluation.
     */
    private int targAttrMatch;

    /**
     * The ACI that decided the last evaluation. Used in geteffectiverights
     * loginfo processing.
     */
    private Aci decidingAci;

    /**
     * The reason the last evaluation decision was made. Used both
     * in geteffectiverights loginfo processing and attributeLevel write
     * evaluation.
     */
    private EnumEvalReason evalReason;

    /**
     * A summary string holding the last evaluation information in textual
     * format. Used in geteffectiverights loginfo processing.
     */
    private String summaryString;

   /**
    * Flag used to determine if ACI all attributes target matched.
    */
    private int evalAllAttributes;

   /**
    * String used to hold a control OID string.
    */
    private String controlOID;

   /**
    * String used to hold an extended operation OID string.
    */
    private String extOpOID;

    /**
     * AuthenticationInfo class to use.
     */
    private AuthenticationInfo authInfo;

  /**
     * This constructor is used by all currently supported LDAP operations
     * except the generic access control check that can be used by
     * plugins.
     *
     * @param operation The Operation object being evaluated and target
     * matching.
     *
     * @param rights The rights array to use in evaluation and target matching.
     *
     * @param entry The current entry being evaluated and target matched.
     */
    protected AciContainer(Operation operation, int rights, Entry entry) {
      this.resourceEntry=entry;
      this.operation=operation;
      this.clientConnection=operation.getClientConnection();
      this.authInfo = clientConnection.getAuthenticationInfo();

      //If the proxied authorization control was processed, then the operation
      //will contain an attachment containing the original authorization entry.
      final Entry origAuthorizationEntry = (Entry) operation.getAttachment(ORIG_AUTH_ENTRY);
      this.proxiedAuthorization = origAuthorizationEntry != null;
      this.authorizationEntry=operation.getAuthorizationEntry();

      //The ACI_READ right at constructor time can only be the result of the
      //AciHandler.filterEntry method. This method processes the
      //geteffectiverights control, so it needs to check for it.  There are
      //two other checks done, because the resource entry passed to that method
      //is filtered (it may not contain enough attribute information
      //to evaluate correctly). See the the comments below.
      if (rights == ACI_READ) {
        //Checks if a geteffectiverights control was sent and
        //sets up the structures needed.
        GetEffectiveRightsRequestControl getEffectiveRightsControl =
              (GetEffectiveRightsRequestControl)
                      operation.getAttachment(OID_GET_EFFECTIVE_RIGHTS);
        if (getEffectiveRightsControl != null
            && operation instanceof SearchOperation)
        {
          hasGetEffectiveRightsControl = true;
          if (getEffectiveRightsControl.getAuthzDN() == null) {
            this.authzid = getClientDN();
          } else {
            this.authzid = getEffectiveRightsControl.getAuthzDN();
          }
          this.specificAttrs = getEffectiveRightsControl.getAttributes();
        }

        //If an ACI evaluated because of an Targetattr="*", then the
        //AciHandler.maySend method signaled this via adding this attachment
        //string.
        String allUserAttrs=
                  (String)operation.getAttachment(ALL_USER_ATTRS_MATCHED);
        if(allUserAttrs != null)
        {
          evalAllAttributes |= ACI_USER_ATTR_STAR_MATCHED;
        }
        //If an ACI evaluated because of an Targetattr="+", then the
        //AciHandler.maySend method signaled this via adding this attachment
        //string.
        String allOpAttrs=(String)operation.getAttachment(ALL_OP_ATTRS_MATCHED);
        if(allOpAttrs != null)
        {
          evalAllAttributes |= ACI_OP_ATTR_PLUS_MATCHED;
        }
      }

      //Reference the current authorization entry, so it can be put back
      //if an access proxy check was performed.
        this.rightsMask = rights;
    }

    /**
     * This constructor is used by the generic access control check.
     *
     * @param operation The operation to use in the access evaluation.
     * @param e The entry to check access for.
     * @param authInfo The authentication information to use in the evaluation.
     * @param rights The rights to check access of.
     */
    protected AciContainer(Operation operation, Entry e,
                            AuthenticationInfo authInfo,
                            int rights) {
        this.resourceEntry=e;
        this.operation=operation;
        this.clientConnection=operation.getClientConnection();
        this.authInfo = authInfo;
        this.authorizationEntry = authInfo.getAuthorizationEntry();
        this.rightsMask = rights;
    }
  /**
   * Returns true if an entry has already been processed by an access proxy
   * check.
   *
   * @return True if an entry has already been processed by an access proxy
   * check.
   */
   public boolean hasSeenEntry() {
      return this.seenEntry;
    }

  /**
   * Set to true if an entry has already been processed by an access proxy
   * check.
   *
   * @param val The value to set the seenEntry boolean to.
   */
    public void setSeenEntry(boolean val) {
     this.seenEntry=val;
    }

    /** {@inheritDoc} */
    @Override
    public boolean isProxiedAuthorization() {
         return this.proxiedAuthorization;
    }

    /** {@inheritDoc} */
    @Override
    public boolean isGetEffectiveRightsEval() {
        return this.isGetEffectiveRightsEval;
    }

  /**
   * The container is going to be used in a geteffectiverights evaluation, set
   * the flag isGetEffectiveRightsEval to true.
   */
  public void setGetEffectiveRightsEval() {
       this.isGetEffectiveRightsEval=true;
    }

  /**
   * Return true if the container is being used in a geteffectiverights
   * evaluation.
   *
   * @return True if the container is being used in a geteffectiverights
   * evaluation.
   */
    public boolean hasGetEffectiveRightsControl() {
      return this.hasGetEffectiveRightsControl;
    }

  /**
   * Use the DN from the geteffectiverights control's authzId as the
   * client DN, rather than the authorization entry's DN.
   *
   * @param v The valued to set the useAuthzid to.
   */
    public void useAuthzid(boolean v) {
       this.useAuthzid=v;
    }

  /**
   * Return the list of additional attributes specified in the
   * geteffectiverights control.
   *
   * @return The list of attributes to return rights information about in the
   * entry.
   */
    public List<AttributeType> getSpecificAttributes() {
       return this.specificAttrs;
    }

    /** {@inheritDoc} */
    @Override
    public void addTargAttrFiltersMatchAci(Aci aci) {
      this.targAttrFilterAcis.put(aci, aci);
    }

    /** {@inheritDoc} */
    @Override
    public boolean hasTargAttrFiltersMatchAci(Aci aci) {
      return this.targAttrFilterAcis.containsKey(aci);
    }

    /** {@inheritDoc} */
    @Override
    public boolean isTargAttrFilterMatchAciEmpty() {
       return this.targAttrFilterAcis.isEmpty();
    }

  /**
   * Reset the values used by the geteffectiverights evaluation to
   * original values. The geteffectiverights evaluation uses the same container
   * repeatedly for different rights evaluations (read, write, proxy,...) and
   * this method resets variables that are specific to a single evaluation.
   */
    public void resetEffectiveRightsParams() {
      this.targAttrFilterAcis.clear();
      this.decidingAci=null;
      this.evalReason=null;
      this.targAttrFiltersMatch=false;
      this.summaryString=null;
      this.targAttrMatch=0;
    }

    /** {@inheritDoc} */
    @Override
    public void setTargAttrFiltersAciName(String name) {
      this.targAttrFiltersAciName=name;
    }

    /** {@inheritDoc} */
    @Override
    public String getTargAttrFiltersAciName() {
      return this.targAttrFiltersAciName;
    }

    /** {@inheritDoc} */
    @Override
    public void setTargAttrFiltersMatchOp(int flag) {
      this.targAttrMatch |= flag;
    }

    /** {@inheritDoc} */
    @Override
    public boolean hasTargAttrFiltersMatchOp(int flag) {
       return (this.targAttrMatch & flag) != 0;
    }

    /** {@inheritDoc} */
    @Override
    public String getDecidingAciName() {
      if(this.decidingAci != null) {
        return this.decidingAci.getName();
      }
      return null;
    }

  /** {@inheritDoc} */
  @Override
  public void setEvaluationResult(EnumEvalReason reason, Aci decidingAci)
  {
    this.evalReason = reason;
    this.decidingAci = decidingAci;
  }

    /** {@inheritDoc} */
    @Override
    public EnumEvalReason getEvalReason() {
      return this.evalReason;
    }

    /** {@inheritDoc} */
    @Override
    public void setEvalSummary(String summary) {
      this.summaryString=summary;
    }

    /** {@inheritDoc} */
    @Override
    public String getEvalSummary() {
      return this.summaryString;
    }

  /**
   * Returns true if the geteffectiverights control's authZid DN is equal to the
   * authorization entry's DN.
   *
   * @return True if the authZid is equal to the authorization entry's DN.
   */
    public boolean isAuthzidAuthorizationDN() {
     return this.authzid.equals(this.authorizationEntry.getName());
    }

    /** {@inheritDoc} */
    @Override
    public void setDenyList(List<Aci> denys) {
        denyList=denys;
    }

    /** {@inheritDoc} */
    @Override
    public void setAllowList(List<Aci> allows) {
        allowList=allows;
    }

    /** {@inheritDoc} */
    @Override
    public AttributeType getCurrentAttributeType() {
        return attributeType;
    }

    /** {@inheritDoc} */
    @Override
    public ByteString getCurrentAttributeValue() {
        return attributeValue;
    }

    /** {@inheritDoc} */
    @Override
    public void setCurrentAttributeType(AttributeType type) {
        attributeType=type;
    }

    /** {@inheritDoc} */
    @Override
    public void setCurrentAttributeValue(ByteString value) {
        attributeValue=value;
    }

    /** {@inheritDoc} */
    @Override
    public boolean isFirstAttribute() {
        return isFirst;
    }

    /** {@inheritDoc} */
    @Override
    public void setIsFirstAttribute(boolean val) {
        isFirst=val;
    }

    /** {@inheritDoc} */
    @Override
    public boolean hasEntryTestRule() {
        return isEntryTestRule;
    }

    /** {@inheritDoc} */
    @Override
    public void setEntryTestRule(boolean val) {
        isEntryTestRule=val;
    }

    /** {@inheritDoc} */
    @Override
    public Entry getResourceEntry() {
        return resourceEntry;
    }

    /** {@inheritDoc} */
    @Override
    public Entry getClientEntry() {
      return this.authorizationEntry;
    }

    /** {@inheritDoc} */
    @Override
    public List<Aci> getDenyList() {
        return denyList;
    }

    /** {@inheritDoc} */
    @Override
    public List<Aci> getAllowList() {
       return allowList;
    }

    /** {@inheritDoc} */
    @Override
    public boolean isDenyEval() {
        return EnumEvalReason.NO_ALLOW_ACIS.equals(evalReason)
            || EnumEvalReason.EVALUATED_DENY_ACI.equals(evalReason);
    }

    /** {@inheritDoc} */
    @Override
    public boolean isAnonymousUser() {
        return !authInfo.isAuthenticated();
    }

    /** {@inheritDoc} */
    @Override
    public DN getClientDN() {
      if(this.useAuthzid)
      {
        return this.authzid;
      }
      else if (this.authorizationEntry != null)
      {
        return this.authorizationEntry.getName();
      }
      return DN.rootDN();
    }

    /** {@inheritDoc} */
    @Override
    public DN getResourceDN() {
        return resourceEntry.getName();
    }

   /**
    * {@inheritDoc}
    * <p>
    * JNR: I find the implementation in this method dubious.
    *
    * @see EnumRight#hasRights(int, int)
    */
    @Override
    public boolean hasRights(int rights) {
       return (this.rightsMask & rights) != 0;
    }

    /** {@inheritDoc} */
    @Override
    public int getRights() {
        return this.rightsMask;
    }

    /** {@inheritDoc} */
    @Override
    public void setRights(int rights) {
         this.rightsMask=rights;
    }

    /** {@inheritDoc} */
    @Override
    public String getHostName() {
        return clientConnection.getRemoteAddress().getCanonicalHostName();
    }

    /** {@inheritDoc} */
    @Override
    public InetAddress getRemoteAddress() {
        return clientConnection.getRemoteAddress();
    }

    /** {@inheritDoc} */
    @Override
    public boolean isAddOperation() {
        return operation instanceof AddOperation;
    }

    /** {@inheritDoc} */
    @Override
    public void setTargAttrFiltersMatch(boolean v) {
        this.targAttrFiltersMatch=v;
    }

    /** {@inheritDoc} */
    @Override
    public boolean getTargAttrFiltersMatch() {
        return targAttrFiltersMatch;
    }

    /** {@inheritDoc} */
    @Override
    public String getControlOID() {
      return controlOID;
    }

    /** {@inheritDoc} */
    @Override
    public String getExtOpOID() {
      return extOpOID;
    }

    /**
     * Set the the controlOID value to the specified oid string.
     *
     * @param oid  The control oid string.
     */
    protected void setControlOID(String oid) {
      this.controlOID=oid;
    }


    /**
     * Set the extended operation OID value to the specified oid string.
     *
     * @param oid  The extended operation oid string.
     */
    protected void setExtOpOID(String oid) {
      this.extOpOID=oid;
    }

    /** {@inheritDoc} */
    @Override
    public EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                                  String saslMech) {
      EnumEvalResult matched=EnumEvalResult.FALSE;

      if(authMethod==EnumAuthMethod.AUTHMETHOD_NONE) {
        /*
         * None actually means any, in that we don't care what method was used.
         * This doesn't seem very intuitive or useful, but that's the way it is.
         */
        matched = EnumEvalResult.TRUE;
      } else {
        // Some kind of authentication is required.
        if(authInfo.isAuthenticated()) {
          if(authMethod==EnumAuthMethod.AUTHMETHOD_SIMPLE) {
            if(authInfo.hasAuthenticationType(AuthenticationType.SIMPLE)) {
              matched = EnumEvalResult.TRUE;
            }
          } else if(authMethod == EnumAuthMethod.AUTHMETHOD_SSL) {
            /*
             * This means authentication using a certificate over TLS.
             *
             * We check the following:
             * - SASL EXTERNAL has been used, and
             * - TLS is the security provider, and
             * - The client provided a certificate.
             */
            if (authInfo.hasAuthenticationType(AuthenticationType.SASL)
                && authInfo.hasSASLMechanism(saslMech)
                && clientConnection instanceof LDAPClientConnection) {
                LDAPClientConnection lc = (LDAPClientConnection) clientConnection;
                Certificate[] certChain = lc.getClientCertificateChain();
                if (certChain.length != 0) {
                  matched = EnumEvalResult.TRUE;
                }
            }
          } else {
            // A particular SASL mechanism.
            if (authInfo.hasAuthenticationType(AuthenticationType.SASL) &&
                 authInfo.hasSASLMechanism(saslMech)) {
              matched = EnumEvalResult.TRUE;
            }
          }
        }
      }
      return matched;
    }

    /** {@inheritDoc} */
    @Override
    public boolean isMemberOf(Group<?> group) {
        try {
            if(useAuthzid) {
                return group.isMember(this.authzid);
            }
            Entry e = getClientEntry();
            if (e != null) {
                return group.isMember(e);
            }
            return group.isMember(getClientDN());
        } catch (DirectoryException ex) {
            return false;
        }
    }

  /**
   * {@inheritDoc}
   * <p>
   * JNR: I find the implementation in this method dubious.
   *
   * @see EnumRight#getEnumRight(int)
   */
    @Override
    public String rightToString() {
      if(hasRights(ACI_SEARCH))
      {
        return "search";
      }
      else if(hasRights(ACI_COMPARE))
      {
        return "compare";
      }
      else if(hasRights(ACI_READ))
      {
        return "read";
      }
      else if(hasRights(ACI_DELETE))
      {
        return "delete";
      }
      else if(hasRights(ACI_ADD))
      {
        return "add";
      }
      else if(hasRights(ACI_WRITE))
      {
        return "write";
      }
      else if(hasRights(ACI_PROXY))
      {
        return "proxy";
      }
      else if(hasRights(ACI_IMPORT))
      {
        return "import";
      }
      else if(hasRights(ACI_EXPORT))
      {
        return "export";
      }
      else if(hasRights(ACI_WRITE) &&
              hasRights(ACI_SELF))
      {
        return "selfwrite";
      }
      return null;
  }

  /** {@inheritDoc} */
  @Override
  public  void setEvalUserAttributes(int v) {
    if(rightsMask == ACI_READ) {
      if(v == ACI_FOUND_USER_ATTR_RULE) {
        evalAllAttributes |= ACI_FOUND_USER_ATTR_RULE;
        evalAllAttributes &= ~ACI_USER_ATTR_STAR_MATCHED;
      }
      else
      {
        evalAllAttributes |= ACI_USER_ATTR_STAR_MATCHED;
      }
    }
  }

  /** {@inheritDoc} */
  @Override
  public  void setEvalOpAttributes(int v) {
    if(rightsMask == ACI_READ) {
      if(v == ACI_FOUND_OP_ATTR_RULE) {
        evalAllAttributes |= ACI_FOUND_OP_ATTR_RULE;
        evalAllAttributes &= ~ACI_OP_ATTR_PLUS_MATCHED;
      }
      else
      {
        evalAllAttributes |= ACI_OP_ATTR_PLUS_MATCHED;
      }
    }
  }

  /** {@inheritDoc} */
  @Override
  public boolean hasEvalUserAttributes() {
    return hasAttribute(ACI_FOUND_USER_ATTR_RULE);
  }

  /** {@inheritDoc} */
  @Override
  public boolean hasEvalOpAttributes() {
    return hasAttribute(ACI_FOUND_OP_ATTR_RULE);
  }

  /**
   * Return true if the evaluating ACI contained a targetattr all
   * user attributes rule match.
   *
   * @return  True if the above condition was seen.
   */
  public boolean hasAllUserAttributes() {
    return hasAttribute(ACI_USER_ATTR_STAR_MATCHED);
  }

  /**
   * Return true if the evaluating ACI contained a targetattr all
   * operational attributes rule match.
   *
   * @return  True if the above condition was seen.
   */
  public boolean hasAllOpAttributes() {
    return hasAttribute(ACI_OP_ATTR_PLUS_MATCHED);
  }

  private boolean hasAttribute(int aciAttribute)
  {
    return (evalAllAttributes & aciAttribute) == aciAttribute;
  }

  /** {@inheritDoc} */
  @Override
  public void clearEvalAttributes(int v) {
    if(v == 0)
    {
      evalAllAttributes=0;
    }
    else
    {
      evalAllAttributes &= ~v;
    }
  }

  /** {@inheritDoc} */
  @Override
  public int getCurrentSSF() {
      return clientConnection.getSSF();
  }

  /** {@inheritDoc} */
  @Override
  public String toString()
  {
    final StringBuilder sb = new StringBuilder();
    if (attributeType != null)
    {
      appendSeparatorIfNeeded(sb);
      sb.append("attributeType: ").append(attributeType.getNameOrOID());
      if (attributeValue != null)
      {
        sb.append(":").append(attributeValue);
      }
    }
    appendSeparatorIfNeeded(sb);
    sb.append(size(allowList)).append(" allow ACIs");
    appendSeparatorIfNeeded(sb);
    sb.append(size(denyList)).append(" deny ACIs");
    if (evalReason != null)
    {
      appendSeparatorIfNeeded(sb);
      sb.append("evaluationResult: ").append(evalReason);
      if (decidingAci != null)
      {
        sb.append(",").append(decidingAci);
      }
    }
    return sb.toString();
  }

  private void appendSeparatorIfNeeded(StringBuilder sb)
  {
    if (sb.length() > 0)
    {
      sb.append(", ");
    }
  }

  private int size(Collection<?> col)
  {
    if (col != null)
    {
      return col.size();
    }
    return 0;
  }
}