/*
 * Copyright (C) 2007-2012 Mathieu Baudier
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *         http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.argeo.security.jcr;

import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;

import org.argeo.ArgeoException;
import org.argeo.jcr.JcrUtils;
import org.argeo.security.OsAuthenticationToken;
import org.argeo.security.core.OsAuthenticationProvider;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;

/** Relies on OS to authenticate and additionally setup JCR */
public class OsJcrAuthenticationProvider extends OsAuthenticationProvider {
	private Repository repository;
	private String securityWorkspace = "security";
	private Session securitySession;
	private Session nodeSession;

	public void init() {
		try {
			securitySession = repository.login(securityWorkspace);
			nodeSession = repository.login();
		} catch (RepositoryException e) {
			throw new ArgeoException("Cannot initialize", e);
		}
	}

	public void destroy() {
		JcrUtils.logoutQuietly(securitySession);
		JcrUtils.logoutQuietly(nodeSession);
	}

	public Authentication authenticate(Authentication authentication)
			throws AuthenticationException {
		final OsAuthenticationToken authen = (OsAuthenticationToken) super
				.authenticate(authentication);
		try {
			// WARNING: at this stage we assume that the java properties
			// will have the same value
			String username = System.getProperty("user.name");
			Node userProfile = JcrUtils.createUserProfileIfNeeded(
					securitySession, username);
			JcrUserDetails.checkAccountStatus(userProfile);

			// each user should have a writable area in the default workspace of
			// the node
			Node userNodeHome = JcrUtils.createUserHomeIfNeeded(nodeSession,
					username);
			// FIXME how to set user home privileges *before* it is created ?
			// JcrUtils.addPrivilege(nodeSession, userNodeHome.getPath(),
			// username, Privilege.JCR_ALL);
			// if (nodeSession.hasPendingChanges())
			// nodeSession.save();

			// user details
			JcrUserDetails userDetails = new JcrUserDetails(userProfile, authen
					.getCredentials().toString(), getBaseAuthorities());
			authen.setDetails(userDetails);
		} catch (RepositoryException e) {
			JcrUtils.discardQuietly(securitySession);
			throw new ArgeoException(
					"Unexpected exception when synchronizing OS and JCR security ",
					e);
		} finally {
			JcrUtils.logoutQuietly(securitySession);
		}
		return authen;
	}

	public void setSecurityWorkspace(String securityWorkspace) {
		this.securityWorkspace = securityWorkspace;
	}

	public void setRepository(Repository repository) {
		this.repository = repository;
	}
}