/*
   jGuard is a security framework based on top of jaas (java authentication and authorization security).
   it is written for web applications, to resolve simply, access control problems.
   version $Name:  $
   http://sourceforge.net/projects/jguard
   
   Copyright (C) 2004  Charles GAY
   
   This library is free software; you can redistribute it and/or
  modify it under the terms of the GNU Lesser General Public
  License as published by the Free Software Foundation; either
  version 2.1 of the License, or (at your option) any later version.
  
  This library is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  Lesser General Public License for more details.
  
  You should have received a copy of the GNU Lesser General Public
  License along with this library; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  
  
  jGuard project home page:
  http://sourceforge.net/projects/jguard
  
  */
  package net.sf.jguard.core.authorization.policy;
  
  import java.security.AccessController;
  import java.security.Permission;
  import java.security.PermissionCollection;
  import java.security.Permissions;
  import java.security.PrivilegedAction;
  import java.security.ProtectionDomain;
  import java.util.Enumeration;
  import java.util.Map;
  
  import java.util.logging.Level;
  import net.sf.ehcache.CacheException;
  import net.sf.jguard.core.CoreConstants;
  import net.sf.jguard.core.PolicyEnforcementPointOptions;
  import net.sf.jguard.core.authorization.AuthorizationException;
  import net.sf.jguard.core.authorization.AuthorizationHelper;
  import net.sf.jguard.core.authorization.manager.AuthorizationManagerFactory;
  import net.sf.jguard.core.authorization.manager.PermissionProvider;
  import net.sf.jguard.core.authorization.permissions.AuditPermissionCollection;
  import net.sf.jguard.core.authorization.permissions.PermissionUtils;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
  
  
  
  
  
  /**
   * Single application JGuard Policy implementation. Use SingleAppPolicy if the application
   * is the only one running in the VM. It mainly concerns standalone applications.<br>
   * SingleAppPolicy loads a configuration file (JGuardAuthentication.xml is the default one).<br>
   * A custom location of the configuration file can be passed :
   * <ul>
   * <li>in authorizationManager option "fileLocation" in policy configuration file</li>
   * <li>trough vm arg : <code>-Dnet.sf.jguard.policy.configuration.file="path_to_policy_configuration_file"</code></li>
   * </ul>
   * It also gets the application name. There are several ways to pass it. The following list shows them ordered from
   * the first way handled by the policy to the last one.
   * <ul>
   * <li>in authorizationManager option "applicationName" in policy configuration file</li>
   * <li>trough vm arg : <code>net.sf.jguard.application.name</code> VM arg</li>
   * <li>trough vm arg : <code>com.sun.management.jmxremote.login.config</code> 
   * if you have already defined this property because you use JMX.
   *  Do not set application name through this property if you are not using JMX !</li>
   * </ul>
   * If no applicationName is passed to the application, default application name "other" is used.
   * @see net.sf.jguard.core.authorization.policy.JGuardPolicy
   * @see net.sf.jguard.core.authorization.policy.MultipleAppPolicy
   * @author <a href="mailto:vberetti@users.sourceforge.net">Vincent Beretti</a>
   * @author <a href="mailto:diabolo512@users.sourceforge.net">Charles Gay</a>
   */
  public final class SingleAppPolicy extends JGuardPolicy {
  
      private static Logger logger = LoggerFactory.getLogger(SingleAppPolicy.class.getName());
      private static final String DEFAULT_POLICY_CONFIGURATION_FILE = "JGuardAuthorization.xml";
  
      private PermissionProvider permissionProvider;
      private Permissions alwaysGrantedPermissions = null;
  
      /**
       *
       * @throws AuthorizationException
       */
      public SingleAppPolicy() throws AuthorizationException {
          
          alwaysGrantedPermissions = new Permissions();
          
          // call run() method under extended privileges
          AccessController.doPrivileged(new PrivilegedAction() {
              
                  public Object run() {
                     logger.info( "#######   loading SingleAppPolicy  "+JGuardPolicy.version+" ###########");
                     String configurationLocation = System.getProperty(CoreConstants.POLICY_CONFIGURATION_FILE);
 
                     if (configurationLocation == null) {
                         logger.info( "No configuration file in " + CoreConstants.POLICY_CONFIGURATION_FILE + ", using default " + DEFAULT_POLICY_CONFIGURATION_FILE + " location");
                         configurationLocation = DEFAULT_POLICY_CONFIGURATION_FILE;
                     }
 
                     String appHomePath = System.getProperty(CoreConstants.APPLICATION_HOME_PATH);
                     if(appHomePath!=null && !appHomePath.endsWith("/")){
                         appHomePath+="/";
                     }
 
                     if(appHomePath==null){
                         appHomePath="";
                     }
          
         
                     Map authorizationOptions = AuthorizationHelper.loadConfiguration(configurationLocation, appHomePath);
 
                     if (authorizationOptions.get(PolicyEnforcementPointOptions.APPLICATION_NAME.getLabel()) == null) {
                         String appNameProp = System.getProperty(CoreConstants.APPLICATION_NAME_SYSTEM_PROPERTY);
 
                         if (appNameProp != null) {
                             authorizationOptions.put(PolicyEnforcementPointOptions.APPLICATION_NAME.getLabel(), appNameProp);
                         } else {
                             String appNameJMXProp = System.getProperty("com.sun.management.jmxremote.login.config");
 
                             if (appNameJMXProp != null) {
                                 authorizationOptions.put(PolicyEnforcementPointOptions.APPLICATION_NAME.getLabel(), appNameJMXProp);
                             } else {
                                 // use default application name.
                                 authorizationOptions.put(PolicyEnforcementPointOptions.APPLICATION_NAME.getLabel(), CoreConstants.DEFAULT_APPLICATION_NAME);
                             }
                         }
                     }
 
                     if ("false".equals(authorizationOptions.get(CoreConstants.AUTHORIZATION_PERMISSION_RESOLUTION_CACHING))){
             			PermissionUtils.setCachesEnabled(false);
             		}else{
             			// by default, permission resolution caching is activated
             			try {
             				PermissionUtils.createCaches();
             				PermissionUtils.setCachesEnabled(true);
             			} catch (CacheException e) {
             				logger.warn("Failed to activate permission resolution caching : " + e.getMessage());
             				PermissionUtils.setCachesEnabled(false);
             			}
             		}
 
                     try {
                     	String authorizationManagerImplName =(String)authorizationOptions.get(CoreConstants.AUTHORIZATION_MANAGER);
                         
                         Class clazz;
             			clazz = Thread.currentThread().getContextClassLoader().loadClass(authorizationManagerImplName);
                         AuthorizationManagerFactory.setAuthorizationManager(AuthorizationManagerFactory.createAuthorizationManager(clazz,authorizationOptions));
                         permissionProvider = AuthorizationManagerFactory.getAuthorizationManager();
                     } catch (AuthorizationException e) {
                         logger.error("AuthorizationException", e);
                     } catch (ClassNotFoundException e) {
                     	 logger.error("AuthorizationException", e);					}
 
                     return permissionProvider;
                 }
             });
 
         loadDefaultPolicy();
     }
 
     public PermissionCollection getPermissions(ProtectionDomain protectionDomain) {
         final ProtectionDomain fProtectionDomain = protectionDomain;
         
         // execute these instruction under extended privileges
         PermissionCollection pc = (PermissionCollection) AccessController.doPrivileged(new PrivilegedAction() {
                 public Object run() {
                     return getPermissions(fProtectionDomain, permissionProvider);
                 }
             });
         
         PermissionCollection mergedPc =  PermissionUtils.mergePermissionCollections(pc,alwaysGrantedPermissions);
         //add permissions granted to CodeSource
         mergedPc =  PermissionUtils.mergePermissionCollections(mergedPc,getPermissions(protectionDomain.getCodeSource()));
         return new AuditPermissionCollection(mergedPc,protectionDomain);
     }
 
     public void refresh() {
         if (permissionProvider != null) {
             // Refresh the permission configuration
             permissionProvider.refresh();
         }
     }
     
     @Override
     public boolean implies(ProtectionDomain domain, Permission permission) {
         return super.implies(domain, permission);
     }
     
     /**
      * add some permissions always granted by this Policy, like permission used to
      * <i>logoff</i> in webapp, or permissions used to reached the <i>AccessDenied</i> page.
      * @param classloader unused in this implementation may be null.
      * @param permissions permissions always granted by this Policy
      */
     public void addAlwaysGrantedPermissions(ClassLoader cl,Permissions permissions){
             Enumeration perms= permissions.elements();
             while(perms.hasMoreElements()){
                     alwaysGrantedPermissions.add((Permission)perms.nextElement());
             }
     }
 }