/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
    *
    * Licensed under the Apache License, Version 2.0 (the "License");
    * you may not use this file except in compliance with the License.
    * You may obtain a copy of the License at
    *
    *     http://www.apache.org/licenses/LICENSE-2.0
    *
    * Unless required by applicable law or agreed to in writing, software
   * distributed under the License is distributed on an "AS IS" BASIS,
   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   * See the License for the specific language governing permissions and
   * limitations under the License.
   */
  
  package org.acegisecurity.intercept;
  
  import org.acegisecurity.AccessDecisionManager;
  import org.acegisecurity.AccessDeniedException;
  import org.acegisecurity.AcegiMessageSource;
  import org.acegisecurity.AfterInvocationManager;
  import org.acegisecurity.Authentication;
  import org.acegisecurity.AuthenticationCredentialsNotFoundException;
  import org.acegisecurity.AuthenticationException;
  import org.acegisecurity.AuthenticationManager;
  import org.acegisecurity.ConfigAttribute;
  import org.acegisecurity.ConfigAttributeDefinition;
  import org.acegisecurity.RunAsManager;
  
  import org.acegisecurity.context.SecurityContextHolder;
  
  import org.acegisecurity.event.authorization.AuthenticationCredentialsNotFoundEvent;
  import org.acegisecurity.event.authorization.AuthorizationFailureEvent;
  import org.acegisecurity.event.authorization.AuthorizedEvent;
  import org.acegisecurity.event.authorization.PublicInvocationEvent;
  
  import org.acegisecurity.runas.NullRunAsManager;
  
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  
  import org.springframework.beans.factory.InitializingBean;
  
  import org.springframework.context.ApplicationEvent;
  import org.springframework.context.ApplicationEventPublisher;
  import org.springframework.context.ApplicationEventPublisherAware;
  import org.springframework.context.MessageSource;
  import org.springframework.context.MessageSourceAware;
  import org.springframework.context.support.MessageSourceAccessor;
  
  import org.springframework.util.Assert;
  
  import java.util.HashSet;
  import java.util.Iterator;
  import java.util.Set;
  
  /**
   * Abstract class that implements security interception for secure objects.
   * <p>
   * The <code>AbstractSecurityInterceptor</code> will ensure the proper startup
   * configuration of the security interceptor. It will also implement the proper
   * handling of secure object invocations, being:
   * <ol>
   * <li>Obtain the {@link Authentication} object from the
   * {@link SecurityContextHolder}.</li>
   * <li>Determine if the request relates to a secured or public invocation by
   * looking up the secure object request against the
   * {@link ObjectDefinitionSource}.</li>
   * <li>For an invocation that is secured (there is a
   * <code>ConfigAttributeDefinition</code> for the secure object invocation):
   * <ol type="a">
   * <li>If either the {@link org.acegisecurity.Authentication#isAuthenticated()}
   * returns <code>false</code>, or the {@link #alwaysReauthenticate} is
   * <code>true</code>, authenticate the request against the configured
   * {@link AuthenticationManager}. When authenticated, replace the
   * <code>Authentication</code> object on the
   * <code>SecurityContextHolder</code> with the returned value.</li>
   * <li>Authorize the request against the configured
   * {@link AccessDecisionManager}.</li>
   * <li>Perform any run-as replacement via the configured {@link RunAsManager}.</li>
   * <li>Pass control back to the concrete subclass, which will actually proceed
   * with executing the object. A {@link InterceptorStatusToken} is returned so
   * that after the subclass has finished proceeding with execution of the object,
   * its finally clause can ensure the <code>AbstractSecurityInterceptor</code>
   * is re-called and tidies up correctly.</li>
   * <li>The concrete subclass will re-call the
   * <code>AbstractSecurityInterceptor</code> via the
   * {@link #afterInvocation(InterceptorStatusToken, Object)} method.</li>
   * <li>If the <code>RunAsManager</code> replaced the
   * <code>Authentication</code> object, return the
   * <code>SecurityContextHolder</code> to the object that existed after the
   * call to <code>AuthenticationManager</code>.</li>
   * <li>If an <code>AfterInvocationManager</code> is defined, invoke the
   * invocation manager and allow it to replace the object due to be returned to
   * the caller.</li>
   * </ol>
   * </li>
   * <li>For an invocation that is public (there is no
   * <code>ConfigAttributeDefinition</code> for the secure object invocation):
  * <ol type="a">
  * <li>As described above, the concrete subclass will be returned an
  * <code>InterceptorStatusToken</code> which is subsequently re-presented to
  * the <code>AbstractSecurityInterceptor</code> after the secure object has
  * been executed. The <code>AbstractSecurityInterceptor</code> will take no
  * further action when its {@link #afterInvocation(InterceptorStatusToken,
  * Object)} is called.</li>
  * </ol>
  * </li>
  * <li>Control again returns to the concrete subclass, along with the
  * <code>Object</code> that should be returned to the caller. The subclass
  * will then return that result or exception to the original caller.</li>
  * </ol>
  * </p>
  * 
  * @author Ben Alex
  * @version $Id: AbstractSecurityInterceptor.java 1790 2007-03-30 18:27:19Z
  * luke_t $
  */
 public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware,
 		MessageSourceAware {
 	// ~ Static fields/initializers
 	// =====================================================================================
 
 	protected static final Log logger = LogFactory.getLog(AbstractSecurityInterceptor.class);
 
 	// ~ Instance fields
 	// ================================================================================================
 
 	private AccessDecisionManager accessDecisionManager;
 
 	private AfterInvocationManager afterInvocationManager;
 
 	private ApplicationEventPublisher eventPublisher;
 
 	private AuthenticationManager authenticationManager;
 
 	protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
 
 	private RunAsManager runAsManager = new NullRunAsManager();
 
 	private boolean alwaysReauthenticate = false;
 
 	private boolean rejectPublicInvocations = false;
 
 	private boolean validateConfigAttributes = true;
 
 	// ~ Methods
 	// ========================================================================================================
 
 	/**
 	 * Completes the work of the <code>AbstractSecurityInterceptor</code>
 	 * after the secure object invocation has been complete
 	 * 
 	 * @param token as returned by the {@link #beforeInvocation(Object)}}
 	 * method
 	 * @param returnedObject any object returned from the secure object
 	 * invocation (may be<code>null</code>)
 	 * 
 	 * @return the object the secure object invocation should ultimately return
 	 * to its caller (may be <code>null</code>)
 	 */
 	protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
 		if (token == null) {
 			// public object
 			return returnedObject;
 		}
 
 		if (token.isContextHolderRefreshRequired()) {
 			if (logger.isDebugEnabled()) {
 				logger.debug("Reverting to original Authentication: " + token.getAuthentication().toString());
 			}
 
 			SecurityContextHolder.getContext().setAuthentication(token.getAuthentication());
 		}
 
 		if (afterInvocationManager != null) {
 			// Attempt after invocation handling
 			try {
 				returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),
 						token.getAttr(), returnedObject);
 			}
 			catch (AccessDeniedException accessDeniedException) {
 				AuthorizationFailureEvent event = new AuthorizationFailureEvent(token.getSecureObject(), token
 						.getAttr(), token.getAuthentication(), accessDeniedException);
 				publishEvent(event);
 
 				throw accessDeniedException;
 			}
 		}
 
 		return returnedObject;
 	}
 
 	public void afterPropertiesSet() throws Exception {
 		Assert.notNull(getSecureObjectClass(), "Subclass must provide a non-null response to getSecureObjectClass()");
 
 		Assert.notNull(this.messages, "A message source must be set");
 
 		Assert.notNull(this.authenticationManager, "An AuthenticationManager is required");
 
 		Assert.notNull(this.accessDecisionManager, "An AccessDecisionManager is required");
 
 		Assert.notNull(this.runAsManager, "A RunAsManager is required");
 
 		Assert.notNull(this.obtainObjectDefinitionSource(), "An ObjectDefinitionSource is required");
 
 		Assert.isTrue(this.obtainObjectDefinitionSource().supports(getSecureObjectClass()),
 				"ObjectDefinitionSource does not support secure object class: " + getSecureObjectClass());
 
 		Assert.isTrue(this.runAsManager.supports(getSecureObjectClass()),
 				"RunAsManager does not support secure object class: " + getSecureObjectClass());
 
 		Assert.isTrue(this.accessDecisionManager.supports(getSecureObjectClass()),
 				"AccessDecisionManager does not support secure object class: " + getSecureObjectClass());
 
 		if (this.afterInvocationManager != null) {
 			Assert.isTrue(this.afterInvocationManager.supports(getSecureObjectClass()),
 					"AfterInvocationManager does not support secure object class: " + getSecureObjectClass());
 		}
 
 		if (this.validateConfigAttributes) {
 			Iterator iter = this.obtainObjectDefinitionSource().getConfigAttributeDefinitions();
 
 			if (iter == null) {
 				logger.warn("Could not validate configuration attributes as the MethodDefinitionSource did not return "
 						+ "a ConfigAttributeDefinition Iterator");
 				return;
 			}
 
 			Set unsupportedAttrs = new HashSet();
 
 			while (iter.hasNext()) {
 				ConfigAttributeDefinition def = (ConfigAttributeDefinition) iter.next();
 				Iterator attributes = def.getConfigAttributes();
 
 				while (attributes.hasNext()) {
 					ConfigAttribute attr = (ConfigAttribute) attributes.next();
 
 					if (!this.runAsManager.supports(attr) && !this.accessDecisionManager.supports(attr)
 							&& ((this.afterInvocationManager == null) || !this.afterInvocationManager.supports(attr))) {
 						unsupportedAttrs.add(attr);
 					}
 				}
 			}
 
 			if (unsupportedAttrs.size() != 0) {
 				throw new IllegalArgumentException("Unsupported configuration attributes: " + unsupportedAttrs);
 			}
 
 			logger.info("Validated configuration attributes");
 		}
 	}
 
 	protected InterceptorStatusToken beforeInvocation(Object object) {
 		Assert.notNull(object, "Object was null");
 
 		if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
 			throw new IllegalArgumentException("Security invocation attempted for object "
 					+ object.getClass().getName()
 					+ " but AbstractSecurityInterceptor only configured to support secure objects of type: "
 					+ getSecureObjectClass());
 		}
 
 		ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource().getAttributes(object);
 
 		if (attr == null) {
 			if (rejectPublicInvocations) {
 				throw new IllegalArgumentException(
 						"No public invocations are allowed via this AbstractSecurityInterceptor. "
 								+ "This indicates a configuration error because the "
 								+ "AbstractSecurityInterceptor.rejectPublicInvocations property is set to 'true'");
 			}
 
 			if (logger.isDebugEnabled()) {
 				logger.debug("Public object - authentication not attempted");
 			}
 
 			publishEvent(new PublicInvocationEvent(object));
 
 			return null; // no further work post-invocation
 		}
 
 		if (logger.isDebugEnabled()) {
 			logger.debug("Secure object: " + object.toString() + "; ConfigAttributes: " + attr.toString());
 		}
 
 		if (SecurityContextHolder.getContext().getAuthentication() == null) {
 			credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound",
 					"An Authentication object was not found in the SecurityContext"), object, attr);
 		}
 
 		// Attempt authentication if not already authenticated, or user always
 		// wants reauthentication
 		Authentication authenticated;
 
 		if (!SecurityContextHolder.getContext().getAuthentication().isAuthenticated() || alwaysReauthenticate) {
 			try {
 				authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext()
 						.getAuthentication());
 			}
 			catch (AuthenticationException authenticationException) {
 				throw authenticationException;
 			}
 
 			// We don't authenticated.setAuthentication(true), because each
 			// provider should do that
 			if (logger.isDebugEnabled()) {
 				logger.debug("Successfully Authenticated: " + authenticated.toString());
 			}
 
 			SecurityContextHolder.getContext().setAuthentication(authenticated);
 		}
 		else {
 			authenticated = SecurityContextHolder.getContext().getAuthentication();
 
 			if (logger.isDebugEnabled()) {
 				logger.debug("Previously Authenticated: " + authenticated.toString());
 			}
 		}
 
 		// Attempt authorization
 		try {
 			this.accessDecisionManager.decide(authenticated, object, attr);
 		}
 		catch (AccessDeniedException accessDeniedException) {
 			AuthorizationFailureEvent event = new AuthorizationFailureEvent(object, attr, authenticated,
 					accessDeniedException);
 			publishEvent(event);
 
 			throw accessDeniedException;
 		}
 
 		if (logger.isDebugEnabled()) {
 			logger.debug("Authorization successful");
 		}
 
 		AuthorizedEvent event = new AuthorizedEvent(object, attr, authenticated);
 		publishEvent(event);
 
 		// Attempt to run as a different user
 		Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attr);
 
 		if (runAs == null) {
 			if (logger.isDebugEnabled()) {
 				logger.debug("RunAsManager did not change Authentication object");
 			}
 
 			// no further work post-invocation
 			return new InterceptorStatusToken(authenticated, false, attr, object);
 		}
 		else {
 			if (logger.isDebugEnabled()) {
 				logger.debug("Switching to RunAs Authentication: " + runAs.toString());
 			}
 
 			SecurityContextHolder.getContext().setAuthentication(runAs);
 
 			// revert to token.Authenticated post-invocation
 			return new InterceptorStatusToken(authenticated, true, attr, object);
 		}
 	}
 
 	/**
 	 * Helper method which generates an exception containing the passed reason,
 	 * and publishes an event to the application context.
 	 * <p>
 	 * Always throws an exception.
 	 * </p>
 	 * 
 	 * @param reason to be provided in the exception detail
 	 * @param secureObject that was being called
 	 * @param configAttribs that were defined for the secureObject
 	 */
 	private void credentialsNotFound(String reason, Object secureObject, ConfigAttributeDefinition configAttribs) {
 		AuthenticationCredentialsNotFoundException exception = new AuthenticationCredentialsNotFoundException(reason);
 
 		AuthenticationCredentialsNotFoundEvent event = new AuthenticationCredentialsNotFoundEvent(secureObject,
 				configAttribs, exception);
 		publishEvent(event);
 
 		throw exception;
 	}
 
 	public AccessDecisionManager getAccessDecisionManager() {
 		return accessDecisionManager;
 	}
 
 	public AfterInvocationManager getAfterInvocationManager() {
 		return afterInvocationManager;
 	}
 
 	public AuthenticationManager getAuthenticationManager() {
 		return this.authenticationManager;
 	}
 
 	public RunAsManager getRunAsManager() {
 		return runAsManager;
 	}
 
 	/**
 	 * Indicates the type of secure objects the subclass will be presenting to
 	 * the abstract parent for processing. This is used to ensure collaborators
 	 * wired to the <code>AbstractSecurityInterceptor</code> all support the
 	 * indicated secure object class.
 	 * 
 	 * @return the type of secure object the subclass provides services for
 	 */
 	public abstract Class getSecureObjectClass();
 
 	public boolean isAlwaysReauthenticate() {
 		return alwaysReauthenticate;
 	}
 
 	public boolean isRejectPublicInvocations() {
 		return rejectPublicInvocations;
 	}
 
 	public boolean isValidateConfigAttributes() {
 		return validateConfigAttributes;
 	}
 
 	public abstract ObjectDefinitionSource obtainObjectDefinitionSource();
 
 	public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
 		this.accessDecisionManager = accessDecisionManager;
 	}
 
 	public void setAfterInvocationManager(AfterInvocationManager afterInvocationManager) {
 		this.afterInvocationManager = afterInvocationManager;
 	}
 
 	/**
 	 * Indicates whether the <code>AbstractSecurityInterceptor</code> should
 	 * ignore the {@link Authentication#isAuthenticated()} property. Defaults to
 	 * <code>false</code>, meaning by default the
 	 * <code>Authentication.isAuthenticated()</code> property is trusted and
 	 * re-authentication will not occur if the principal has already been
 	 * authenticated.
 	 * 
 	 * @param alwaysReauthenticate <code>true</code> to force
 	 * <code>AbstractSecurityInterceptor</code> to disregard the value of
 	 * <code>Authentication.isAuthenticated()</code> and always
 	 * re-authenticate the request (defaults to <code>false</code>).
 	 */
 	public void setAlwaysReauthenticate(boolean alwaysReauthenticate) {
 		this.alwaysReauthenticate = alwaysReauthenticate;
 	}
 
 	public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
 		this.eventPublisher = applicationEventPublisher;
 	}
 
 	public void setAuthenticationManager(AuthenticationManager newManager) {
 		this.authenticationManager = newManager;
 	}
 
 	public void setMessageSource(MessageSource messageSource) {
 		this.messages = new MessageSourceAccessor(messageSource);
 	}
 
 	/**
 	 * By rejecting public invocations (and setting this property to
 	 * <code>true</code>), essentially you are ensuring that every secure
 	 * object invocation advised by <code>AbstractSecurityInterceptor</code>
 	 * has a configuration attribute defined. This is useful to ensure a "fail
 	 * safe" mode where undeclared secure objects will be rejected and
 	 * configuration omissions detected early. An
 	 * <code>IllegalArgumentException</code> will be thrown by the
 	 * <code>AbstractSecurityInterceptor</code> if you set this property to
 	 * <code>true</code> and an attempt is made to invoke a secure object that
 	 * has no configuration attributes.
 	 * 
 	 * @param rejectPublicInvocations set to <code>true</code> to reject
 	 * invocations of secure objects that have no configuration attributes (by
 	 * default it is <code>false</code> which treats undeclared secure objects
 	 * as "public" or unauthorized)
 	 */
 	public void setRejectPublicInvocations(boolean rejectPublicInvocations) {
 		this.rejectPublicInvocations = rejectPublicInvocations;
 	}
 
 	public void setRunAsManager(RunAsManager runAsManager) {
 		this.runAsManager = runAsManager;
 	}
 
 	public void setValidateConfigAttributes(boolean validateConfigAttributes) {
 		this.validateConfigAttributes = validateConfigAttributes;
 	}
 
 	private void publishEvent(ApplicationEvent event) {
 		if (this.eventPublisher != null) {
 			this.eventPublisher.publishEvent(event);
 		}
 	}
 }