/**
 * Copyright 2014 Tampere University of Technology, Pori Department
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *   http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package core.tut.pori.context;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.log4j.Logger;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

import service.tut.pori.users.UserCore;
import core.tut.pori.http.Response;
import core.tut.pori.http.Response.Status;
import core.tut.pori.users.UserIdentity;

/**
 * This class handles to basic login/logout functionality and session creation/destruction.
 * 
 * This class defines the APIs available for client authentication. Note that it is also possible to authenticate by IP address without username or password check, but the functionality must be enabled per IP basis using the front-end system configuration, and is in general recommended only for analysis back-ends. The IP authentication configuration is out of scope for this documentation.
 * The user authorization is done by checking the presence and validity of a session ID in the header list (cookie) of the executed HTTP request. The session ID can be generated by any of the login methods documented in this specification. It is also possible to provide the authentication details, such as username and password for HTTP basic authentication, for each request, though this is not necessary.
 * The default configuration prevents multiple logins, and re-authentication will automatically invalidate the previous session, creating a new a session and a new session ID.
 * 
 * This class is generally bound using web.xml to be outside of REST handler, working independently from the service invocation functionality.
 */
public class LoginHandler extends HttpServlet{
  private static final Logger LOGGER = Logger.getLogger(LoginHandler.class);
  private static final String METHOD_LOGIN = "login";
  /** serialization id */
  private static final long serialVersionUID = 956966155730567889L;

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    handleRequest(req, resp);
  }

  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    handleRequest(req, resp);
  }

  /**
   * 
   * @param request
   * @param response
   */
  private void handleRequest(HttpServletRequest request, HttpServletResponse response){
    if(request.getRequestURI().endsWith(METHOD_LOGIN)){
      login(getAuthentication(), request, response);
    }else{ // ther are only two mappings in the web.xml, if this is not login, it must be logout
      logout(getAuthentication(), request, response);
    }
  }
  
  /**
   * Login the user using HTTP Basic authentication. Successful authentication attempt will return a new session ID (as a response cookie) that can be used for further authentication.
   * 
   * @param auth
   * @param request
   * @param response
   */
  private void login(Authentication auth, HttpServletRequest request, HttpServletResponse response){
    LOGGER.debug("Received login request "+request.getMethod()+" from "+request.getRemoteAddr()); 
    if(auth == null){
      new Response(Status.UNAUTHORIZED).writeTo(response);
      return;
    }
    new Response().writeTo(response);
  }
  
  /**
   * Log out the user. This will invalidate the session Id (cookie) currently used by the user. Note that in many cases the only noticeable effect of calling this method is to invalidate the session Id, as most web browsers will automatically re-authenticate the user on any following calls if user credentials are known, thus creating a new session.
   * 
   * @param auth
   * @param request
   * @param response
   */
  private void logout(Authentication auth, HttpServletRequest request, HttpServletResponse response){
    LOGGER.debug("Received logout request "+request.getMethod()+" from "+request.getRemoteAddr());  
    if(auth == null){
      LOGGER.debug("User was not logged in.");
      new Response().writeTo(response);
      return;
    }
    auth.setAuthenticated(false);
    HttpSession session = request.getSession(false);
    if(session == null){
      LOGGER.debug("No valid session.");
    }else{
      LOGGER.debug("Invalidating session.");
      session.invalidate();
    }

    SecurityContextHolder.clearContext();
    new Response().writeTo(response);
  }
  
  /**
   * 
   * @return authentication or null if user has not authenticated
   */
  private Authentication getAuthentication(){
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if(auth != null && auth.isAuthenticated()){
      Object principal = auth.getPrincipal();
      if(principal.getClass() == UserIdentity.class){
        return auth;
      }else{
        LOGGER.debug("UserDetails not available.");
      }     
    }
    return null;
  }
  
  /**
   * Set this user as authenticated for the current security context
   * 
   * @param userId
   * @throws IllegalArgumentException on bad userId
   */
  public static void authenticate(UserIdentity userId) throws IllegalArgumentException{
    userId = UserCore.getUserIdentity(userId.getUserId()); // retrieve all details
    if(!UserIdentity.isValid(userId)){
      throw new IllegalArgumentException("Bad user, id: "+userId.getUserId());
    }
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(userId, userId.getPassword(), userId.getAuthorities()));
  }
}