/*
    * NISAccountMapper.java
    *
    * Created on May 25, 2004, 2:25 PM
    */
   
   package gov.bnl.gums.account;
   
   import gov.bnl.gums.GUMS;
  import gov.bnl.gums.SiteUser;
  import gov.bnl.gums.configuration.Configuration;
  
  import java.util.*;
  
  import javax.naming.*;
  import javax.naming.directory.*;
  import javax.naming.ldap.InitialLdapContext;
  import javax.persistence.Entity;
  import javax.persistence.Transient;
  
  import org.apache.log4j.Logger;
  
  
  /** 
   * Maps a user to a local account based on the CN of the certificate and the
   * gecos field in the NIS/YP database. The mapping can't be perfect, but contains
   * a series of heuristics that solve up to 90% of the cases, depending on how
   * the NIS database itself is kept.
   * <p>
   * It's suggested not to use this policy by itself, but to have it part of a 
   * CompositeAccountMapper in which a ManualAccountMapper comes first. This allows
   * to override those user mapping that are not satisfying.
   *
   * @author Jay Packard
   */
  @Entity
  public class LdapAccountMapper extends AccountMapper {
  	static private Logger log = Logger.getLogger(LdapAccountMapper.class);
  	static private List<DirContext> contexts = Collections.synchronizedList(new LinkedList<DirContext>());// *** LDAP connection pool management
      static private Logger gumsAdminLog = Logger.getLogger(GUMS.gumsAdminLogName);
  
  	protected boolean skipReleaseContext = false;
  	protected String peopleContext = null;
  	protected String groupContext = null; 
  	protected String peopleObject = "ou=People";
  	protected String groupObject = "ou=Group";
  
  	// persistent variables
  	protected String jndiLdapUrl;
  	protected String dnField = "description";
  	protected String accountField = "uid";
  	protected String memberUidField = "memberUid";
  	protected String gidNumberField = "gidNumber";
  	protected String groupCnField = "cn";
  	protected String peopleTree;
  	protected String groupTree;
  	protected boolean synchGroups;
  	
  	public LdapAccountMapper() {
  		super();
  	}
  
  	public LdapAccountMapper(Configuration configuration, String name) {
  		super(configuration, name);
  	}
  
  	/** 
       * Adds the account to the given secondary group.
       * 
       * @param account the account to add to the secondary group (i.e. "carcassi")
       * @param groupname the secondary group name (i.e. "usatlas")
       */
      public void addToSecondaryGroup(String account, String groupname) {
          DirContext context = null;
          try {
              context = retrieveGroupContext();
              SearchControls ctrls = new SearchControls();
              ctrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
              NamingEnumeration<SearchResult> result;
              result = context.search(groupCnField+"="+groupname+","+groupObject, "("+memberUidField+"={0})", new Object[] {account}, ctrls);
              if (result.hasMore()) return;
              ModificationItem[] mods = new ModificationItem[1];
              mods[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute(memberUidField, account));
              context.modifyAttributes(groupCnField+"="+groupname+","+groupObject, mods);
              log.trace("Added secondary group to user - user '" + account + "' to group '" + groupname + "'");
          } catch (Exception e) {
              log.info("Couldn't add user to secondary group - user '" + account + "' to group '" + groupname + "'", e);
              throw new RuntimeException("Couldn't add user to secondary group - user '" + account + "' to group '" + groupname + "': " + e.getMessage(), e);
          } finally {
          	releaseContext(context);
          }
  }
  	
      /** 
  	 * Changes the primary gid for the given account.
  	 * 
  	 * @param account the account to change the primary group (i.e. "carcassi")
  	 * @param groupname the primary group name (i.e. "usatlas")
  	 */
 	public void changeGroup(String account, String groupname) {
 		try { 
 			String gid = findGID(groupname);
 			if (gid == null) {
 				log.error("GID for group '" + groupname + "' wasn't found.");
 				throw new RuntimeException("GID for group '" + groupname + "' wasn't found.");
 			}
 			updateGID(account, gid);
 		}
 		catch(NamingException e) {
 			log.error(e.getMessage());
 			throw new RuntimeException(e.getMessage());
 		}
 	}
 
 	public String getAccountField() {
 		return accountField;
 	}
 
 	public String getDnField() {
 		return dnField;
 	}
 
 	public String getGidNumberField() {
 		return gidNumberField;
 	}
 
 	public String getGroupCnField() {
 		return groupCnField;
 	}
 
 	public String getGroupTree() {
 		return groupTree;
 	}
 
 	public String getJndiLdapUrl() {
 		return jndiLdapUrl;
 	}
 	
 	public String getMemberUidField() {
 		return memberUidField;
 	}
 	
 	public String getPeopleTree() {
 		return peopleTree;
 	}
 	
 	public boolean isSynchGroups() {
 		return synchGroups;
 	}
 	
 	public SiteUser mapDn(String dn, boolean createIfDoesNotExist) {
 		Properties jndiProperties = getProperties();
 		String userDNWithSubject = "subject="+dn;
 		int nTries = 5;
 		int i = 0;
 		for (; i < nTries; i++) {
 			log.debug("Attempt " + i + " to retrieve map at '" + jndiLdapUrl + "'");
 			try {
 				DirContext jndiCtx = new InitialDirContext(jndiProperties);
 				NamingEnumeration<SearchResult> nisMap = jndiCtx.search(peopleObject, "("+accountField+"=*)", null);
 				log.debug("Server responded");
 				while (nisMap.hasMore()) {
 					SearchResult res = (SearchResult) nisMap.next();
 					Attributes atts = res.getAttributes();
 					Attribute dnAtt = atts.get(dnField);
 					if (dnAtt != null) {
 						if (dn.equals(dnAtt.get().toString()) || userDNWithSubject.equals(dnAtt.get().toString())) {
 							String account = (String) atts.get(accountField).get();
 							log.debug("Found account '" + account + "' for DN '" + dn + "'");
 							return new SiteUser(account);
 						}
 					}
 				}
 				jndiCtx.close();
 			} catch (javax.naming.NamingException ne) {
 				log.warn("Error searching LDAP at "+jndiLdapUrl, ne);
 				try {
 					Thread.sleep(100);
 				} catch (InterruptedException e) {
 					log.warn("Interrupted", e);
 				}
 			} catch (Exception e) {
 				log.warn("Error searching LDAP at "+jndiLdapUrl, e);
 				try {
 					Thread.sleep(100);
 				} catch (InterruptedException ie) {
 					log.warn("Interrupted", e);
 				}
 			}
 		}
 		return null;       
 	}
 	
 	public DirContext retrieveGroupContext() {
 		DirContext context;
 		while (contexts.size() != 0) {
 			context = (DirContext) contexts.remove(0);
 			if (isGroupContextValid(context)) {
 				log.trace("Using LDAP connection from pool " + context);
 				return context;
 			}
 		}
 		context = createGroupContext();
 		log.trace("New LDAP connection created " + context);
 		return context;	
 	}
 	
 	@ConfigFieldAnnotation(label="Account UID Field", example="uid")
 	public void setAccountField(String accountField) {
 		this.accountField = accountField;
 	}
 
 	@ConfigFieldAnnotation (label="Certificate DN Field", example="description")
 	public void setDnField(String dnField) {
 		this.dnField = dnField;
 	}
 
 	@ConfigFieldAnnotation(label="GID Number Field", example="gidNumber", help="group ID number field in 'People' object")
 	public void setGidNumberField(String gidNumberField) {
 		this.gidNumberField = gidNumberField;
 	}
 
 	@ConfigFieldAnnotation(label="Group CN Field", example="cn")
 	public void setGroupCnField(String groupCnField) {
 		this.groupCnField = groupCnField;
 	}
 
 	@ConfigFieldAnnotation(label="Group Tree", example="ou=Group,dc=usatlas,dc=bnl,dc=gov", help="relative to context in LDAP URL - optional")
 	public void setGroupTree(String groupTree) {
 		if (groupTree != null) {
 			this.groupTree = groupTree;
 			if (groupTree.indexOf(',')!=-1) {
 				this.groupObject = groupTree.substring(0, groupTree.indexOf(','));
 				this.groupContext = groupTree.substring(groupTree.indexOf(',')+1);   
 			}
 			else
 				this.groupObject = groupTree;
 		} 
 	}
 
 	@ConfigFieldAnnotation(label="JNDI LDAP URL", example="ldap://localhost/dc=usatlas,dc=bnl,dc=gov") 
 	public void setJndiLdapUrl(String jndiLdapUrl) {
 		this.jndiLdapUrl = jndiLdapUrl;
 	}
 	
 	@ConfigFieldAnnotation(label="Member Field", example="memberUid", help="field containing user ID in 'Group' object")
 	public void setMemberUidField(String memberUidField) {
 		this.memberUidField = memberUidField;
 	}
 	
 	@ConfigFieldAnnotation(label="People Tree", example="ou=People,dc=usatlas,dc=bnl,dc=gov", help="relative to context in LDAP URL - optional")
 	public void setPeopleTree(String peopleTree) {
 		if (peopleTree != null) {
 			this.peopleTree = peopleTree;
 			if (peopleTree.indexOf(',')!=-1) {
 				this.peopleObject = peopleTree.substring(0, peopleTree.indexOf(','));
 				this.peopleContext = peopleTree.substring(peopleTree.indexOf(',')+1);   
 			}
 			else
 				this.peopleObject = peopleTree;
 		} 
 	}
 
 	@ConfigFieldAnnotation(label="Update group and email for every access")
 	public void setSynchGroups(boolean synchGroups) {
 		this.synchGroups = synchGroups;
 	}
 
 	protected String findGID(String groupname) throws NamingException {
 		DirContext context = retrieveGroupContext();
 		try {
 			NamingEnumeration<SearchResult> result = context.search(groupObject, "("+groupCnField+"={0})", new Object[] {groupname}, null);
 			String gid = null;
 			if (result.hasMore()) {
 				SearchResult item = result.next();
 				Attributes atts = item.getAttributes();
 				Attribute gidAtt = atts.get(gidNumberField);
 				if (gidAtt != null) {
 					gid = (String) gidAtt.get();
 				}
 			}
 			log.trace("Found gid '" + gid + "' for group '" + groupname + "'");
 			return gid;
 		} catch (Exception e) {
 			log.info("Couldn't retrieve gid for '" + groupname + "'", e);
 			throw new RuntimeException("Couldn't retrieve gid for '" + groupname + "': " + e.getMessage(), e);
 		} finally {
 			releaseContext(context);
 		}
 	}
 
 	protected void updateGID(String account, String gid) throws NamingException {
 		DirContext context = retrievePeopleContext();
 		try {
 			ModificationItem[] mods = new ModificationItem[1];
 			mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute(gidNumberField, gid));
 			context.modifyAttributes(accountField+"="+account+","+peopleObject, mods);
 			log.trace("Changed primary gid for user '" + account + "' to gid '" + gid + "''");
 		} catch (Exception e) {
 			log.warn("Couldn't change gid for user '" + account + "' to gid '" + gid + "''", e);
 			throw new RuntimeException("Couldn't change gid for user '" + account + "' to gid '" + gid + "''", e);
 		} finally {
 			releaseContext(context);
 		}
 	}
 
 	
 	protected DirContext createGroupContext() {
 		Properties properties = (Properties)getProperties();
 		try {
 			log.info("Trying to create LDAP connection with properties: " + properties);
 			return (DirContext)new InitialLdapContext(properties, null);
 		} catch (NamingException e) {
 			log.warn("Couldn't create LDAP connection: " + e.getMessage() + " - parameters: " + properties, e);
 			throw new RuntimeException("Couldn't create LDAP connection: " + e.getMessage());
 		}
 	}
 
 	protected DirContext createPeopleContext() {
 		Properties properties = (Properties)getProperties();
 		try {
 			log.info("Trying to create LDAP connection with properties: " + properties);
 			return (DirContext)new InitialLdapContext(properties, null);
 		} catch (NamingException e) {
 			log.warn("Couldn't create LDAP connection: " + e.getMessage() + " - parameters: " + getProperties(), e);
 			throw new RuntimeException("Couldn't create LDAP connection: " + e.getMessage());
 		}
 	}
 
 	@Transient
 	protected Properties getProperties() {
 		Properties properties = new Properties();
 		properties.setProperty("java.naming.provider.url", jndiLdapUrl+(groupContext!=null?"/"+groupContext:""));
 		properties.setProperty("java.naming.factory.initial","com.sun.jndi.ldap.LdapCtxFactory");
 		properties.setProperty(Context.SECURITY_PROTOCOL, "none");
 		System.out.println(properties);
 		return properties;
 	}
 
 	protected boolean isGroupContextValid(DirContext context) {
 		try {
 			context.search(groupObject, "(" + groupCnField + "=*)", null);
 			return true;
 		} catch (Exception e) {
 			log.trace("Removing stale LDAP connection from pool " + context, e);
 			gumsAdminLog.warn("LDAP connection test failed, discarding connection from pool: " + e.getMessage());
 			return false;
 		}
 	}
 
 	protected boolean isPeopleContextValid(DirContext context) {
 		try {
 			context.search(peopleObject, "(" + gidNumberField + "=*)", null);
 			return true;
 		} catch (Exception e) {
 			log.trace("Removing stale LDAP connection from pool " + context, e);
 			gumsAdminLog.warn("LDAP connection test failed, discarding connection from pool: " + e.getMessage());
 			return false;
 		}
 	}
 
 	/** Returns the LDAP DirContext to the pool, so that it can be reused.
 	 * 
 	 * @param context the LDAP context to be returned
 	 */
 	protected void releaseContext(DirContext context) {
 		if (skipReleaseContext) {
 			skipReleaseContext = false;
 			return;
 		}
 		contexts.add(0, context);
 		log.trace("LDAP connection returned to pool " + context);
 	}
 
 	protected DirContext retrievePeopleContext() {
 		DirContext context;
 		while (contexts.size() != 0) {
 			context = (DirContext) contexts.remove(0);
 			if (isPeopleContextValid(context)) {
 				log.trace("Using LDAP connection from pool " + context);
 				return context;
 			}
 		}
 		context = createPeopleContext();
 		log.trace("New LDAP connection created " + context);
 		return context;		
 	}
 }