<?php
/* $Id$ */
namespace MCMS\Plugin;

(defined('MCMS') && (basename(__FILE__) != basename($_SERVER['PHP_SELF']))) or die('ACCESS DENIED');

use Mammut\StrictObject;
use Mammut\DB\Sql\Elements\Condition;
use Mammut\DB\Sql\Expression\Parameter;
use Mammut\DB\Sql\Expression\SQLFunction;

use MCMS\System;
use MCMS\User\AuthEvent;
use MCMS\User\iAuthListener;
use MCMS\User\iUser;
use MCMS\User\iGroup;
use MCMS\User\iRole;

/**
 * Base for authentication plugins.
 * Some common methods are provided.
 *
 * @author Stefan Daurer <s.daurer@q-spot.org>
 * @package MCMS\System\Plugin
 */
abstract class PlugInAuthBase extends StrictObject implements iPlugInAuth {
	private $listener = array();
	
	protected $DEF_USER_CLASS;
	protected $DEF_GROUP_CLASS;

	public function getUserAttrKeys($type = 0) {
		return [
			'cname' => 'ro' // readonly common name/visible name/...
		];
	}
	
	public function getGroupAttrKeys($type = 0) {
		return [
		];
	}
	
	// #### Default implementations which uses the acl table with the nummeric user id #####
	
	public function userGrantPriv(iUser $usr, $siteId, $instance, $key, $value = null) {
		$system = System::getInstance();
		$db = $system->getDB();
		$id = (int) $usr->getId();
		
		$db->table('acls')->insert([
				'site_id' => $siteId,
				'account_id' => $id,
				'group_id' => null,
				'role_id' => null,
				'instance' => $instance,
				'key' => $key,
				'value' => is_null($value) ? 0 : (int) $value
		]);
	}
	
	public function userHasPriv(iUser $usr, $siteId = null, $instance = false, $key = false, $strict = false) {
		$system = System::getInstance();
		$db = $system->getDB();
		
		// anonymous user cannot have privileges
		if(empty($usr))
			return false;
		// sysadmins are always privileged if no strict checking is required
		if($usr->isMasterAdmin() && !$strict)
			return true;
		// TODO: validate this
		if (is_null($siteId))
			return false;
		
		$id = (int) $usr->getId();
		if(!$strict) {
			$select = $db->select();
			$select->columns([
					'c' => SQLFunction::count([['groupmembers','account_id']])
			]);
			$select->from('groups');
			$select->join('groupmembers', Condition::newAndSet()->equalToIdent(['groups','id'],['groupmembers','group_id']));
			$select->where(Condition::newAndSet()
					->equalTo(['groups','masteradmin'], 1)
					->equalTo(['groupmembers','account_id'], new Parameter())
			);
				
			// check if the number of master admin groups is bigger than none
			if($db->getObjectP($select, [$id])->c > 0)
				return true;
	
			// get all groups which contains the user and have the privileges
			// $condition = $f_site_id . '=' . $db->escapeValue($siteId) . ' AND ' . $f_instance . (empty($instance) ? ' IS NULL' : '=' . $db->escapeValue($instance)) . ' AND ' . $f_key . (empty($instance) ? ' IS NULL' : '=' . $db->escapeValue($key));
				
			$select = $db->select()->distinct()->from('acls')
			->columns([
					'account_id',
					'group_id',
					'role_id',
					'site_id',
					'instance',
					'key',
					'value',
			])->where(
					Condition::newAndSet()
					->equalTo('account_id', $id)
					->equalTo('site_id', $siteId)
					->nest(Condition::OP_OR)->isNull('group_id')->equalTo('group_id', 0)->unnest()
					->nest(Condition::OP_OR)->isNull('role_id')->equalTo('role_id', 0)->unnest()
					->equalTo('instance', $instance)
			);
	
			$select2 = $db->select()->distinct()->columns([
					['groupmembers','account_id'],
					['groupmembers','group_id'],
					'role_id' => null,
					['acls','site_id'],
					['acls','instance'],
					['acls','key'],
					['acls','value'],
			])->from('acls')
			->join('groupmembers', Condition::newAndSet()->equalToIdent(['acls','group_id'], ['groupmembers','group_id']))
			->where(
					Condition::newAndSet()
					->equalTo(['groupmembers','account_id'], $id)
					->equalTo(['acls','site_id'], $siteId)
					->equalTo(['acls','instance'], $instance)
			)->combine($select);
				
			$privs = $db->getObjectList($select2);
				
			foreach($privs as $p) {
				if($p->site_id == $siteId && $p->instance == $instance && $p->key == $key) // check to be sure
					return true;
			}
		}
		else {
			$select = $db->select()->distinct()->from('acls')->where(
					Condition::newAndSet()
					->equalTo('account_id', $id)
					->equalTo('site_id', $siteId)
					->nest(Condition::OP_OR)->isNull('group_id')->equalTo('group_id', 0)->unnest()
			);
			$privs = $db->getObjectListP($select, []);
			foreach($privs as $p) {
				if($p->instance == $instance && $p->key == $key) // check to be sure
					return true;
			}
		}
		return false; // nothing found, not privileged
	}
	
	public function userClearPriv(iUser $usr, $siteId = null) {
		$system = System::getInstance();
		$db = $system->getDB();
		$id = (int) $usr->getId();
		
		if(empty($siteId))
			$db->table('acls')->delete([
					'account_id' => $id,
					'group_id' => null,
					'role_id' => null,
			]);
		else
			$db->table('acls')->delete([
					'account_id' => $id,
					'group_id' => null,
					'role_id' => null,
					'site_id' => $siteId
			]);
	}

	public function groupGrantPriv(iGroup $grp, $siteId, $instance, $key, $value = null) {
		$system = System::getInstance();
		$db = $system->getDB();
		$id = (int) $grp->getId();
		
		$db->table('acls')->insert([
				'site_id' => $siteId,
				'account_id' => null,
				'group_id' => $id,
				'role_id' => null,
				'instance' => $instance,
				'key' => $key,
				'value' => is_null($value) ? 0 : (int) $value
		]);
	}
	
	public function groupHasPriv(iGroup $grp, $siteId = null, $instance = false, $key = false, $strict = false) {
		$system = System::getInstance();
		$db = $system->getDB();
		$id = (int) $grp->getId();
	
		$select = $db->select()->distinct()->from('acls')->where([
				'account_id' => null,
				'group_id' => $id,
				'role_id' => null
		]);
	
		$privs = $db->getObjectList($select);
		foreach($privs as $p) {
			if($p->site_id == $siteId && $p->instance == $instance && $p->key == $key) // check to be sure
				return true;
		}
	
		return false; // nothing found, not privileged
	}
	
	public function groupClearPriv(iGroup $grp, $siteId = -1) {
		$system = System::getInstance();
		$db = $system->getDB();
		$id = (int) $grp->getId();
		
		if($siteId <= 0)
			$db->table('acls')->delete([
					'account_id' => null,
					'group_id' => $id,
					'role_id' => null,
					'site_id' => null
			]);
		else
			$db->table('acls')->delete([
					'account_id' => null,
					'group_id' => $id,
					'role_id' => null,
					'site_id' => $siteId
			]);
	}

	public function roleGrantPriv(iRole $role, $siteId, $instance, $key, $value = null) {
		$system = System::getInstance();
		$db = $system->getDB();
		$id = (int) $grp->getId();
		
		$db->table('acls')->insert([
				'site_id' => $siteId,
				'account_id' => null,
				'group_id' => null,
				'role_id' => $id,
				'instance' => $instance,
				'key' => $key,
				'value' => is_null($value) ? 0 : (int) $value
		]);
	}
	
	public function roleHasPriv(iRole $role, $siteId = null, $instance = false, $key = false, $strict = false) {
		$system = System::getInstance();
		$db = $system->getDB();	
		$id = (int) $grp->getId();
	
		$select = $db->select()->distinct()->from('acls')->where([
				'account_id' => null,
				'group_id' => null,
				'role_id' => $id
		]);
	
		$privs = $db->getObjectList($select);
		foreach($privs as $p) {
			if($p->site_id == $siteId && $p->instance == $instance && $p->key == $key) // check to be sure
				return true;
		}
	
		return false; // nothing found, not privileged
	}
	
	public function roleClearPriv(iRole $role, $siteId = -1) {
		$system = System::getInstance();
		$db = $system->getDB();
		$id = (int) $role->getId();
		
		if($siteId <= 0)
			$db->table('acls')->delete([
					'account_id' => null,
					'group_id' => null,
					'role_id' => $id,
					'site_id' => null
			]);
			else
				$db->table('acls')->delete([
						'account_id' => null,
						'group_id' => null,
						'role_id' => $id,
						'site_id' => $siteId
				]);
	}	
	// ###### END OF ACL DEFAULT IMPLEMENTATION ######
	
	public function setUserPasswd($newPasswd, $id = -1) {
		throw new \BadMethodCallException('unsupported operation', 901);
	}

	public function addAuthListener(iAuthListener $listener) {
		$this->listener[] = $listener;
	}

	public function removeAuthListener(iAuthListener $listener) {
		foreach($this->listener as $id=>$l) {
			if($l === $listener)
				unset($this->listener[$id]);
		}
	}

	protected function fireAuthEvent(AuthEvent $event) {
		foreach($this->listener as $id=>$l) {
			$l->handleAuthEvent($event);
		}
	}

	public function getAuthListener() {
		return $this->listener;
	}

	public function clearAuthListener() {
		$this->listener = array();
	}
}