/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions Copyright [year] [name of copyright owner]".
 *
 * Copyright 2008-2010 Sun Microsystems, Inc.
 * Portions Copyright 2011-2016 ForgeRock AS.
 */
package org.opends.server.authorization.dseecompat;

import org.forgerock.opendj.ldap.DN;
import org.opends.server.types.Entry;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.opends.server.api.Group;

import java.net.InetAddress;
import java.util.List;

/**
 * Interface that provides a view of the AciContainer that is
 * used by the ACI evaluation code to evaluate an ACI.
 */
public interface AciEvalContext
{
    /**
     * Get client DN. The client DN is the authorization DN.
     * @return   The client DN.
     */
    DN getClientDN();

    /**
     * Get the client entry. The client entry is the entry that corresponds
     * to the client DN.
     * @return The client entry corresponding to the client DN.
     */
    Entry getClientEntry();

    /**
     * Get the resource DN. The resource DN is the DN of the entry being
     * evaluated.
     * @return   The resource DN.
     */
    DN getResourceDN();

    /**
     * Get the list of deny ACIs.
     * @return The deny ACI list.
     */
    List<Aci> getDenyList();

    /**
     * Get the list allow ACIs.
     * @return The allow ACI list.
     */
    List<Aci> getAllowList();

    /**
     * Returns true if the deny list is being evaluated.
     * @return True if the deny list is being evaluated.
     */
    boolean isDenyEval();

    /**
     * Check if the remote client is bound anonymously.
     * @return {@code true} if client is bound anonymously.
     */
    boolean isAnonymousUser();

    /**
     * Return the rights set for this container's LDAP operation.
     * @return  The rights set for the container's LDAP operation.
     */
    int getRights();

    /**
     * Return the entry being evaluated
     * .
     * @return The evaluation entry.
     */
    Entry getResourceEntry();

    /**
     * Get the hostname of the bound connection.
     * @return The hostname of the connection.
     */
    String getHostName();

    /**
     * Determine whether the client connection has been authenticated using
     * a specified authentication method.  This method is used for the
     * authmethod bind rule keyword.
     *
     * @param authMethod The required authentication method.
     * @param saslMech The required SASL mechanism if the authentication method
     * is SASL.
     *
     * @return An evaluation result indicating whether the client connection
     * has been authenticated using the required authentication method.
     */
    EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                                  String saslMech);

    /**
     * Get the  address of the bound connection.
     * @return The address of the bound connection.
     */
    InetAddress getRemoteAddress();

    /**
     * Return true if this is an add operation needed by the userattr
     * USERDN parent inheritance level 0 processing.
     *
     * @return {@code true} if this is an add operation.
     */
    boolean isAddOperation();

    /**
     * Return true if the operation associated with this evaluation
     * context is a member of the specified group. Calls the
     * ClientConnection.isMemberOf() method, which checks authorization
     * DN membership in the specified group.
     * @param group The group to check membership in.
     * @return {@code true} if the authorization DN of the operation is a
     * member of the specified group.
     */
    boolean isMemberOf(Group<?> group);

  /**
   * Returns true if the hashtable of ACIs that matched the targattrfilters
   * keyword evaluation is empty.  Used in a geteffectiverights control
   * evaluation to determine the access value to put in the "write" rights
   * evaluation field.
   *
   * @return {@code true} if there were not any ACIs that matched
   *         targattrfilters keyword evaluation.
   */
    boolean isTargAttrFilterMatchAciEmpty();

  /**
   * The context maintains a hashtable of ACIs that matched the targattrfilters
   * keyword evaluation.  The hasTargAttrFiltersMatchAci method returns true if
   * the specified ACI is contained in that hashtable. Used in a
   * geteffectiverights control evaluation to determine the access value to put
   * in the "write" rights evaluation field.
   *
   * @param aci The ACI that to evaluate if it contains a match during
   *            targattrfilters keyword evaluation.
   *
   * @return {@code true} if a specified ACI matched targattrfilters evaluation.
   */
    boolean hasTargAttrFiltersMatchAci(Aci aci);

  /**
   * Return true if an ACI that evaluated to deny or allow has an
   * targattrfilters keyword. Used by geteffectiverights control
   * evaluation to determine the access value to put in the "write" rights
   * evaluation field.
   *
   * @param flag  The integer value specifying either a deny or allow, but not
   * both.
   *
   * @return  {@code true} if the ACI has an targattrfilters keyword.
   */
    boolean hasTargAttrFiltersMatchOp(int flag);

  /**
   * Returns {@code true} if the evaluation context is being used in a
   * geteffectiverights control evaluation.
   *
   * @return  {@code true} if the evaluation context is being used in a
   * geteffectiverights control evaluation.
   */
    boolean isGetEffectiveRightsEval();

  /**
   * Set the name of the ACI that last matched a targattrfilters rule. Used
   * in geteffectiverights control targattrfilters "write" evaluation.
   *
   * @param name The ACI name string matching the targattrfilters rule.
   */
    void setTargAttrFiltersAciName(String name);

  /**
   * Set a flag that specifies that a ACI that evaluated to either deny or
   * allow contains a targattrfilters keyword. Used by geteffectiverights
   * control evaluation to determine the access value to put in the "write"
   * rights evaluation field.
   *
   * @param flag Either the integer value representing an allow or a deny,
   *             but not both.
   */
    void setTargAttrFiltersMatchOp(int flag);

  /**
   * Set the reason and the ACI that decided why the last access evaluation was
   * evaluated the way it was. Used by geteffectiverights control evaluation to
   * eventually build the summary string.
   *
   * @param reason
   *          The enumeration representing the reason of the last access
   *          evaluation.
   * @param decidingAci
   *          The ACI that decided the last access evaluation.
   */
  void setEvaluationResult(EnumEvalReason reason, Aci decidingAci);

  /**
   * Return the reason the last access evaluation was evaluated the way it
   * was. Used by geteffectiverights control evaluation to build the summary
   * string.
   *
   * @return The enumeration representing the reason of the last access
   * evaluation.
   */
    EnumEvalReason getEvalReason();

  /**
   * Check if an evaluation context contains a set of access rights.
   *
   * @param rights The rights mask to check.
   *
   * @return {@code true} if the evaluation context contains a access right set.
   */
    boolean hasRights(int rights);

  /**
   * Return the name of the ACI that decided the last access evaluation. Used
   * by geteffectiverights control evaluation to build the summary string.
   *
   * @return The name of the ACI that decided the last access evaluation.
   */
    String getDecidingAciName();

  /**
   * Return true if a evaluation context is being used in proxied authorization
   * control evaluation.
   *
   * @return  {@code true} if evaluation context is being used in proxied
   *          authorization control evaluation.
   */
    boolean isProxiedAuthorization();

    /**
     * Get the current attribute type being evaluated.
     *
     * @return  The attribute type currently being evaluated.
     */
    AttributeType getCurrentAttributeType();

  /**
   * Set the value of the summary string to the specified string.
   * Used in get effective rights evaluation to build summary string.
   *
   * @param summary The string to set the summary string to
   */
    void setEvalSummary(String summary);

  /**
   * Return the access evaluation summary string. Used in a geteffectiverights
   * control evaluation when an aclRightsInfo attribute was specified in a
   * search request.
   *
   * @return   The string describing the access evaluation.
   */
    String getEvalSummary();

  /**
   * Return a string representation of the current right being evaluated.
   * Used in geteffectiverights control evaluation to build summary string.
   *
   * @return  String representation of the current right being evaluated.
   */
    String rightToString();

    /**
     * Return the name of the ACI that last matched a targattrfilters rule. Used
     * in geteffectiverights control evaluation.
     *
     * @return The name of the ACI that last matched a targattrfilters rule.
     */
    String getTargAttrFiltersAciName();


    /**
     * Return the current SSF (Security Strength Factor) of the underlying
     * connection.
     *
     * @return The current SSF of the connection.
     */
    int getCurrentSSF();
}