/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.hadoop.hbase.security.access;

import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;

import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.KeyValue;
import org.apache.hadoop.hbase.TableName;
import org.apache.yetus.audience.InterfaceAudience;
import org.apache.hadoop.hbase.util.Bytes;

/**
 * Represents an authorization for access for the given actions, optionally
 * restricted to the given column family or column qualifier, over the
 * given table.  If the family property is <code>null</code>, it implies
 * full table access.
 */
@InterfaceAudience.Private
public class TablePermission extends Permission {

  private TableName table;
  private byte[] family;
  private byte[] qualifier;

  //TODO refactor this class
  //we need to refacting this into three classes (Global, Table, Namespace)
  private String namespace;

  /** Nullary constructor for Writable, do not use */
  public TablePermission() {
    super();
  }

  /**
   * Create a new permission for the given table and (optionally) column family,
   * allowing the given actions.
   * @param table the table
   * @param family the family, can be null if a global permission on the table
   * @param assigned the list of allowed actions
   */
  public TablePermission(TableName table, byte[] family, Action... assigned) {
    this(table, family, null, assigned);
  }

  /**
   * Creates a new permission for the given table, restricted to the given
   * column family and qualifier, allowing the assigned actions to be performed.
   * @param table the table
   * @param family the family, can be null if a global permission on the table
   * @param assigned the list of allowed actions
   */
  public TablePermission(TableName table, byte[] family, byte[] qualifier,
      Action... assigned) {
    super(assigned);
    this.table = table;
    this.family = family;
    this.qualifier = qualifier;
  }

  /**
   * Creates a new permission for the given table, family and column qualifier,
   * allowing the actions matching the provided byte codes to be performed.
   * @param table the table
   * @param family the family, can be null if a global permission on the table
   * @param actionCodes the list of allowed action codes
   */
  public TablePermission(TableName table, byte[] family, byte[] qualifier,
      byte[] actionCodes) {
    super(actionCodes);
    this.table = table;
    this.family = family;
    this.qualifier = qualifier;
  }

  /**
   * Creates a new permission for the given namespace or table, restricted to the given
   * column family and qualifier, allowing the assigned actions to be performed.
   * @param namespace
   * @param table the table
   * @param family the family, can be null if a global permission on the table
   * @param assigned the list of allowed actions
   */
  public TablePermission(String namespace, TableName table, byte[] family, byte[] qualifier,
      Action... assigned) {
    super(assigned);
    this.namespace = namespace;
    this.table = table;
    this.family = family;
    this.qualifier = qualifier;
  }

  /**
   * Creates a new permission for the given namespace or table, family and column qualifier,
   * allowing the actions matching the provided byte codes to be performed.
   * @param namespace
   * @param table the table
   * @param family the family, can be null if a global permission on the table
   * @param actionCodes the list of allowed action codes
   */
  public TablePermission(String namespace, TableName table, byte[] family, byte[] qualifier,
      byte[] actionCodes) {
    super(actionCodes);
    this.namespace = namespace;
    this.table = table;
    this.family = family;
    this.qualifier = qualifier;
  }

  /**
   * Creates a new permission for the given namespace,
   * allowing the actions matching the provided byte codes to be performed.
   * @param namespace
   * @param actionCodes the list of allowed action codes
   */
  public TablePermission(String namespace, byte[] actionCodes) {
    super(actionCodes);
    this.namespace = namespace;
  }

  /**
   * Create a new permission for the given namespace,
   * allowing the given actions.
   * @param namespace
   * @param assigned the list of allowed actions
   */
  public TablePermission(String namespace, Action... assigned) {
    super(assigned);
    this.namespace = namespace;
  }

  public boolean hasTable() {
    return table != null;
  }

  public TableName getTableName() {
    return table;
  }

  public void setTableName(TableName table) {
    this.table = table;
  }

  public boolean hasFamily() {
    return family != null;
  }

  public byte[] getFamily() {
    return family;
  }

  public boolean hasQualifier() {
    return qualifier != null;
  }

  public byte[] getQualifier() {
    return qualifier;
  }

  public boolean hasNamespace() {
    return namespace != null;
  }

  public String getNamespace() {
    return namespace;
  }

  /**
   * Checks that a given table operation is authorized by this permission
   * instance.
   *
   * @param namespace the namespace where the operation is being performed
   * @param action the action being requested
   * @return <code>true</code> if the action within the given scope is allowed
   *   by this permission, <code>false</code>
   */
  public boolean implies(String namespace, Action action) {
    if (this.namespace == null || !this.namespace.equals(namespace)) {
      return false;
    }

    // check actions
    return super.implies(action);
  }

  /**
   * Checks that a given table operation is authorized by this permission
   * instance.
   *
   * @param table the table where the operation is being performed
   * @param family the column family to which the operation is restricted,
   *   if <code>null</code> implies "all"
   * @param qualifier the column qualifier to which the action is restricted,
   *   if <code>null</code> implies "all"
   * @param action the action being requested
   * @return <code>true</code> if the action within the given scope is allowed
   *   by this permission, <code>false</code>
   */
  public boolean implies(TableName table, byte[] family, byte[] qualifier,
      Action action) {
    if (this.table == null || !this.table.equals(table)) {
      return false;
    }

    if (this.family != null &&
        (family == null ||
         !Bytes.equals(this.family, family))) {
      return false;
    }

    if (this.qualifier != null &&
        (qualifier == null ||
         !Bytes.equals(this.qualifier, qualifier))) {
      return false;
    }

    // check actions
    return super.implies(action);
  }

  /**
   * Checks if this permission grants access to perform the given action on
   * the given table and key value.
   * @param table the table on which the operation is being performed
   * @param kv the KeyValue on which the operation is being requested
   * @param action the action requested
   * @return <code>true</code> if the action is allowed over the given scope
   *   by this permission, otherwise <code>false</code>
   */
  public boolean implies(TableName table, KeyValue kv, Action action) {
    if (this.table == null || !this.table.equals(table)) {
      return false;
    }

    if (family != null && !(CellUtil.matchingFamily(kv, family))) {
      return false;
    }

    if (qualifier != null && !(CellUtil.matchingQualifier(kv, qualifier))) {
      return false;
    }

    // check actions
    return super.implies(action);
  }

  /**
   * Returns <code>true</code> if this permission matches the given column
   * family at least.  This only indicates a partial match against the table
   * and column family, however, and does not guarantee that implies() for the
   * column same family would return <code>true</code>.  In the case of a
   * column-qualifier specific permission, for example, implies() would still
   * return false.
   */
  public boolean matchesFamily(TableName table, byte[] family, Action action) {
    if (this.table == null || !this.table.equals(table)) {
      return false;
    }

    if (this.family != null &&
        (family == null ||
         !Bytes.equals(this.family, family))) {
      return false;
    }

    // ignore qualifier
    // check actions
    return super.implies(action);
  }

  /**
   * Returns if the given permission matches the given qualifier.
   * @param table the table name to match
   * @param family the column family to match
   * @param qualifier the qualifier name to match
   * @param action the action requested
   * @return <code>true</code> if the table, family and qualifier match,
   *   otherwise <code>false</code>
   */
  public boolean matchesFamilyQualifier(TableName table, byte[] family, byte[] qualifier,
                                Action action) {
    if (!matchesFamily(table, family, action)) {
      return false;
    } else {
      if (this.qualifier != null &&
          (qualifier == null ||
           !Bytes.equals(this.qualifier, qualifier))) {
        return false;
      }
    }
    return super.implies(action);
  }

  public boolean tableFieldsEqual(TablePermission other){
    if (!(((table == null && other.getTableName() == null) ||
           (table != null && table.equals(other.getTableName()))) &&
         ((family == null && other.getFamily() == null) ||
           Bytes.equals(family, other.getFamily())) &&
         ((qualifier == null && other.getQualifier() == null) ||
          Bytes.equals(qualifier, other.getQualifier())) &&
         ((namespace == null && other.getNamespace() == null) ||
          (namespace != null && namespace.equals(other.getNamespace())))
    )) {
      return false;
    }
    return true;
  }

  @Override
  @edu.umd.cs.findbugs.annotations.SuppressWarnings(value="NP_NULL_ON_SOME_PATH",
    justification="Passed on construction except on constructor not to be used")
  public boolean equals(Object obj) {
    if (!(obj instanceof TablePermission)) {
      return false;
    }
    TablePermission other = (TablePermission)obj;

    if(!this.tableFieldsEqual(other)){
      return false;
    }

    // check actions
    return super.equals(other);
  }

  @Override
  public int hashCode() {
    final int prime = 37;
    int result = super.hashCode();
    if (table != null) {
      result = prime * result + table.hashCode();
    }
    if (family != null) {
      result = prime * result + Bytes.hashCode(family);
    }
    if (qualifier != null) {
      result = prime * result + Bytes.hashCode(qualifier);
    }
    if (namespace != null) {
      result = prime * result + namespace.hashCode();
    }
    return result;
  }

  @Override
  public String toString() {
    StringBuilder str = new StringBuilder("[TablePermission: ");
    if(namespace != null) {
      str.append("namespace=").append(namespace)
         .append(", ");
    }
    if(table != null) {
       str.append("table=").append(table)
          .append(", family=")
          .append(family == null ? null : Bytes.toString(family))
          .append(", qualifier=")
          .append(qualifier == null ? null : Bytes.toString(qualifier))
          .append(", ");
    }
    if (actions != null) {
      str.append("actions=");
      for (int i=0; i<actions.length; i++) {
        if (i > 0)
          str.append(",");
        if (actions[i] != null)
          str.append(actions[i].toString());
        else
          str.append("NULL");
      }
    }
    str.append("]");

    return str.toString();
  }

  @Override
  public void readFields(DataInput in) throws IOException {
    super.readFields(in);
    byte[] tableBytes = Bytes.readByteArray(in);
    if(tableBytes.length > 0) {
      table = TableName.valueOf(tableBytes);
    }
    if (in.readBoolean()) {
      family = Bytes.readByteArray(in);
    }
    if (in.readBoolean()) {
      qualifier = Bytes.readByteArray(in);
    }
    if(in.readBoolean()) {
      namespace = Bytes.toString(Bytes.readByteArray(in));
    }
  }

  @Override
  public void write(DataOutput out) throws IOException {
    super.write(out);
    // Explicitly writing null to maintain se/deserialize backward compatibility.
    Bytes.writeByteArray(out, (table == null) ? null : table.getName());
    out.writeBoolean(family != null);
    if (family != null) {
      Bytes.writeByteArray(out, family);
    }
    out.writeBoolean(qualifier != null);
    if (qualifier != null) {
      Bytes.writeByteArray(out, qualifier);
    }
    out.writeBoolean(namespace != null);
    if(namespace != null) {
      Bytes.writeByteArray(out, Bytes.toBytes(namespace));
    }
  }
}