/*
 * Copyright @ 2013 CurisTEC, S.A.S. All Rights Reserved.
 */
package net.curisit.securis;

import java.io.IOException;
import java.security.Principal;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpSession;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/**
 * AuthFilter
 *

 * Simple authentication/role wrapper for development and lightweight scenarios.
 * If a request parameter {@code user} or a session attribute {@code user}
 * is present, this filter wraps the current request with a custom {@link Principal}
 * and an ad-hoc role. The request parameter takes precedence over the session
 * attribute. The role assignment is temporary and follows the rule: the user name
 * {@code advance} is given the role {@code advance}; every other user name is given
 * the role {@code normal}.
 *

* If no user is present, the request continues unmodified. * *

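/**
 * AuthFilter
 *
 * <p>Development-only identity shim. A user name is taken from the {@code user}
 * request parameter or, failing that, from the {@code user} session attribute. When
 * one is found the request is wrapped so that {@link HttpServletRequest#getUserPrincipal()}
 * and {@link HttpServletRequest#isUserInRole(String)} reflect that name and a single
 * ad-hoc role. Requests without a user pass through unmodified.
 *
 * <p>Security note: This filter trusts a user name coming from a request parameter,
 * which must not be used in production: any client can send {@code ?user=advance} and
 * obtain the elevated role, and the parameter overrides a session-bound user. Replace
 * with a proper authentication mechanism (e.g., JWT, container security, SSO) and derive
 * roles from authoritative claims.
 *
 * @author JRA
 * Last reviewed by JRA on Oct 6, 2025.
 */
@ApplicationScoped
@WebFilter(urlPatterns = "/*")
public class AuthFilter implements Filter {

    private static final Logger LOG = LogManager.getLogger(AuthFilter.class);

    /** Request-parameter and session-attribute name that carries the synthetic user. */
    private static final String USER_KEY = "user";

    /** The single user name that is granted the elevated role. */
    private static final String ADVANCE_USER = "advance";
    private static final String ROLE_ADVANCE = "advance";
    private static final String ROLE_NORMAL = "normal";

    // ---------------------------------------------------------------------
    // Lifecycle
    // ---------------------------------------------------------------------

    /**
     * Filter initialization hook. Reads no configuration; it only emits a warning so
     * that the presence of this development shim is visible in the logs of any
     * deployment it ends up in.
     *
     * @param fc filter configuration (unused)
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(FilterConfig fc) throws ServletException {
        LOG.warn("AuthFilter active: identity is taken from the '{}' request parameter "
                + "or session attribute. Development use only.", USER_KEY);
    }

    // ---------------------------------------------------------------------
    // Filtering
    // ---------------------------------------------------------------------

    /**
     * Resolves the synthetic user and, when one is present, continues the chain with a
     * request wrapper exposing a {@link Principal} and a single role; otherwise passes
     * the request through unmodified.
     *
     * @param sr  incoming request; must be an {@link HttpServletRequest}
     * @param sr1 outgoing response
     * @param fc  filter chain
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest sr, ServletResponse sr1, FilterChain fc)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) sr;
        String username = resolveUser(req);
        if (username == null) {
            fc.doFilter(req, sr1);
            return;
        }
        // Role management is temporal: exactly one hard-coded name gets the elevated role.
        String role = ADVANCE_USER.equals(username) ? ROLE_ADVANCE : ROLE_NORMAL;
        // The name is client-controlled; strip control characters so it cannot forge
        // extra log lines.
        LOG.info("Role for user: {} = {}", forLog(username), role);
        // Hand the *resolved* name to the wrapper. Passing only the request parameter
        // here left a session-sourced user with a role but no Principal.
        fc.doFilter(new UserRoleRequestWrapper(role, username, req), sr1);
    }

    /**
     * Looks up the synthetic user name: the {@code user} request parameter wins, then
     * the {@code user} session attribute.
     *
     * @param req the current request
     * @return the user name, or {@code null} when neither source yields a String
     */
    private static String resolveUser(HttpServletRequest req) {
        String fromParam = req.getParameter(USER_KEY);
        if (fromParam != null) {
            return fromParam;
        }
        // getSession(false): never create a session merely to look for an attribute,
        // otherwise every anonymous request would allocate server-side state.
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        Object attr = session.getAttribute(USER_KEY);
        // A non-String attribute is treated as "no user" instead of surfacing as a
        // ClassCastException from inside the filter chain.
        return attr instanceof String ? (String) attr : null;
    }

    /**
     * Replaces CR/LF and other control characters so that a crafted user name cannot
     * inject additional log records.
     *
     * @param value untrusted text destined for the log
     * @return the text with every control character replaced by {@code _}
     */
    private static String forLog(String value) {
        return value.replaceAll("\\p{Cntrl}", "_");
    }

    /** Filter destruction hook; nothing to release. */
    @Override
    public void destroy() {
    }

    // ---------------------------------------------------------------------
    // Wrapper
    // ---------------------------------------------------------------------

    /**
     * Request wrapper that answers role checks and the user principal from the
     * synthetic identity. When the synthetic role or user is absent, the corresponding
     * call is delegated to the wrapped request.
     */
    private static final class UserRoleRequestWrapper extends HttpServletRequestWrapper {

        private final String role;
        private final Principal principal;

        /**
         * @param role    single role to expose via {@link #isUserInRole(String)}; may be null
         * @param user    user name to expose via {@link #getUserPrincipal()}; may be null
         * @param request original request to wrap
         */
        UserRoleRequestWrapper(String role, String user, HttpServletRequest request) {
            super(request);
            this.role = role;
            // Principal has a single abstract method (getName), so a lambda suffices.
            this.principal = user == null ? null : () -> user;
        }

        /**
         * Returns {@code true} only when {@code role} equals the synthetic role. Note that
         * container-managed roles are NOT consulted once a synthetic role is set; they
         * are only used when no synthetic role was configured.
         */
        @Override
        public boolean isUserInRole(String role) {
            LOG.info("isUserRole METHOD: {}, {}", role, this.role);
            if (this.role == null) {
                return super.isUserInRole(role);
            }
            return this.role.equals(role);
        }

        /** Returns the synthetic {@link Principal}, or the wrapped request's when none is set. */
        @Override
        public Principal getUserPrincipal() {
            return principal != null ? principal : super.getUserPrincipal();
        }
    }
}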