#!/usr/bin/python2.5

#

# Copyright 2008 the Melange authors.

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#   http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

"""Access control helper.

The functions in this module can be used to check access control

related requirements. When the specified required conditions are not

met, an exception is raised. This exception contains a views that

either prompts for authentication, or informs the user that they

do not meet the required criteria.

"""

__authors__ = [

  '"Madhusudan.C.S" <madhusudancs@gmail.com>',

  '"Todd Larsen" <tlarsen@google.com>',

  '"Sverre Rabbelier" <sverre@rabbelier.nl>',

  '"Lennard de Rijk" <ljvderijk@gmail.com>',

  '"Pawel Solyga" <pawel.solyga@gmail.com>',

  ]

from django.utils.translation import ugettext

from soc.logic import dicts

from soc.logic.helper import timeline as timeline_helper

from soc.logic.models.club_admin import logic as club_admin_logic

from soc.logic.models.club_member import logic as club_member_logic

from soc.logic.models.document import logic as document_logic

from soc.logic.models.host import logic as host_logic

from soc.logic.models.mentor import logic as mentor_logic

from soc.logic.models.org_admin import logic as org_admin_logic

from soc.logic.models.organization import logic as org_logic

from soc.logic.models.program import logic as program_logic

from soc.logic.models.request import logic as request_logic

from soc.logic.models.role import logic as role_logic

from soc.logic.models.site import logic as site_logic

from soc.logic.models.sponsor import logic as sponsor_logic

from soc.logic.models.student import logic as student_logic

from soc.logic.models.student_project import logic as student_project_logic

from soc.logic.models.student_proposal import logic as student_proposal_logic

from soc.logic.models.timeline import logic as timeline_logic

from soc.logic.models.user import logic as user_logic

from soc.modules import callback

from soc.views.helper import redirects

from soc.views import out_of_band

from soc.modules.ghop.logic.models.mentor import logic as ghop_mentor_logic

from soc.modules.ghop.logic.models.organization import logic as ghop_org_logic

from soc.modules.ghop.logic.models.org_admin import logic as \

    ghop_org_admin_logic

from soc.modules.ghop.logic.models.program import logic as ghop_program_logic

from soc.modules.ghop.logic.models.student import logic as ghop_student_logic

DEF_NO_USER_LOGIN_MSG = ugettext(

    'Please create <a href="/user/create_profile">User Profile</a>'

    ' in order to view this page.')

DEF_AGREE_TO_TOS_MSG_FMT = ugettext(

    'You must agree to the <a href="%(tos_link)s">site-wide Terms of'

    ' Service</a> in your <a href="/user/edit_profile">User Profile</a>'

    ' in order to view this page.')

DEF_DEV_LOGOUT_LOGIN_MSG_FMT = ugettext(

    'Please <a href="%%(sign_out)s">sign out</a>'

    ' and <a href="%%(sign_in)s">sign in</a>'

    ' again as %(role)s to view this page.')

DEF_NEED_MEMBERSHIP_MSG_FMT = ugettext(

    'You need to be in the %(status)s group to %(action)s'

    ' documents in the %(prefix)s prefix.')

DEF_NEED_ROLE_MSG = ugettext(

    'You do not have the required role.')

DEF_NOT_YOUR_ENTITY_MSG = ugettext(

    'This entity does not belong to you.')

DEF_NO_ACTIVE_ENTITY_MSG = ugettext(

    'There is no such active entity.')

DEF_NO_ACTIVE_GROUP_MSG = ugettext(

    'There is no such active group.')

DEF_NO_ACTIVE_ROLE_MSG = ugettext(

    'There is no such active role.')

DEF_ALREADY_PARTICIPATING_MSG = ugettext(

    'You cannot become a Student because you are already participating '

    'in this program.')

DEF_ALREADY_STUDENT_ROLE_MSG = ugettext(

    'You cannot become a Mentor or Organization Admin because you already are '

    'a Student in this program.')

DEF_NO_ACTIVE_PROGRAM_MSG = ugettext(

    'There is no such active program.')

DEF_NO_REQUEST_MSG = ugettext(

    'There is no accepted request that would allow you to visit this page. '

    'Perhaps you already accepted this request?')

DEF_NO_APPLICATION_MSG = ugettext(

    'There is no application that would allow you to visit this page.')

DEF_NEED_PICK_ARGS_MSG = ugettext(

    'The "continue" and "field" args are not both present.')

DEF_REVIEW_COMPLETED_MSG = ugettext('This Application can not be reviewed '

    'anymore (it has been completed or rejected).')

DEF_REQUEST_COMPLETED_MSG = ugettext(

    'This request cannot be accepted (it is either completed or denied).')

DEF_REQUEST_NOT_ACCEPTED_MSG = ugettext(

    'This request has not been accepted by the group (it can also be completed already).')

DEF_SCOPE_INACTIVE_MSG = ugettext(

    'The scope for this request is not active.')

DEF_SIGN_UP_AS_STUDENT_MSG = ugettext(

    'You need to sign up as a Student first.')

DEF_MAX_PROPOSALS_REACHED = ugettext(

    'You have reached the maximum number of Proposals allowed '

    'for this program.')

DEF_NO_LIST_ACCESS_MSG = ugettext('You do not have the required rights to '

    'list documents for this scope and prefix.')

DEF_PAGE_DENIED_MSG = ugettext(

    'Access to this page has been restricted.')

DEF_PREFIX_NOT_IN_ARGS_MSG = ugettext(

    'A required GET url argument ("prefix") was not specified.')

DEF_PAGE_INACTIVE_MSG = ugettext(

    'This page is inactive at this time.')

DEF_LOGOUT_MSG_FMT = ugettext(

    'Please <a href="%(sign_out)s">sign out</a> in order to view this page.')

DEF_GROUP_NOT_FOUND_MSG = ugettext(

    'The requested Group can not be found.')

DEF_NOT_ALLOWED_PROJECT_FOR_SURVEY_MSG = ugettext(

    'You are not allowed to take this Survey for the specified Student'

    ' Project.')

DEF_NO_VALID_RECORD_ID = ugettext('No valid numeric record ID given.')

DEF_NOT_YOUR_RECORD = ugettext(

    'This is not your Survey Record. If you feel you should have access to '

    'this page please notify the administrators.')

DEF_USER_ACCOUNT_INVALID_MSG_FMT = ugettext(

    'The <b><i>%(email)s</i></b> account cannot be used with this site, for'

    ' one or more of the following reasons:'

    '<ul>'

    ' <li>the account is invalid</li>'

    ' <li>the account is already attached to a User profile and cannot be'

    ' used to create another one</li>'

    ' <li>the account is a former account that cannot be used again</li>'

    '</ul>')

class Error(Exception):

  """Base class for all exceptions raised by this module.

  """

  pass

class InvalidArgumentError(Error):

  """Raised when an invalid argument is passed to a method.

  For example, if an argument is None, but must always be non-False.

  """

  pass

def allowSidebar(fun):

  """Decorator that allows access if the sidebar is calling.

  """

  from functools import wraps

  @wraps(fun)

  def wrapper(self, django_args, *args, **kwargs):

    """Decorator wrapper method.

    """

    if django_args.get('SIDEBAR_CALLING'):

      return

    return fun(self, django_args, *args, **kwargs)

  return wrapper

def denySidebar(fun):

  """Decorator that denies access if the sidebar is calling.

  """

  from functools import wraps

  @wraps(fun)

  def wrapper(self, django_args, *args, **kwargs):

    """Decorator wrapper method.

    """

    if django_args.get('SIDEBAR_CALLING'):

      raise out_of_band.Error("Sidebar Calling")

    return fun(self, django_args, *args, **kwargs)

  return wrapper

def allowIfCheckPasses(checker_name):

  """Returns a decorator that allows access if the specified checker passes.

  """

  from functools import wraps

  def decorator(fun):

    """Decorator that allows access if the current user is a Developer.

    """

    @wraps(fun)

    def wrapper(self, django_args=None, *args, **kwargs):

      """Decorator wrapper method.

      """

      try:

        # if the check passes we allow access regardless

        return self.doCheck(checker_name, django_args, [])

      except out_of_band.Error:

        # otherwise we run the original check

        return fun(self, django_args, *args, **kwargs)

    return wrapper

  return decorator

# pylint: disable-msg=C0103

allowDeveloper = allowIfCheckPasses('checkIsDeveloper') 

class Checker(object):

  """

  The __setitem__() and __getitem__() methods are overloaded to DTRT

  when adding new access rights, and retrieving them, so use these

  rather then modifying rights directly if so desired.

  """

  MEMBERSHIP = {

    'anyone': 'allow',

    'club_admin': ('checkHasActiveRoleForScope', club_admin_logic),

    'club_member': ('checkHasActiveRoleForScope', club_member_logic),

    'host': ('checkHasDocumentAccess', [host_logic, 'sponsor']),

    'org_admin': ('checkHasDocumentAccess', [org_admin_logic, 'org']),

    'org_mentor': ('checkHasDocumentAccess', [mentor_logic, 'org']),

    'org_student': ('checkHasDocumentAccess', [student_logic, 'org']),

    'ghop_org_admin': ('checkHasDocumentAccess', [ghop_org_admin_logic, 'org']),

    'ghop_org_mentor': ('checkHasDocumentAccess', [ghop_mentor_logic, 'org']),

    'ghop_org_student': ('checkHasDocumentAccess', [ghop_student_logic, 'org']),

    'user': 'checkIsUser',

    'user_self': ('checkIsUserSelf', 'scope_path'),

    }

  #: the depths of various scopes to other scopes

  # the 0 entries are not used, and are for clarity purposes only

  SCOPE_DEPTH = {

      'site': None,

      'sponsor': (sponsor_logic, {'sponsor': 0}),

      'program': (program_logic, {'sponsor': 1, 'program': 0}),

      'ghop_program': (

          ghop_program_logic, {'sponsor': 1, 'ghop_program': 0}),

      'org': (org_logic, {'sponsor': 2, 'program': 1, 'org': 0}),

      'ghop_org': (

          ghop_org_logic, {'sponsor': 2, 'ghop_program': 1, 'ghop_org': 0}),

      }

  def __init__(self, params):

    """Adopts base.rights as rights if base is set.

    """

    base = params.get('rights') if params else None

    self.rights = base.rights if base else {}

    self.id = None

    self.user = None

  def normalizeChecker(self, checker):

    """Normalizes the checker to a pre-defined format.

    The result is guaranteed to be a list of 2-tuples, the first element is a

    checker (iff there is an checker with the specified name), the second

    element is a list of arguments that should be passed to the checker when

    calling it in addition to the standard django_args.

    """

    # Be nice an repack so that it is always a list with tuples

    if isinstance(checker, tuple):

      name, arg = checker

      return (name, (arg if isinstance(arg, list) else [arg]))

    else:

      return (checker, [])

  def __setitem__(self, key, value):

    """Sets a value only if no old value exists.

    """

    oldvalue = self.rights.get(key)

    self.rights[key] = oldvalue if oldvalue else value

  def __getitem__(self, key):

    """Retrieves and normalizes the right checkers.

    """

    return [self.normalizeChecker(i) for i in self.rights.get(key, [])]

  def key(self, checker_name):

    """Returns the key for the specified checker for the current user.

    """

    return "checker.%s.%s" % (self.id, checker_name)

  def put(self, checker_name, value):

    """Puts the result for the specified checker in the cache.

    """

    cache_key = self.key(checker_name)

    callback.getCore().setRequestValue(cache_key, value)

  def get(self, checker_name):

    """Retrieves the result for the specified checker from cache.

    """

    cache_key = self.key(checker_name)

    return callback.getCore().getRequestValue(cache_key)

  def doCheck(self, checker_name, django_args, args):

    """Runs the specified checker with the specified arguments.

    """

    checker = getattr(self, checker_name)

    checker(django_args, *args)

  def doCachedCheck(self, checker_name, django_args, args):

    """Retrieves from cache or runs the specified checker.

    """

    cached = self.get(checker_name)

    if cached is None:

      try:

        self.doCheck(checker_name, django_args, args)

        self.put(checker_name, True)

        return

      except out_of_band.Error, exception:

        self.put(checker_name, exception)

        raise

    if cached is True:

      return

    # re-raise the cached exception

    raise cached

  def check(self, use_cache, checker_name, django_args, args):

    """Runs the checker, optionally using the cache.

    """

    if use_cache:

      self.doCachedCheck(checker_name, django_args, args)

    else:

      self.doCheck(checker_name, django_args, args)

  def setCurrentUser(self, id, user):

    """Sets up everything for the current user.

    """

    self.id = id

    self.user = user

  def checkAccess(self, access_type, django_args):

    """Runs all the defined checks for the specified type.

    Args:

      access_type: the type of request (such as 'list' or 'edit')

      rights: a dictionary containing access check functions

      django_args: a dictionary with django's arguments

    Rights usage:

      The rights dictionary is used to check if the current user is allowed

      to view the page specified. The functions defined in this dictionary

      are always called with the provided django_args dictionary as argument. On any

      request, regardless of what type, the functions in the 'any_access' value

      are called. If the specified type is not in the rights dictionary, all

      the functions in the 'unspecified' value are called. When the specified

      type _is_ in the rights dictionary, all the functions in that access_type's

      value are called.

    """

    use_cache = django_args.get('SIDEBAR_CALLING')

    # Call each access checker

    for checker_name, args in self['any_access']:

      self.check(use_cache, checker_name, django_args, args)

    if access_type not in self.rights:

      # No checks defined, so do the 'generic' checks and bail out

      for checker_name, args in self['unspecified']:

        self.check(use_cache, checker_name, django_args, args)

      return

    for checker_name, args in self[access_type]:

      self.check(use_cache, checker_name, django_args, args)

  def hasMembership(self, roles, django_args):

    """Checks whether the user has access to any of the specified roles.

    Makes use of self.MEMBERSHIP, which defines checkers specific to

    document access, as such this method should only be used when checking

    document access.

    Args:

      roles: a list of roles to check

      django_args: the django args that should be passed to doCheck

    """

    try:

      # we need to check manually, as we must return True!

      self.checkIsDeveloper(django_args)

      return True

    except out_of_band.Error:

      pass

    for role in roles:

      try:

        checker_name, args = self.normalizeChecker(self.MEMBERSHIP[role])

        self.doCheck(checker_name, django_args, args)

        # the check passed, we can stop now

        return True

      except out_of_band.Error:

        continue

    return False

  @allowDeveloper

  def checkMembership(self, action, prefix, status, django_args):

    """Checks whether the user has access to the specified status.

    Args:

      action: the action that was performed (e.g., 'read')

      prefix: the prefix, determines what access set is used

      status: the access status (e.g., 'public')

      django_args: the django args to pass on to the checkers

    """

    checker = callback.getCore().getRightsChecker(prefix)

    roles = checker.getMembership(status)

    message_fmt = DEF_NEED_MEMBERSHIP_MSG_FMT % {

        'action': action,

        'prefix': prefix,

        'status': status,

        }

    # try to see if they belong to any of the roles, if not, raise an

    # access violation for the specified action, prefix and status.

    if not self.hasMembership(roles, django_args):

      raise out_of_band.AccessViolation(message_fmt)

  def checkHasAny(self, django_args, checks):

    """Checks if any of the checks passes.

    If none of the specified checks passes, the exception that the first of the

    checks raised is reraised.

    """