package acl

import (
	"bytes"
	"log"
)

const (
	read   = "read"
	write  = "write"
	manage = "manage"
)

type ACL interface {
	// Read checks the permission to read the prefix.
	// Read permission can read the value of the prefix as a key or list the keys under prefix.
	Read(prefix []byte) bool
	// Write checks the permission to write the prefix.
	// Write permission can write a key under the given prefix (including the prefix as a key).
	Write(prefix []byte) bool
	// Manage checks the permission to grant /revoke permission for the prefix.
	Manage(prefix []byte) bool

	// Manage the ACL
	// Before call these functions, the caller must check the management permission on its own.
	// For example, A wants to grant B read permission for prefix "foo". A must check its own manage
	// permission before calling GrantRead("foo") on B.
	GrantRead(prefix []byte)
	GrantWrite(prefix []byte)
	GrantManage(prefix []byte)
	RevokeRead(prefix []byte)
	RevokeWrite(prefix []byte)
	RevokeManage(prefix []byte)
	Clear()
}

type acl struct {
	write  [][]byte
	read   [][]byte
	manage [][]byte

	parent ACL
}

func (a *acl) Read(prefix []byte) bool {
	if a.check(read, prefix) {
		return true
	}
	if a.parent != nil {
		return a.parent.Read(prefix)
	}
	return false
}

func (a *acl) Write(prefix []byte) bool {
	if a.check(write, prefix) {
		return true
	}
	if a.parent != nil {
		return a.parent.Write(prefix)
	}
	return false
}

func (a *acl) Manage(prefix []byte) bool {
	if a.check(manage, prefix) {
		return true
	}
	if a.parent != nil {
		return a.parent.Manage(prefix)
	}
	return false
}

func (a *acl) GrantRead(prefix []byte)   { a.grant(read, prefix) }
func (a *acl) GrantWrite(prefix []byte)  { a.grant(write, prefix) }
func (a *acl) GrantManage(prefix []byte) { a.grant(manage, prefix) }

func (a *acl) RevokeRead(prefix []byte)   { a.revoke(read, prefix) }
func (a *acl) RevokeWrite(prefix []byte)  { a.revoke(write, prefix) }
func (a *acl) RevokeManage(prefix []byte) { a.revoke(manage, prefix) }

func (a *acl) Clear() {
	a.read = nil
	a.write = nil
	a.manage = nil
}

func (a *acl) check(op string, prefix []byte) bool {
	list := a.list(op)
	for _, pp := range list {
		if len(pp) == 0 {
			continue
		}
		if bytes.HasPrefix(prefix, pp) {
			return true
		}
	}
	return false
}

func (a *acl) grant(op string, prefix []byte) {
	list := a.list(op)
	for _, pp := range list {
		if bytes.Equal(prefix, pp) {
			return
		}
	}

	switch op {
	case read:
		a.read = append(a.read, prefix)
	case write:
		a.write = append(a.write, prefix)
	case manage:
		a.manage = append(a.manage, prefix)
	default:
		log.Panicf("acl: unexpected check operation %s", op)
	}
	return
}

func (a *acl) revoke(op string, prefix []byte) {
	list := a.list(op)
	for i, pp := range list {
		if bytes.Equal(prefix, pp) {
			list[i] = nil
		}
	}
}

func (a *acl) list(op string) [][]byte {
	switch op {
	case read:
		return a.read
	case write:
		return a.write
	case manage:
		return a.manage
	default:
		log.Panicf("acl: unexpected check operation %s", op)
	}
	return nil
}