////////////////////////////////////////////////////////////////////////////////
/// DISCLAIMER
///
/// Copyright 2016 ArangoDB GmbH, Cologne, Germany
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
///     http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
///
/// Copyright holder is ArangoDB GmbH, Cologne, Germany
///
/// @author Jan Steemann
////////////////////////////////////////////////////////////////////////////////

#include "GeneralServer/ServerSecurityFeature.h"
#include "Logger/Logger.h"
#include "ProgramOptions/ProgramOptions.h"
#include "ProgramOptions/Section.h"
#include "Utils/ExecContext.h"

using namespace arangodb;
using namespace arangodb::basics;
using namespace arangodb::options;

ServerSecurityFeature::ServerSecurityFeature(application_features::ApplicationServer& server)
    : ApplicationFeature(server, "ServerSecurity"),
      _enableFoxxApi(true),
      _enableFoxxStore(true),
      _hardenedRestApi(false) {
  setOptional(false);
  startsAfter("ServerPlatform");
}

void ServerSecurityFeature::collectOptions(std::shared_ptr<ProgramOptions> options) {
  options->addSection("server", "Server features");
  options->addOption("--server.harden",
                     "lock down REST APIs that reveal version information or server "
                     "internals for non-admin users",
                     new BooleanParameter(&_hardenedRestApi))
                     .setIntroducedIn(30500);

  options->addSection("foxx", "Configure Foxx");
  options->addOption("--foxx.api", "enables Foxx management REST APIs",
                     new BooleanParameter(&_enableFoxxApi))
                     .setIntroducedIn(30500);
  options->addOption("--foxx.store", "enables Foxx store in web interface",
                     new BooleanParameter(&_enableFoxxStore))
                     .setIntroducedIn(30500);

}

bool ServerSecurityFeature::isFoxxApiDisabled() const {
  return !_enableFoxxApi;
}

bool ServerSecurityFeature::isFoxxStoreDisabled() const {
  return !_enableFoxxStore || !_enableFoxxApi;
}

bool ServerSecurityFeature::isRestApiHardened() const {
  return _hardenedRestApi;
}

bool ServerSecurityFeature::canAccessHardenedApi() const {
  bool allowAccess = !isRestApiHardened();

  if (!allowAccess) {
    ExecContext const* exec = ExecContext::CURRENT;
    if (exec == nullptr || exec->isAdminUser()) {
      // also allow access if there is not authentication
      // enabled or when the user is an administrator
      allowAccess = true;
    }
  }
  return allowAccess;
}