From a53a0a0f957fd7ca04d194f44dd07456158e3f28 Mon Sep 17 00:00:00 2001
From: Cameron Purdy <699204+cpurdy@users.noreply.github.com>
Date: Fri, 22 Nov 2024 18:04:46 -0500
Subject: [PATCH] WIP (it compiles!)

---
 lib_xenia/src/main/x/xenia/ChainBundle.x | 25 ++++++++++++++++--------
 lib_xenia/src/main/x/xenia/SessionImpl.x | 12 +++++++-----
 2 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/lib_xenia/src/main/x/xenia/ChainBundle.x b/lib_xenia/src/main/x/xenia/ChainBundle.x
index 5a30f2660..4c027d461 100644
--- a/lib_xenia/src/main/x/xenia/ChainBundle.x
+++ b/lib_xenia/src/main/x/xenia/ChainBundle.x
@@ -17,6 +17,7 @@ import web.AcceptList;
 import web.Body;
 import web.BodyParam;
 import web.ErrorHandler;
+import web.Header;
 import web.HttpMethod;
 import web.HttpStatus;
 import web.MediaType;
@@ -354,10 +355,10 @@ service ChainBundle {
                         // is it a principal or an entitlement?
                         val claim = attempt.claim;
                         if (claim.is(Principal)) {
-                            principals = principals.addIfAbsent(claim);
+                            principals := principals.addIfAbsent(claim);
                         } else {
                             assert claim.is(Entitlement);
-                            entitlements = entitlements.addIfAbsent(claim);
+                            entitlements := entitlements.addIfAbsent(claim);
                         }
                         break;
                 }
@@ -392,10 +393,10 @@ service ChainBundle {
                 SimpleResponse response = new SimpleResponse(status);
                 for (Attempt attempt : failures) {
                     if (String header := attempt.response.is(String)) {
-                        response.header.add(WWWAuthenticate, header);
+                        response.header.add(Header.WWWAuthenticate, header);
                     } else if (String[] headers := attempt.response.is(String[])) {
                         for (String header : headers) {
-                            response.header.add(WWWAuthenticate, header);
+                            response.header.add(Header.WWWAuthenticate, header);
                         }
                     }
                 }
@@ -407,8 +408,8 @@ service ChainBundle {
                 for (Entitlement entitlement : entitlements) {
                     Int pid = entitlement.principalId;
                     if (entitlement.conferIdentity && !principals.any(p -> p.principalId == pid)) {
-                        if (Principal principal := realm.readPrincipal(pid)) {
-                            principals = principals.addIfAbsent(principal);
+                        if (Principal principal := authenticator.realm.readPrincipal(pid)) {
+                            principals := principals.addIfAbsent(principal);
                         } else {
                             // TODO log failure?
                         }
@@ -442,12 +443,19 @@ service ChainBundle {
             return True, new SimpleResponse(Forbidden);
         };
 
+        /**
+         * Log a failed authentication.
+         */
+        private void failedAuth(RequestIn request, Session? session, Attempt attempt) {
+            // TODO
+        }
+
         /**
          * Determine if the specified [Permission]/check is allowed using information from the
          * session.
          */
         private Boolean checkSessionApproval(Session session,
-                Permission permission, (function Boolean())? accessGranted) {
+                Permission? permission, (function Boolean())? accessGranted) {
             return checkApproval(session.principal, session.entitlements, permission, accessGranted);
         }
 
@@ -455,8 +463,9 @@ service ChainBundle {
          * Determine if the specified [Permission]/check is allowed.
          */
         private Boolean checkApproval(Principal? principal, Entitlement[] entitlements,
-                Permission permission, (function Boolean())? accessGranted) {
+                Permission? permission, (function Boolean())? accessGranted) {
             if (permission != Null) {
+                Realm realm = authenticator.realm;
                 return principal?.permitted(realm, permission);
                 return entitlements.any(e -> e.permitted(realm, permission));
             }
diff --git a/lib_xenia/src/main/x/xenia/SessionImpl.x b/lib_xenia/src/main/x/xenia/SessionImpl.x
index 41e21c5dc..cc1254bab 100644
--- a/lib_xenia/src/main/x/xenia/SessionImpl.x
+++ b/lib_xenia/src/main/x/xenia/SessionImpl.x
@@ -396,16 +396,18 @@ service SessionImpl
 
     @Override
     void deauthenticate() {
-        if (String oldUser ?= userId) {
-            userId            = Null;
+        Principal?    oldPrincipal    = principal;
+        Entitlement[] oldEntitlements = entitlements;
+        if (oldPrincipal != Null || !oldEntitlements.empty) {
+            principal         = Null;
+            entitlements      = [];
             exclusiveAgent    = False;
             trustLevel        = None;
-            roles             = [];
             lastAuthenticated = Null;
 
-            issueEvent_(SessionDeauthenticated, Void, &sessionDeauthenticated(oldUser),
+            issueEvent_(SessionDeauthenticated, Void, &sessionDeauthenticated(oldPrincipal, oldEntitlements),
                         () -> $|An exception in session {this.internalId_} occurred during a\
-                               | deauthentication event for user {oldUser.quoted()}
+                               | deauthentication event
                        );
         }
     }