package aeusadmin

import (
	"context"
	"slices"

	"git.nobla.cn/golang/aeus-admin/internal/logic"
	"git.nobla.cn/golang/aeus-admin/models"
	"git.nobla.cn/golang/aeus-admin/types"
	"git.nobla.cn/golang/aeus/middleware/auth"
	"git.nobla.cn/golang/aeus/pkg/cache"
	"git.nobla.cn/golang/aeus/pkg/errors"
	"gorm.io/gorm"
)

// PermissionChecker decides whether the caller identified by the request
// context may exercise a named permission. It consults role-level and
// user-level permission lookups.
type PermissionChecker struct {
	// db is stored by NewPermissionChecker; it is not read by the methods
	// visible in this file.
	db *gorm.DB
	// user resolves the permissions attached directly to a subject.
	user *logic.User
	// role resolves the permissions attached to a role.
	role *logic.Role
}

// CheckPermission returns nil when the caller in ctx is allowed to use
// permission, and a non-nil error otherwise. Every failure path returns an
// error, so an unexpected condition never results in access being granted.
//
// Decision order:
//  1. No claims in ctx: errors.ErrAccessDenied.
//  2. Claims are *types.Claims with Admin set: allowed unconditionally.
//  3. Claims are *types.Claims and the role lookup for cl.Role contains
//     permission: allowed. A failed role lookup is reported as
//     errors.ErrPermissionDenied; the underlying error is not returned.
//  4. Otherwise the subject's own permissions are looked up; a failure of
//     GetSubject or of the user lookup is returned unchanged, and a missing
//     permission yields errors.ErrPermissionDenied.
//
// Permission names are compared by exact string equality.
//
// NOTE(review): the Admin flag and the role are taken from the claims as
// found in ctx. This assumes the auth middleware has verified the token
// before placing the claims there; confirm against the middleware.
func (p *PermissionChecker) CheckPermission(ctx context.Context, permission string) (err error) {
	claims, found := auth.FromContext(ctx)
	if !found {
		return errors.ErrAccessDenied
	}

	if typed, isTyped := claims.(*types.Claims); isTyped {
		// Administrators bypass every per-permission check.
		if typed.Admin {
			return nil
		}

		var granted []*models.Permission
		granted, err = p.role.GetPermissions(ctx, typed.Role)
		if err != nil {
			// Deny on lookup failure rather than falling through to the
			// user-level check; the original error is intentionally replaced.
			return errors.ErrPermissionDenied
		}
		for _, g := range granted {
			if g.Permission == permission {
				return nil
			}
		}
		// The role does not grant the permission; the user-level
		// permissions below may still grant it.
	}

	var subject string
	if subject, err = claims.GetSubject(); err != nil {
		return err
	}

	var userPerms []string
	if userPerms, err = p.user.GetPermissions(ctx, subject); err != nil {
		return err
	}

	if slices.Contains(userPerms, permission) {
		return nil
	}
	return errors.ErrPermissionDenied
}

// NewPermissionChecker builds a PermissionChecker whose user and role lookups
// are created from db and ch.
//
// NOTE(review): ch is handed to both lookups, so permission results are
// presumably cached. How quickly a revoked permission stops being honoured
// would then depend on that cache's invalidation; confirm in the logic package.
func NewPermissionChecker(db *gorm.DB, ch cache.Cache) *PermissionChecker {
	checker := new(PermissionChecker)
	checker.db = db
	checker.user = logic.NewUserLogic(db, ch)
	checker.role = logic.NewRoleLogic(db, ch)
	return checker
}