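package endpointroles

import (
	"context"

	"github.com/sirupsen/logrus"
	"go-micro.dev/v4/errors"
	"go-micro.dev/v4/server"
	"jochum.dev/jo-micro/auth2"
)

// EndpointRolesVerifier decides whether a user may call a server endpoint.
// Each endpoint can carry one Rule (RolesDeny / RolesAllow); everything the
// rules do not decide falls back to Options.DefaultDeny.
type EndpointRolesVerifier struct {
	// rules maps an endpoint name (as returned by server.Request.Endpoint())
	// to the Rule that governs it.
	rules map[string]Rule
	// endpointnames lists every configured endpoint once; it is only used to
	// enrich log output when a request hits an endpoint without a rule.
	endpointnames []string
	options       Options
}

// NewVerifier returns a verifier with no rules, configured from opts.
// Rules are added afterwards with AddRules.
func NewVerifier(opts ...Option) *EndpointRolesVerifier {
	return &EndpointRolesVerifier{
		rules:         make(map[string]Rule),
		endpointnames: []string{},
		options:       NewOptions(opts...),
	}
}

// AddRules registers rules keyed by Rule.Endpoint. A later rule for an
// endpoint that already has one replaces the earlier rule. The endpoint
// name is recorded in endpointnames only the first time it is seen, so
// re-registering an endpoint does not produce duplicate names in the logs.
func (v *EndpointRolesVerifier) AddRules(rules ...Rule) {
	for _, rule := range rules {
		if _, seen := v.rules[rule.Endpoint]; !seen {
			v.endpointnames = append(v.endpointnames, rule.Endpoint)
		}
		v.rules[rule.Endpoint] = rule
	}
}

// logrus returns the logger from Options, or the logrus standard logger
// when none was configured.
func (v *EndpointRolesVerifier) logrus() *logrus.Logger {
	if l := v.options.Logrus; l != nil {
		return l
	}
	return logrus.StandardLogger()
}

// Verify evaluates the rule for req.Endpoint() against the user's roles.
//
// Order of evaluation for an endpoint that has a rule:
//  1. RolesDeny — a match refuses access, even if an allow role also matches.
//  2. RolesAllow — a match grants access.
//  3. Neither matched — refused only when Options.DefaultDeny is set.
//
// An endpoint without a rule is likewise granted unless DefaultDeny is set,
// i.e. the verifier fails open by default; deployments that want
// deny-by-default must set DefaultDeny explicitly.
//
// The error is a go-micro Unauthorized error when access is refused and nil
// when it is granted. The bool is handed back to the caller as the auth2
// verifier contract requires; its meaning is not defined here (presumably
// whether further verifiers should still run — confirm against auth2).
// NOTE(review): the two DefaultDeny refusals return different bool values
// (true for "no matching role", false for "no rule") — confirm that is
// intended. ctx is accepted for the interface and not used.
// NOTE(review): u is dereferenced for logging (u.Roles); a nil user would
// panic here — confirm callers never pass nil.
func (v *EndpointRolesVerifier) Verify(ctx context.Context, u *auth2.User, req server.Request) (error, bool) {
	endpoint := req.Endpoint()
	entry := v.logrus().WithField("endpoint", endpoint)

	if rule, ok := v.rules[endpoint]; ok {
		// Deny is checked first so that holding a denied role always wins.
		if auth2.IntersectsRoles(u, rule.RolesDeny...) {
			entry.WithField("rolesDeny", rule.RolesDeny).WithField("userRoles", u.Roles).Debug("Unauthorized")
			return errors.Unauthorized("auth2/plugins/verifier/endpointroles/EndpointRolesVerifier.Verify|Denied by rule", "Unauthorized"), false
		}
		if auth2.IntersectsRoles(u, rule.RolesAllow...) {
			entry.WithField("rolesAllow", rule.RolesAllow).WithField("userRoles", u.Roles).Trace("Authorized")
			return nil, false
		}
		if v.options.DefaultDeny {
			entry.WithField("user_roles", u.Roles).WithField("roles_allow", rule.RolesAllow).Debug("DefaultDeny: No matching role")
			return errors.Unauthorized("auth2/plugins/verifier/endpointroles/EndpointRolesVerifier.Verify|No matching role", "Unauthorized"), true
		}
		// A rule exists but none of the user's roles matched it; without
		// DefaultDeny this is allowed. Logged separately so the audit trail
		// does not report it as "no rule".
		entry.WithField("user_roles", u.Roles).WithField("roles_allow", rule.RolesAllow).Trace("DefaultAllow: No matching role")
		return nil, true
	}

	if !v.options.DefaultDeny {
		entry.WithField("endpoints", v.endpointnames).Trace("DefaultAllow: No rule")
		return nil, true
	}
	entry.WithField("endpoints", v.endpointnames).Debug("DefaultDeny: no rule")
	return errors.Unauthorized("auth2/plugins/verifier/endpointroles/EndpointRolesVerifier.Verify|No rule", "Unauthorized"), false
}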