package rbac2

import (
	"slices"
	"strings"

	"github.com/bluesky-social/indigo/atproto/syntax"

	"tangled.org/core/api/tangled"
)

// AddRepo registers a repository with the enforcer and grants the
// "repo:owner" role, scoped to the repo's AT-URI, to the URI's authority.
//
// The URI must be a tangled repo record (tangled.RepoNSID); anything else
// is rejected by validateAtUri before any policy is written.
func (e *Enforcer) AddRepo(repo syntax.ATURI) error {
	if err := validateAtUri(repo, tangled.RepoNSID); err != nil {
		return err
	}
	// The authority of the record URI is treated as the owner; the repo URI
	// itself is used as the policy domain for every repo-scoped grant.
	owner := repo.Authority().String()
	domain := repo.String()
	return e.setRoleForUser(owner, "repo:owner", domain)
}

// DeleteRepo drops every policy whose domain is the repo's AT-URI, which
// covers the owner grant and all collaborator grants for that repo.
func (e *Enforcer) DeleteRepo(repo syntax.ATURI) error {
	if err := validateAtUri(repo, tangled.RepoNSID); err != nil {
		return err
	}
	// The bool result (whether anything was removed) is intentionally
	// discarded: deleting an already-empty domain is not an error here.
	if _, err := e.e.DeleteDomains(repo.String()); err != nil {
		return err
	}
	return nil
}

// AddRepoCollaborator grants user the "repo:collaborator" role scoped to
// repo. Only the repo URI is validated; the DID is forwarded as given and
// is assumed to have been parsed by the caller.
func (e *Enforcer) AddRepoCollaborator(user syntax.DID, repo syntax.ATURI) error {
	if err := validateAtUri(repo, tangled.RepoNSID); err != nil {
		return err
	}
	if _, err := e.e.AddRoleForUser(user.String(), "repo:collaborator", repo.String()); err != nil {
		return err
	}
	return nil
}

// RemoveRepoCollaborator removes the collaborator from the repo.
// This won't remove inherited roles like repository owner.
func (e *Enforcer) RemoveRepoCollaborator(user syntax.DID, repo syntax.ATURI) error {
	if err := validateAtUri(repo, tangled.RepoNSID); err != nil {
		return err
	}
	// Only the direct "repo:collaborator" grant is revoked. A user who is
	// also "repo:owner" keeps whatever that role inherits, so revoking
	// collaboration alone does not reduce an owner's access.
	if _, err := e.e.DeleteRoleForUser(user.String(), "repo:collaborator", repo.String()); err != nil {
		return err
	}
	return nil
}

// GetRepoCollaborators lists the DIDs that hold the "repo:collaborator"
// role for repo, directly or through role inheritance, sorted and
// de-duplicated. The repo URI is not validated on this read path; it is
// handed to the underlying enforcer as-is.
func (e *Enforcer) GetRepoCollaborators(repo syntax.ATURI) ([]syntax.DID, error) {
	subjects, err := e.e.GetImplicitUsersForRole("repo:collaborator", repo.String())
	if err != nil {
		return nil, err
	}
	var dids []syntax.DID
	for _, subject := range subjects {
		// Role inheritance can surface role names (e.g. "repo:owner") as
		// subjects; only DID subjects are actual collaborators.
		if !strings.HasPrefix(subject, "did:") {
			continue
		}
		dids = append(dids, syntax.DID(subject))
	}
	slices.Sort(dids)
	return slices.Compact(dids), nil
}

// IsRepoOwner reports whether user holds the "repo:owner" role for repo
// directly (no inheritance is considered).
func (e *Enforcer) IsRepoOwner(user syntax.DID, repo syntax.ATURI) (bool, error) {
	return e.e.HasRoleForUser(user.String(), "repo:owner", repo.String())
}

// IsRepoCollaborator reports whether user holds the "repo:collaborator"
// role for repo, directly or through an inherited role.
func (e *Enforcer) IsRepoCollaborator(user syntax.DID, repo syntax.ATURI) (bool, error) {
	return e.hasImplicitRoleForUser(user.String(), "repo:collaborator", repo.String())
}

// enforceRepoAction evaluates the policy for user performing action on
// object inside the repo's domain. The repo-scoped permission checks below
// funnel through it so the (subject, domain, object, action) argument order
// is fixed in one place. Note that, unlike the mutating methods, the repo
// URI is not validated here; a non-repo URI is passed through unchanged.
func (e *Enforcer) enforceRepoAction(user syntax.DID, repo syntax.ATURI, object, action string) (bool, error) {
	return e.e.Enforce(user.String(), repo.String(), object, action)
}

// IsRepoWriteAllowed reports whether user may write to the repo root ("/").
func (e *Enforcer) IsRepoWriteAllowed(user syntax.DID, repo syntax.ATURI) (bool, error) {
	return e.enforceRepoAction(user, repo, "/", "write")
}

// IsRepoSettingsWriteAllowed reports whether user may change repo settings.
func (e *Enforcer) IsRepoSettingsWriteAllowed(user syntax.DID, repo syntax.ATURI) (bool, error) {
	return e.enforceRepoAction(user, repo, "/settings", "write")
}

// IsRepoCollaboratorInviteAllowed reports whether user may manage the
// repo's collaborators.
func (e *Enforcer) IsRepoCollaboratorInviteAllowed(user syntax.DID, repo syntax.ATURI) (bool, error) {
	return e.enforceRepoAction(user, repo, "/collaborator", "write")
}

// IsRepoGitPushAllowed reports whether user may push to the repo over git.
func (e *Enforcer) IsRepoGitPushAllowed(user syntax.DID, repo syntax.ATURI) (bool, error) {
	return e.enforceRepoAction(user, repo, "/git", "write")
}