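// Package services holds the service-layer implementations used by the faas
// API, including the permission checks backing AuthService.
package services

import (
	"context"
	"errors"
	"fmt"
	"strings"

	"go.uber.org/zap"

	"github.com/RyanCopley/skybridge/faas/internal/domain"
)

// ErrInsufficientPermission is the sentinel wrapped by ValidatePermissions
// when a required permission is not held; callers can test for it with
// errors.Is instead of matching the message text.
var ErrInsufficientPermission = errors.New("insufficient permission")

// authService is the AuthService implementation behind permission checks.
//
// NOTE(review): GetAuthContext currently ignores ctx and returns a fixed
// admin identity that holds every faas permission, so this implementation is
// fail-open — every caller is treated as admin@example.com. It must be
// replaced by the KMS-backed integration before this service guards real
// resources.
type authService struct {
	logger *zap.Logger
}

// NewAuthService returns an AuthService that logs through logger.
func NewAuthService(logger *zap.Logger) AuthService {
	return &authService{logger: logger}
}

// GetAuthContext returns the authentication context of the caller.
//
// Mock implementation for now - this should integrate with the KMS auth
// system. In a real implementation this would extract the auth info that the
// token-validating middleware placed on ctx. Until then ctx is ignored and a
// hard-coded admin context with the five faas permissions is returned; the
// returned error is always nil.
func (s *authService) GetAuthContext(ctx context.Context) (*domain.AuthContext, error) {
	return &domain.AuthContext{
		UserID:      "admin@example.com",
		AppID:       "faas-service",
		Permissions: []string{"faas.read", "faas.write", "faas.execute", "faas.deploy", "faas.delete"},
		Claims: map[string]string{
			"user_type": "admin",
		},
	}, nil
}

// permissionMatches reports whether a held permission entry satisfies the
// requested permission.
//
// A match is either exact (case-sensitive string equality) or a wildcard: a
// held entry of at least three characters ending in '*' grants every
// requested permission that starts with the text before the '*' (e.g.
// "faas.*" grants everything prefixed "faas."). The prefix match is not
// anchored to a '.' segment boundary, so "faas*" would also satisfy
// "faasadmin.delete"; keep wildcard entries of the form "<segment>.*".
func permissionMatches(held, requested string) bool {
	if held == requested {
		return true
	}
	if len(held) > 2 && strings.HasSuffix(held, "*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(held, "*"))
	}
	return false
}

// HasPermission reports whether the caller identified by ctx holds
// permission, using the exact/wildcard rules of permissionMatches.
//
// Any failure to obtain the auth context denies (fail closed) and is logged
// at Warn level; a denial with a valid context is logged at Debug level with
// the user id, the requested permission and the held permissions.
func (s *authService) HasPermission(ctx context.Context, permission string) bool {
	authCtx, err := s.GetAuthContext(ctx)
	if err != nil {
		s.logger.Warn("Failed to get auth context for permission check", zap.Error(err))
		return false
	}
	// Defensive: a (nil, nil) result from a future GetAuthContext must deny,
	// not panic on the field accesses below.
	if authCtx == nil {
		s.logger.Warn("Nil auth context for permission check", zap.String("permission", permission))
		return false
	}

	for _, held := range authCtx.Permissions {
		if permissionMatches(held, permission) {
			return true
		}
	}

	s.logger.Debug("Permission denied",
		zap.String("user_id", authCtx.UserID),
		zap.String("permission", permission),
		zap.Strings("user_permissions", authCtx.Permissions))
	return false
}

// ValidatePermissions checks every entry of permissions in order and returns
// nil only when the caller holds all of them. The first missing permission is
// reported through an error wrapping ErrInsufficientPermission (message
// "insufficient permission: <name>"); later entries are not checked. An empty
// list is trivially satisfied.
func (s *authService) ValidatePermissions(ctx context.Context, permissions []string) error {
	for _, permission := range permissions {
		if !s.HasPermission(ctx, permission) {
			return fmt.Errorf("%w: %s", ErrInsufficientPermission, permission)
		}
	}
	return nil
}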