using Connected.Entities;
using Connected.Middleware;
using Connected.Security.Authorization;
using Connected.Security.Identity;
using System.Collections.Immutable;
using System.Security;

namespace Connected.Services.Authorization;

public abstract class ServiceAuthorizationMiddleware : MiddlewareComponent, IServiceAuthorizationMiddleware
{
	protected ServiceAuthorizationMiddleware(IAuthorizationService authorizationService, IIdentityService identityService)
	{
		AuthorizationService = authorizationService;
		IdentityService = identityService;
	}

	protected IAuthorizationService AuthorizationService { get; }
	protected IIdentityService IdentityService { get; }

	public Task<ImmutableArray<string>> ResolveClaims(ImmutableArray<string> claims)
	{
		return OnResolveClaims(claims);
	}

	protected virtual Task<ImmutableArray<string>> OnResolveClaims(ImmutableArray<string> claims)
	{
		return Task.FromResult(claims);
	}

	public async Task Authorize<TArgs>(ServiceAuthorizationMiddlewareArgs<TArgs> args) where TArgs : IDto
	{
		await OnAuthorize(args);
	}

	protected virtual async Task OnAuthorize<TArgs>(ServiceAuthorizationMiddlewareArgs<TArgs> args) where TArgs : IDto
	{
		foreach (var claim in args.Claims)
		{
			var result = await AuthorizationService.Authorize(new AuthorizationArgs
			{
				User = IdentityService.CurrentUser?.Id,
				Claim = claim,
				Component = args.Context.Sender.GetType().Name,
				Method = args.Context.Method,
				Schema = new AuthorizationSchema
				{
					EmptyPolicy = EmptyPolicyBehavior.Alow,
					Strategy = AuthorizationStrategy.Pessimistic
				}
			});

			if (!result.Success)
				throw new AccessViolationException($"{SR.PolicyAuthorizationFailed} ({result.Reason})");
		}
	}

	public async Task<TComponent> Authorize<TArgs, TComponent>(ServiceAuthorizationMiddlewareArgs<TArgs> args, TComponent component)
		where TArgs : IDto
	{
		return await OnAuthorize(args, component);
	}

	protected async Task<TComponent> OnAuthorize<TArgs, TComponent>(ServiceAuthorizationMiddlewareArgs<TArgs> args, TComponent component)
		where TArgs : IDto
	{
		var entity = component as IEntity;

		var primaryKey = entity is null ? component.ToString() : entity.PrimaryKeyValue();

		foreach (var claim in args.Claims)
		{
			var result = await AuthorizationService.Authorize(new AuthorizationArgs
			{
				User = IdentityService.CurrentUser?.Id,
				Claim = claim,
				Component = args.Context.Sender.GetType().Name,
				Method = args.Context.Method,
				Schema = new AuthorizationSchema
				{
					EmptyPolicy = EmptyPolicyBehavior.Alow,
					Strategy = AuthorizationStrategy.Pessimistic
				},
				Entity = entity.EntityId(),
				PrimaryKey = primaryKey
			});

			if (!result.Success)
				throw new SecurityException($"{SR.PolicyAuthorizationFailed} ({result.Reason})");
		}

		return component;
	}
}