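package service

import (
	"context"
	"fmt"

	"tss-rocks-be/ent"
	"tss-rocks-be/ent/permission"
	"tss-rocks-be/ent/role"
)

// RBACService seeds and maintains the role and permission tables through an
// ent client.
type RBACService struct {
	client *ent.Client
}

// NewRBACService returns an RBACService backed by client.
func NewRBACService(client *ent.Client) *RBACService {
	return &RBACService{
		client: client,
	}
}

// rolePermissions is one row of the built-in permission matrix: the actions a
// role may perform on a resource.
type rolePermissions struct {
	roleName string
	resource string
	actions  []string
}

// builtinRoles lists the roles InitializeRBAC guarantees exist, in creation
// order.
var builtinRoles = []string{"admin", "editor"}

// defaultPermissions is the built-in permission matrix applied by
// InitializeRBAC. It is a package-level constant table rather than something
// read from configuration or request input, so the grants cannot be widened at
// runtime; any change to it is a privilege change and should be reviewed as
// such. Note that "assign_role" on "users" is granted only to admin and that
// editor receives no "delete" action on any resource.
var defaultPermissions = []rolePermissions{
	{"admin", "users", []string{"create", "read", "update", "delete", "assign_role"}},
	{"admin", "roles", []string{"create", "read", "update", "delete"}},
	{"admin", "media", []string{"create", "read", "update", "delete"}},
	{"admin", "posts", []string{"create", "read", "update", "delete"}},
	{"admin", "categories", []string{"create", "read", "update", "delete"}},
	{"admin", "contributors", []string{"create", "read", "update", "delete"}},
	{"admin", "dailies", []string{"create", "read", "update", "delete"}},
	{"editor", "media", []string{"create", "read", "update"}},
	{"editor", "posts", []string{"create", "read", "update"}},
	{"editor", "categories", []string{"read"}},
	{"editor", "contributors", []string{"read"}},
	{"editor", "dailies", []string{"create", "read", "update"}},
}

// InitializeRBAC sets up the initial RBAC configuration: it makes sure every
// built-in role exists and that each role carries every permission listed for
// it in defaultPermissions.
//
// The function is idempotent — every role and permission is looked up before
// it is created — so it can be re-run safely at each start-up. It is not
// transactional: a failure part-way leaves the rows created so far in place,
// which is harmless precisely because a re-run picks up where it stopped.
// Because it grants privileges, it is meant to be called once by trusted
// bootstrap code, never from a request handler.
//
// It returns a wrapped error from the first query or write that fails.
func (s *RBACService) InitializeRBAC(ctx context.Context) error {
	roles := make(map[string]*ent.Role, len(builtinRoles))
	for _, name := range builtinRoles {
		r, err := s.ensureRole(ctx, name)
		if err != nil {
			return err
		}
		roles[name] = r
	}

	for _, p := range defaultPermissions {
		r, ok := roles[p.roleName]
		if !ok {
			// A row naming a role that is not in builtinRoles is a programming
			// error in the matrix; refuse rather than silently skip the grant.
			return fmt.Errorf("unknown role %q in permission matrix", p.roleName)
		}
		for _, action := range p.actions {
			if err := s.ensurePermission(ctx, r, p.resource, action); err != nil {
				return err
			}
		}
	}
	return nil
}

// ensureRole returns the role called name, creating it when it does not exist.
//
// Only a not-found result triggers creation; any other query error (including
// more than one role with that name, which Only reports as a non-singular
// error) is returned wrapped.
func (s *RBACService) ensureRole(ctx context.Context, name string) (*ent.Role, error) {
	r, err := s.client.Role.Query().
		Where(role.Name(name)).
		Only(ctx)
	switch {
	case err == nil:
		return r, nil
	case ent.IsNotFound(err):
		r, err = s.client.Role.Create().
			SetName(name).
			Save(ctx)
		if err != nil {
			return nil, fmt.Errorf("failed to create %s role: %w", name, err)
		}
		return r, nil
	default:
		return nil, fmt.Errorf("failed to query %s role: %w", name, err)
	}
}

// ensurePermission creates the (resource, action) permission for r unless one
// is already attached to r.
//
// The existence check is scoped to r through the roles edge, so a permission
// row with the same resource/action that belongs to a different role does not
// satisfy it and a separate row is created for r. That appears to be the
// intended one-row-per-role model; confirm against any uniqueness constraint
// on the Permission schema before relying on it.
func (s *RBACService) ensurePermission(ctx context.Context, r *ent.Role, resource, action string) error {
	exists, err := s.client.Permission.Query().
		Where(
			permission.Resource(resource),
			permission.Action(action),
			permission.HasRolesWith(role.ID(r.ID)),
		).
		Exist(ctx)
	if err != nil {
		return fmt.Errorf("failed to query permission: %w", err)
	}
	if exists {
		return nil
	}

	// Create the permission and attach it to the role in one save.
	_, err = s.client.Permission.Create().
		SetResource(resource).
		SetAction(action).
		AddRoles(r).
		Save(ctx)
	if err != nil {
		return fmt.Errorf("failed to create permission: %w", err)
	}
	return nil
}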