package markitect

import "github.com/netkingdom/flex-auth/pkg/api"

const (
	GatewayEffectAllow       = "allow"
	GatewayEffectDeny        = "deny"
	GatewayEffectRedact      = "redact"
	GatewayEffectAuditDenied = "audit_denied"
)

// GatewayDecision is the Markitect-facing decision contract.
type GatewayDecision struct {
	ID                  string                         `json:"id"`
	Effect              string                         `json:"effect"`
	Reason              string                         `json:"reason,omitempty"`
	RuleID              string                         `json:"rule_id,omitempty"`
	PolicyVersion       string                         `json:"policy_version,omitempty"`
	Resource            api.ResourceRef                `json:"resource"`
	ResourceMetadata    map[string]any                 `json:"resource_metadata,omitempty"`
	Subject             api.SubjectRef                 `json:"subject"`
	Obligations         []api.Obligation               `json:"obligations,omitempty"`
	Diagnostics         map[string]any                 `json:"diagnostics,omitempty"`
	CaringDescriptor    *api.CaringAccessDescriptor    `json:"caring_descriptor,omitempty"`
	ConformanceFindings []api.CaringConformanceFinding `json:"conformance_findings,omitempty"`
	ExposureModes       []api.ExposureMode             `json:"exposure_modes,omitempty"`
}

// ToGatewayDecision projects a flex-auth decision envelope into the shape
// consumed by the Markitect policy gateway.
func ToGatewayDecision(decision api.DecisionEnvelope) GatewayDecision {
	out := GatewayDecision{
		ID:               decision.ID,
		Effect:           gatewayEffect(decision),
		Reason:           decision.Reason,
		RuleID:           decision.MatchedRule,
		PolicyVersion:    decision.MatchedPolicyVersion,
		Resource:         decision.Resource,
		ResourceMetadata: copyMap(decision.Resource.Attributes),
		Subject:          decision.Subject,
		Obligations:      append([]api.Obligation(nil), decision.Obligations...),
		Diagnostics:      copyMap(decision.Diagnostics),
	}
	if out.PolicyVersion == "" {
		out.PolicyVersion = decision.Provenance.PolicyVersion
	}
	if decision.Caring != nil {
		if decision.Caring.Descriptor != nil {
			descriptor := *decision.Caring.Descriptor
			out.CaringDescriptor = &descriptor
		}
		out.ConformanceFindings = append([]api.CaringConformanceFinding(nil), decision.Caring.ConformanceFindings...)
		out.ExposureModes = append([]api.ExposureMode(nil), decision.Caring.ExposureModes...)
	}
	return out
}

func gatewayEffect(decision api.DecisionEnvelope) string {
	if value, ok := decision.Diagnostics["markitect_effect"].(string); ok && value != "" {
		return value
	}
	if auditDenied, ok := decision.Diagnostics["audit_denied"].(bool); ok && auditDenied {
		return GatewayEffectAuditDenied
	}
	switch decision.Effect {
	case api.DecisionEffectAllow:
		return GatewayEffectAllow
	case api.DecisionEffectRedact:
		return GatewayEffectRedact
	case api.DecisionEffectAuditOnly:
		return GatewayEffectAuditDenied
	default:
		return GatewayEffectDeny
	}
}