using HyperBooru.Util;
using Microsoft.EntityFrameworkCore;
using System.Data;

namespace HyperBooru.Services;

public class SecurityService {
    private IDbContextFactory<HBContext> dbFactory;

    private MemoryCache<int, HBPrincipal> principalCache;
    private MemoryCache<int, Acl>         aclCache;

    public SecurityService(IDbContextFactory<HBContext> dbFactory) {
        this.dbFactory = dbFactory;

        // TODO: preload the principal cache
        principalCache = new() {
            MaxItems   = 10_000,
            MaxAge     = TimeSpan.FromMinutes(10),
            DataSource = (int id) => {
                using var db = dbFactory.CreateDbContext();
                return db.Principals
                    .Include(p => p.MemberOf)
                    .FirstOrDefault(p => p.ObjectId == id);
            }
        };

        aclCache = new() {
            MaxItems   = 1000,
            MaxAge     = TimeSpan.FromMinutes(10),
            DataSource = (int id) => {
                using var db = dbFactory.CreateDbContext();
                return db.Acls
                    .Include(a => a.Rules)
                    .FirstOrDefault(a => a.ObjectId == id);
            }
        };
    }

    public IEnumerable<HBObject> Filter(
        IEnumerable<HBObject> objects,
        HBPrincipal principal,
        ulong permissions) {

        foreach(var obj in objects) {
            var perms = GetPermissions(obj.Acl, principal);
            if((perms & permissions) == permissions)
                yield return obj;
        }
    }

    public IEnumerable<HBObject> Filter<T>(
        IEnumerable<HBObject> objects,
        HBPrincipal principal,
        T permissions) where T : Enum =>
        Filter(objects, principal, permissions);

    /// <summary>
    /// Resolve the specified ACL and return a bitmask representing
    /// all the permissions the specified principal has.
    /// </summary>
    /// <param name="acl">
    /// ACL to resolve (returns a bitmask consisting of all 1's if this field is null)
    /// </param>
    private ulong GetPermissions(Acl? acl, HBPrincipal principal) {
        if(acl is null)
            return ulong.MaxValue;

        bool hasAllowRules = acl.Rules
            .Any(r => r.Action == AclRuleAction.Allow);

        ulong permissions = hasAllowRules ? 0 : ulong.MaxValue;

        var principals = GetGroupMemberShip(principal)
            .Cast<HBPrincipal>()
            .Concat(new[] { principal })
            .ToArray();

        acl.Rules.IntersectBy(principals, r => r.Principal);

        foreach(var rule in acl.Rules) {
            if(!principals.Contains(rule.Principal))
                continue;

            if(rule.Action == AclRuleAction.Allow)
                permissions |= rule.Permissions;
            else
                permissions &= ~rule.Permissions;
        }

        return permissions;
    }

    /// <summary>
    /// Recursively get all groups of which the specified principal
    /// is a member, including implicit memberships.
    /// </summary>
    private List<Group> GetGroupMemberShip(HBPrincipal principal) {
        var groups = principal.MemberOf.ToList();

        while(true) {
            var toAdd = groups
                .SelectMany(g => g.MemberOf)
                .Select(g => g.ObjectId)
                .Where(id => !groups.Select(g => g.ObjectId).Contains(id))
                .ToArray();

            if(toAdd.Count() == 0)
                break;

            foreach(var id in toAdd)
                groups.Add((Group) principalCache[id]);
        }

        return groups;
    }
}