@page "/role-grants"
@attribute [Microsoft.AspNetCore.Authorization.Authorize(Policy = "FleetAdmin")]
@rendermode RenderMode.InteractiveServer
@using Microsoft.Extensions.Options
@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
@using ZB.MOM.WW.OtOpcUa.Configuration.Services
@using ZB.MOM.WW.OtOpcUa.Security.Ldap
@inject IOptionsSnapshot<LdapOptions> Ldap
@inject ILdapGroupRoleMappingService RoleMappings

<div class="d-flex justify-content-between align-items-center mb-3">
    <h4 class="mb-0">Role grants</h4>
</div>

@if (_options is not null)
{
    <section class="card-grid rise" style="animation-delay:.02s">
        <div class="metric-card">
            <div class="panel-head">LDAP binding</div>
            <div class="kv"><span class="k">Enabled</span><span class="v">@(_options.Enabled ? "yes" : "no")</span></div>
            <div class="kv"><span class="k">Server</span><span class="v mono">@_options.Server:@_options.Port</span></div>
            <div class="kv"><span class="k">Transport</span><span class="v">@_options.Transport</span></div>
            <div class="kv"><span class="k">SearchBase</span><span class="v mono small">@_options.SearchBase</span></div>
            @if (_options.Transport == ZB.MOM.WW.Auth.Abstractions.Ldap.LdapTransport.None && _options.AllowInsecure)
            {
                <div class="kv"><span class="k">Warning</span><span class="v"><span class="chip chip-alert">Plaintext credentials over LDAP — dev mode only</span></span></div>
            }
        </div>
    </section>
}

<section class="panel rise mt-3" style="animation-delay:.08s">
    <div class="panel-head">Group → role (database)</div>
    <div style="padding:1rem">
        <div class="d-flex gap-2 align-items-center flex-wrap">
            <input class="form-control form-control-sm mono" style="max-width:32rem"
                   @bind="_newGroup" placeholder="cn=fleet-admin,ou=groups,..." />
            <select class="form-select form-select-sm" style="max-width:14rem" @bind="_newRole">
                @foreach (var role in Enum.GetValues<AdminRole>())
                {
                    <option value="@role">@role</option>
                }
            </select>
            <button class="btn btn-sm btn-primary" @onclick="AddAsync" disabled="@_busy">Add</button>
        </div>
        @if (_error is not null)
        {
            <div class="text-danger small mt-2">@_error</div>
        }
    </div>
    <div class="table-wrap">
        <table class="data-table">
            <thead><tr><th>LDAP group</th><th>Role</th><th></th></tr></thead>
            <tbody>
                @if (_rows.Count == 0)
                {
                    <tr><td colspan="3" class="text-muted">No database role grants. Authentication falls back to the appsettings map below.</td></tr>
                }
                else
                {
                    @foreach (var r in _rows)
                    {
                        <tr>
                            <td><span class="mono">@r.LdapGroup</span></td>
                            <td><span class="chip chip-idle">@r.Role</span></td>
                            <td><button class="btn btn-sm btn-link text-danger" @onclick="() => DeleteAsync(r.Id)" disabled="@_busy">Delete</button></td>
                        </tr>
                    }
                }
            </tbody>
        </table>
    </div>
</section>

@if (_options is not null)
{
    <section class="panel rise mt-3" style="animation-delay:.14s">
        <div class="panel-head">Fallback (appsettings) (@(_options.GroupToRole?.Count ?? 0))</div>
        <div style="padding:1rem 1rem 0" class="text-muted small">
            These <span class="mono">Authentication:Ldap:GroupToRole</span> entries apply when a group has no database row above.
        </div>
        @if (_options.GroupToRole is null || _options.GroupToRole.Count == 0)
        {
            <div style="padding:1rem" class="text-muted">No appsettings fallback mapping configured.</div>
        }
        else
        {
            <div class="table-wrap">
                <table class="data-table">
                    <thead><tr><th>LDAP group</th><th>Resolved role</th></tr></thead>
                    <tbody>
                        @foreach (var kvp in _options.GroupToRole.OrderBy(k => k.Key, StringComparer.OrdinalIgnoreCase))
                        {
                            <tr>
                                <td><span class="mono">@kvp.Key</span></td>
                                <td><span class="chip chip-idle">@kvp.Value</span></td>
                            </tr>
                        }
                    </tbody>
                </table>
            </div>
        }
    </section>
}

@code {
    private LdapOptions? _options;
    private IReadOnlyList<LdapGroupRoleMapping> _rows = [];
    private string _newGroup = "";
    private AdminRole _newRole = AdminRole.Viewer;
    private string? _error;
    private bool _busy;

    protected override async Task OnInitializedAsync()
    {
        _options = Ldap.Value;
        await ReloadAsync();
    }

    private async Task ReloadAsync()
        => _rows = (await RoleMappings.ListAllAsync(default)).Where(r => r.IsSystemWide).ToList();

    private async Task AddAsync()
    {
        _error = null;
        if (string.IsNullOrWhiteSpace(_newGroup)) { _error = "LDAP group is required."; return; }
        _busy = true;
        StateHasChanged();
        try
        {
            await RoleMappings.CreateAsync(new LdapGroupRoleMapping
            {
                LdapGroup = _newGroup.Trim(), Role = _newRole, IsSystemWide = true, ClusterId = null,
            }, default);
            _newGroup = "";
            _newRole = AdminRole.Viewer;
            await ReloadAsync();
        }
        catch (Exception ex) { _error = ex.Message; }
        finally { _busy = false; }
    }

    private async Task DeleteAsync(Guid id)
    {
        _error = null; _busy = true;
        StateHasChanged();
        try { await RoleMappings.DeleteAsync(id, default); await ReloadAsync(); }
        catch (Exception ex) { _error = ex.Message; }
        finally { _busy = false; }
    }
}