using Microsoft.Extensions.Logging;
using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;
using ZB.MOM.WW.OtOpcUa.Security.Ldap;

namespace ZB.MOM.WW.OtOpcUa.Host.OpcUa;

/// <summary>
/// Production <see cref="IOpcUaUserAuthenticator"/> adapter that bridges OPC UA UserName
/// tokens to the same <see cref="ILdapAuthService"/> the Admin UI cookie/JWT flows use, so a
/// single LDAP source-of-truth governs both control-plane (Admin) and data-plane (OPC UA)
/// session identities. Roles flow through unchanged — the data-plane ACL evaluator reads
/// them off <c>OperationContext.UserIdentity</c> downstream.
/// </summary>
public sealed class LdapOpcUaUserAuthenticator(
    ILdapAuthService ldap,
    ILogger<LdapOpcUaUserAuthenticator> logger)
    : IOpcUaUserAuthenticator
{
    public async Task<OpcUaUserAuthResult> AuthenticateUserNameAsync(string username, string password, CancellationToken ct)
    {
        try
        {
            var result = await ldap.AuthenticateAsync(username, password, ct).ConfigureAwait(false);
            if (!result.Success)
            {
                return OpcUaUserAuthResult.Deny(result.Error ?? "Invalid credentials");
            }
            return OpcUaUserAuthResult.Allow(result.DisplayName ?? username, result.Roles);
        }
        catch (Exception ex) when (ex is not OperationCanceledException)
        {
            logger.LogWarning(ex, "LDAP authentication threw for OPC UA user {User}", username);
            return OpcUaUserAuthResult.Deny("Authentication backend error");
        }
    }
}