@page "/clusters/{ClusterId}/acls"
@attribute [Microsoft.AspNetCore.Authorization.Authorize]
@rendermode RenderMode.InteractiveServer
@using Microsoft.EntityFrameworkCore
@using ZB.MOM.WW.OtOpcUa.Configuration
@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory

<div class="d-flex justify-content-between align-items-center mb-3">
    <h4 class="mb-0">ACLs &middot; <span class="mono">@ClusterId</span></h4>
    <a href="/clusters/@ClusterId/acls/new" class="btn btn-primary btn-sm">New ACL grant</a>
</div>

<ClusterNav ClusterId="@ClusterId" ActiveTab="acls" />

@if (_rows is null)
{
    <p>Loading…</p>
}
else
{
    <section class="panel notice rise" style="animation-delay:.02s">
        ACL rows grant LDAP groups specific <span class="mono">NodePermissions</span> on a scope
        (a folder, an equipment, a tag). Per-cluster role grants were dropped in favour of
        fleet-wide LDAP-group → role mapping; ACLs here are the finer-grained per-node scope.
    </section>

    <section class="panel rise mt-3" style="animation-delay:.08s">
        <div class="panel-head">@_rows.Count ACL row@(_rows.Count == 1 ? "" : "s")</div>
        @if (_rows.Count == 0)
        {
            <div style="padding:1rem" class="text-muted">No ACL rows for this cluster — default permissions from the fleet-wide LDAP group mapping apply.</div>
        }
        else
        {
            <div class="table-wrap">
                <table class="data-table">
                    <thead>
                        <tr>
                            <th>NodeAclId</th>
                            <th>LDAP group</th>
                            <th>Scope</th>
                            <th>Scope target</th>
                            <th>Permissions</th>
                            <th>Notes</th>
                            <th></th>
                        </tr>
                    </thead>
                    <tbody>
                        @foreach (var a in _rows)
                        {
                            <tr>
                                <td><span class="mono small">@a.NodeAclId</span></td>
                                <td><span class="mono">@a.LdapGroup</span></td>
                                <td>@a.ScopeKind</td>
                                <td><span class="mono small">@(a.ScopeId ?? "—")</span></td>
                                <td>
                                    @foreach (var perm in PermissionChips(a.PermissionFlags))
                                    {
                                        <span class="chip chip-idle me-1">@perm</span>
                                    }
                                </td>
                                <td class="text-muted small">@(a.Notes ?? "")</td>
                                <td><a href="/clusters/@ClusterId/acls/@a.NodeAclId" class="btn btn-sm btn-outline-primary">Edit</a></td>
                            </tr>
                        }
                    </tbody>
                </table>
            </div>
        }
    </section>
}

@code {
    [Parameter] public string ClusterId { get; set; } = "";
    private List<NodeAcl>? _rows;

    protected override async Task OnInitializedAsync()
    {
        await using var db = await DbFactory.CreateDbContextAsync();
        _rows = await db.NodeAcls.AsNoTracking()
            .Where(a => a.ClusterId == ClusterId)
            .OrderBy(a => a.NodeAclId)
            .ToListAsync();
    }

    private static IEnumerable<string> PermissionChips(ZB.MOM.WW.OtOpcUa.Configuration.Enums.NodePermissions flags)
    {
        foreach (var v in Enum.GetValues<ZB.MOM.WW.OtOpcUa.Configuration.Enums.NodePermissions>())
        {
            // Skip None (zero) and composite values that aren't single bits.
            var n = (int)v;
            if (n == 0) continue;
            if ((n & (n - 1)) != 0) continue;
            if (flags.HasFlag(v)) yield return v.ToString();
        }
    }
}