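namespace ZB.MOM.WW.OtOpcUa.Admin.Security;

/// <summary>
/// LDAP + role-mapping configuration for the Admin UI. Bound from the appsettings.json
/// <c>Authentication:Ldap</c> section. Defaults point at the local GLAuth dev instance (see
/// C:\publish\glauth\auth.md) and are therefore NOT production-safe: <see cref="UseTls"/>
/// is off by default, so a production deployment must set it (or, for dev only,
/// <see cref="AllowInsecureLdap"/>). Call <see cref="Validate"/> after binding to reject
/// inconsistent combinations instead of discovering them at first login.
/// </summary>
public sealed class LdapOptions
{
    /// <summary>Configuration section this type is bound from.</summary>
    public const string SectionName = "Authentication:Ldap";

    /// <summary>Master switch for LDAP authentication.</summary>
    public bool Enabled { get; set; } = true;

    /// <summary>LDAP host name or address.</summary>
    public string Server { get; set; } = "localhost";

    /// <summary>LDAP port. 3893 is the GLAuth dev default, not the standard 389/636.</summary>
    public int Port { get; set; } = 3893;

    /// <summary>
    /// Use TLS for the LDAP connection. Defaults to false for the dev instance; a plaintext
    /// connection sends every user password and the service-account password in the clear.
    /// </summary>
    public bool UseTls { get; set; }

    /// <summary>
    /// Dev-only escape hatch that permits <see cref="UseTls"/> = false — must be false in
    /// production. <see cref="Validate"/> reports an error when LDAP is enabled without TLS
    /// and this flag is not set.
    /// </summary>
    public bool AllowInsecureLdap { get; set; }

    /// <summary>Base DN for user search (search-then-bind) or for building the direct-bind DN.</summary>
    public string SearchBase { get; set; } = "dc=lmxopcua,dc=local";

    /// <summary>
    /// Service-account DN used for search-then-bind. When empty, a direct-bind with
    /// cn={user},{SearchBase} is attempted.
    /// NOTE(review): the code that builds that DN must escape {user} per RFC 4514 and must
    /// reject an empty password before binding (many servers treat an empty-password simple
    /// bind as a successful anonymous bind). Neither is enforced by this options type.
    /// </summary>
    public string ServiceAccountDn { get; set; } = string.Empty;

    /// <summary>
    /// Service-account password. A secret — supply it via user-secrets, environment or a
    /// vault-backed provider rather than a checked-in appsettings file.
    /// </summary>
    public string ServiceAccountPassword { get; set; } = string.Empty;

    /// <summary>Attribute shown as the user's display name.</summary>
    public string DisplayNameAttribute { get; set; } = "cn";

    /// <summary>Attribute holding the user's group memberships.</summary>
    public string GroupAttribute { get; set; } = "memberOf";

    // Backing store so the setter can guarantee the case-insensitive comparer below.
    private Dictionary<string, string> _groupToRole = new(StringComparer.OrdinalIgnoreCase);

    /// <summary>
    /// Maps LDAP group name → Admin role. Group match is case-insensitive. A user gets every
    /// role whose source group is in their membership list; groups absent from this map grant
    /// nothing. Example dev mapping:
    /// "ReadOnly":"ConfigViewer","ReadWrite":"ConfigEditor","AlarmAck":"FleetAdmin"
    /// </summary>
    /// <remarks>
    /// The setter re-keys any assigned dictionary with <see cref="StringComparer.OrdinalIgnoreCase"/>,
    /// so the documented case-insensitive match holds even when a caller or binder assigns a
    /// dictionary built with the default (case-sensitive) comparer. Assigning null yields an
    /// empty map.
    /// </remarks>
    public Dictionary<string, string> GroupToRole
    {
        get => _groupToRole;
        set => _groupToRole = value is null
            ? new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            : new Dictionary<string, string>(value, StringComparer.OrdinalIgnoreCase);
    }

    /// <summary>
    /// Checks the bound values for combinations that would be unsafe or cannot work.
    /// Only applies when <see cref="Enabled"/> is true; a disabled section is always valid.
    /// </summary>
    /// <returns>
    /// A list of human-readable problems, empty when the configuration is acceptable. Does not
    /// throw, so the caller decides whether a problem is fatal.
    /// </returns>
    public IReadOnlyList<string> Validate()
    {
        var problems = new List<string>();
        if (!Enabled)
        {
            return problems;
        }

        if (string.IsNullOrWhiteSpace(Server))
        {
            problems.Add($"{SectionName}:{nameof(Server)} must not be empty.");
        }

        if (Port is < 1 or > 65535)
        {
            problems.Add($"{SectionName}:{nameof(Port)} must be between 1 and 65535 (was {Port}).");
        }

        if (string.IsNullOrWhiteSpace(SearchBase))
        {
            problems.Add($"{SectionName}:{nameof(SearchBase)} must not be empty.");
        }

        // Plaintext LDAP exposes every credential on the wire; only the dev flag may permit it.
        if (!UseTls && !AllowInsecureLdap)
        {
            problems.Add($"{SectionName}:{nameof(UseTls)} is false; set it to true or, for development only, set {nameof(AllowInsecureLdap)}.");
        }

        // A DN with an empty password would be an anonymous bind on most servers, not a
        // service-account bind — the search step would then run with anonymous rights or fail.
        if (!string.IsNullOrEmpty(ServiceAccountDn) && string.IsNullOrEmpty(ServiceAccountPassword))
        {
            problems.Add($"{SectionName}:{nameof(ServiceAccountPassword)} is required when {nameof(ServiceAccountDn)} is set.");
        }

        return problems;
    }
}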