using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using ZB.MOM.WW.Auth.Abstractions.Roles;
using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;
using ZB.MOM.WW.OtOpcUa.Security.Ldap;

namespace ZB.MOM.WW.OtOpcUa.Host.OpcUa;

/// <summary>
/// Production <see cref="IOpcUaUserAuthenticator"/> adapter that bridges OPC UA UserName
/// tokens to the same <see cref="ILdapAuthService"/> the Admin UI cookie/JWT flows use, so a
/// single LDAP source-of-truth governs both control-plane (Admin) and data-plane (OPC UA)
/// session identities. Roles are resolved through the shared
/// <see cref="IGroupRoleMapper{TRole}"/> seam from the LDAP groups returned by the directory —
/// the same seam the login endpoint uses — and the resolved set is attached to the OPC UA
/// session identity for the downstream data-plane ACL evaluator.
/// </summary>
/// <remarks>
/// This authenticator is registered as a singleton, but <see cref="IGroupRoleMapper{TRole}"/>
/// (and its DbContext-backed mapping service) is scoped. A per-call DI scope is opened to
/// resolve the mapper so the singleton never captures a scoped dependency.
/// </remarks>
public sealed class LdapOpcUaUserAuthenticator(
    ILdapAuthService ldap,
    IServiceScopeFactory scopeFactory,
    ILogger<LdapOpcUaUserAuthenticator> logger)
    : IOpcUaUserAuthenticator
{
    /// <summary>Authenticates an OPC UA UserName token via LDAP, resolving roles through the mapper.</summary>
    /// <param name="username">The username to authenticate.</param>
    /// <param name="password">The password to authenticate.</param>
    /// <param name="ct">Cancellation token.</param>
    public async Task<OpcUaUserAuthResult> AuthenticateUserNameAsync(string username, string password, CancellationToken ct)
    {
        try
        {
            var result = await ldap.AuthenticateAsync(username, password, ct).ConfigureAwait(false);
            if (!result.Success)
            {
                return OpcUaUserAuthResult.Deny(result.Error ?? "Invalid credentials");
            }

            var roles = await ResolveRolesAsync(result.Groups, result.Roles, username, ct).ConfigureAwait(false);
            return OpcUaUserAuthResult.Allow(result.DisplayName ?? username, roles);
        }
        catch (Exception ex) when (ex is not OperationCanceledException)
        {
            logger.LogWarning(ex, "LDAP authentication threw for OPC UA user {User}", username);
            return OpcUaUserAuthResult.Deny("Authentication backend error");
        }
    }

    /// <summary>
    /// Resolves the user's roles from their LDAP groups via the scoped
    /// <see cref="IGroupRoleMapper{TRole}"/>, unioned with any pre-resolved roles (the DevStub
    /// FleetAdmin grant). A mapper fault (e.g. a DB outage) must not deny an otherwise-authenticated
    /// session: it falls back to the pre-resolved roles, matching the login endpoint's behaviour.
    /// </summary>
    /// <param name="groups">The LDAP groups returned by the directory.</param>
    /// <param name="preResolved">Pre-resolved roles (empty on the real path; FleetAdmin under DevStub).</param>
    /// <param name="username">The login name, for diagnostics.</param>
    /// <param name="ct">Cancellation token.</param>
    private async Task<IReadOnlyList<string>> ResolveRolesAsync(
        IReadOnlyList<string> groups, IReadOnlyList<string> preResolved, string username, CancellationToken ct)
    {
        try
        {
            await using var scope = scopeFactory.CreateAsyncScope();
            var mapper = scope.ServiceProvider.GetRequiredService<IGroupRoleMapper<string>>();
            var mapping = await mapper.MapAsync(groups, ct).ConfigureAwait(false);

            var roles = new HashSet<string>(preResolved, StringComparer.OrdinalIgnoreCase);
            foreach (var role in mapping.Roles)
                roles.Add(role);
            return [.. roles];
        }
        catch (Exception ex) when (ex is not OperationCanceledException)
        {
            logger.LogWarning(ex,
                "Role-map lookup failed for OPC UA user {User}; using pre-resolved baseline roles", username);
            return preResolved;
        }
    }
}