namespace ZB.MOM.WW.OtOpcUa.Admin.Security;

/// <summary>A cluster-scoped Admin-role grant — the <see cref="Role"/> binds only within <see cref="ClusterId"/>.</summary>
public sealed record ClusterRoleGrant(string ClusterId, string Role);

/// <summary>
///     The Admin roles a user holds after sign-in, split by scope. <see cref="FleetRoles"/> apply
///     across every cluster; each entry in <see cref="ClusterRoles"/> binds only within its named
///     cluster. Resolved by <see cref="IAdminRoleGrantResolver"/> from the user's LDAP groups.
/// </summary>
public sealed record AdminRoleGrants(
    IReadOnlyList<string> FleetRoles,
    IReadOnlyList<ClusterRoleGrant> ClusterRoles)
{
    /// <summary>No grants — sign-in is blocked when a resolution yields this.</summary>
    public static readonly AdminRoleGrants Empty = new([], []);

    /// <summary>True when the user holds no Admin role at any scope.</summary>
    public bool IsEmpty => FleetRoles.Count == 0 && ClusterRoles.Count == 0;
}

/// <summary>
///     Resolves the Admin-role grants a set of LDAP groups confers. Augments the static
///     <see cref="LdapOptions.GroupToRole"/> bootstrap dictionary (always fleet-wide) with the
///     DB-backed <c>LdapGroupRoleMapping</c> rows authored on the role-grants page — fleet-wide
///     and cluster-scoped. The static dictionary is the lock-out-proof fallback; DB grants stack
///     additively on top of it.
/// </summary>
public interface IAdminRoleGrantResolver
{
    Task<AdminRoleGrants> ResolveAsync(IReadOnlyList<string> ldapGroups, CancellationToken cancellationToken);
}