@page "/role-grants"
@* Per Q4 of the AdminUI rebuild plan, v2 replaced v1's per-cluster RoleGrants table with a
   fleet-wide LDAP-group → role map. This page surfaces the mapping read-only; the source of
   truth is Authentication:Ldap:GroupToRole in appsettings (editable on the host filesystem, not
   from the UI yet). *@
@attribute [Microsoft.AspNetCore.Authorization.Authorize]
@rendermode RenderMode.InteractiveServer
@using Microsoft.Extensions.Options
@using ZB.MOM.WW.OtOpcUa.Security.Ldap
@inject IOptionsSnapshot<LdapOptions> Ldap

<div class="d-flex justify-content-between align-items-center mb-3">
    <h4 class="mb-0">Role grants</h4>
</div>

<section class="panel notice rise" style="animation-delay:.02s">
    LDAP group membership determines fleet roles. Edit the mapping in
    <span class="mono">appsettings.json</span> under <span class="mono">Authentication:Ldap:GroupToRole</span>
    and restart the admin node (or sign out + back in for cached claims to refresh). UI-driven
    editing of the mapping is deferred — it implies a config-reload mechanism that doesn't exist
    yet.
</section>

@if (_options is null)
{
    <p>Loading…</p>
}
else
{
    <section class="card-grid rise mt-3" style="animation-delay:.08s">
        <div class="metric-card">
            <div class="panel-head">LDAP binding</div>
            <div class="kv"><span class="k">Enabled</span><span class="v">@(_options.Enabled ? "yes" : "no")</span></div>
            <div class="kv"><span class="k">Server</span><span class="v mono">@_options.Server:@_options.Port</span></div>
            <div class="kv"><span class="k">UseTls</span><span class="v">@_options.UseTls</span></div>
            <div class="kv"><span class="k">SearchBase</span><span class="v mono small">@_options.SearchBase</span></div>
            @if (!_options.UseTls && _options.AllowInsecureLdap)
            {
                <div class="kv"><span class="k">Warning</span><span class="v"><span class="chip chip-alert">Plaintext credentials over LDAP — dev mode only</span></span></div>
            }
        </div>
    </section>

    <section class="panel rise mt-3" style="animation-delay:.14s">
        <div class="panel-head">Group → role mapping (@(_options.GroupToRole?.Count ?? 0))</div>
        @if (_options.GroupToRole is null || _options.GroupToRole.Count == 0)
        {
            <div style="padding:1rem" class="text-muted">
                No mapping configured. Every authenticated user lands with zero roles —
                the fallback authorization policy will refuse every request. Add a
                <span class="mono">GroupToRole</span> entry before deploying.
            </div>
        }
        else
        {
            <div class="table-wrap">
                <table class="data-table">
                    <thead><tr><th>LDAP group</th><th>Resolved role</th></tr></thead>
                    <tbody>
                        @foreach (var kvp in _options.GroupToRole.OrderBy(k => k.Key, StringComparer.OrdinalIgnoreCase))
                        {
                            <tr>
                                <td><span class="mono">@kvp.Key</span></td>
                                <td><span class="chip chip-idle">@kvp.Value</span></td>
                            </tr>
                        }
                    </tbody>
                </table>
            </div>
        }
    </section>
}

@code {
    private LdapOptions? _options;

    protected override void OnInitialized()
    {
        _options = Ldap.Value;
    }
}