using MxGateway.Contracts.Proto;

namespace MxGateway.Server.Security.Authorization;

public sealed class GatewayGrpcScopeResolver
{
    public string ResolveRequiredScope(object request)
    {
        return request switch
        {
            OpenSessionRequest => GatewayScopes.SessionOpen,
            CloseSessionRequest => GatewayScopes.SessionClose,
            StreamEventsRequest => GatewayScopes.EventsRead,
            MxCommandRequest commandRequest => ResolveCommandScope(commandRequest.Command?.Kind ?? MxCommandKind.Unspecified),
            _ => GatewayScopes.Admin
        };
    }

    private static string ResolveCommandScope(MxCommandKind kind)
    {
        return kind switch
        {
            MxCommandKind.Write or
            MxCommandKind.Write2 => GatewayScopes.InvokeWrite,

            MxCommandKind.WriteSecured or
            MxCommandKind.WriteSecured2 or
            MxCommandKind.AuthenticateUser => GatewayScopes.InvokeSecure,

            MxCommandKind.ArchestraUserToId or
            MxCommandKind.GetSessionState or
            MxCommandKind.GetWorkerInfo => GatewayScopes.MetadataRead,

            MxCommandKind.DrainEvents => GatewayScopes.EventsRead,
            MxCommandKind.ShutdownWorker => GatewayScopes.Admin,

            _ => GatewayScopes.InvokeRead
        };
    }
}