package permissions

import (
	"context"
	"fmt"
	"slices"
	"strings"

	"github.com/databricks/cli/bundle"
	"github.com/databricks/cli/bundle/config/resources"
	"github.com/databricks/cli/libs/diag"
	"github.com/databricks/cli/libs/dyn"
	"github.com/databricks/cli/libs/dyn/convert"
)

const CAN_MANAGE = "CAN_MANAGE"
const CAN_VIEW = "CAN_VIEW"
const CAN_RUN = "CAN_RUN"

var allowedLevels = []string{CAN_MANAGE, CAN_VIEW, CAN_RUN}
var levelsMap = map[string](map[string]string){
	"jobs": {
		CAN_MANAGE: "CAN_MANAGE",
		CAN_VIEW:   "CAN_VIEW",
		CAN_RUN:    "CAN_MANAGE_RUN",
	},
	"pipelines": {
		CAN_MANAGE: "CAN_MANAGE",
		CAN_VIEW:   "CAN_VIEW",
		CAN_RUN:    "CAN_RUN",
	},
	"experiments": {
		CAN_MANAGE: "CAN_MANAGE",
		CAN_VIEW:   "CAN_READ",
	},
	"models": {
		CAN_MANAGE: "CAN_MANAGE",
		CAN_VIEW:   "CAN_READ",
	},
	"model_serving_endpoints": {
		CAN_MANAGE: "CAN_MANAGE",
		CAN_VIEW:   "CAN_VIEW",
		CAN_RUN:    "CAN_QUERY",
	},
	"dashboards": {
		CAN_MANAGE: "CAN_MANAGE",
		CAN_VIEW:   "CAN_READ",
	},
	"apps": {
		CAN_MANAGE: "CAN_MANAGE",
		CAN_VIEW:   "CAN_USE",
	},
}

type bundlePermissions struct{}

func ApplyBundlePermissions() bundle.Mutator {
	return &bundlePermissions{}
}

func (m *bundlePermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
	err := validate(b)
	if err != nil {
		return diag.FromErr(err)
	}

	patterns := make(map[string]dyn.Pattern, 0)
	for key := range levelsMap {
		patterns[key] = dyn.NewPattern(
			dyn.Key("resources"),
			dyn.Key(key),
			dyn.AnyKey(),
		)
	}

	err = b.Config.Mutate(func(v dyn.Value) (dyn.Value, error) {
		for key, pattern := range patterns {
			v, err = dyn.MapByPattern(v, pattern, func(p dyn.Path, v dyn.Value) (dyn.Value, error) {
				var permissions []resources.Permission
				pv, err := dyn.Get(v, "permissions")

				// If the permissions field is not found, we set to an empty array
				if err != nil {
					pv = dyn.V([]dyn.Value{})
				}

				err = convert.ToTyped(&permissions, pv)
				if err != nil {
					return dyn.InvalidValue, fmt.Errorf("failed to convert permissions: %w", err)
				}

				permissions = append(permissions, convertPermissions(
					ctx,
					b.Config.Permissions,
					permissions,
					key,
					levelsMap[key],
				)...)

				pv, err = convert.FromTyped(permissions, dyn.NilValue)
				if err != nil {
					return dyn.InvalidValue, fmt.Errorf("failed to convert permissions: %w", err)
				}

				return dyn.Set(v, "permissions", pv)
			})

			if err != nil {
				return dyn.InvalidValue, err
			}
		}

		return v, nil
	})

	if err != nil {
		return diag.FromErr(err)
	}

	return nil
}

func validate(b *bundle.Bundle) error {
	for _, p := range b.Config.Permissions {
		if !slices.Contains(allowedLevels, p.Level) {
			return fmt.Errorf("invalid permission level: %s, allowed values: [%s]", p.Level, strings.Join(allowedLevels, ", "))
		}
	}

	return nil
}

func (m *bundlePermissions) Name() string {
	return "ApplyBundlePermissions"
}