package auth

import (
	"errors"
	"github.com/veypi/OneAuth/models"
	"github.com/veypi/OneAuth/oalib"
	"gorm.io/gorm"
)

// 定义oa系统权限

type Resource = string

const (
	// ruid 皆为app uuid
	User Resource = "user"
	APP  Resource = "app"
	Res  Resource = "resource"
	Role Resource = "role"
	Auth Resource = "auth"
)

func BindUserRole(tx *gorm.DB, userID uint, roleID uint) error {
	ur := &models.UserRole{}
	ur.RoleID = roleID
	ur.UserID = userID
	err := tx.Where(ur).First(ur).Error
	if errors.Is(err, gorm.ErrRecordNotFound) {
		err = tx.Create(ur).Error
		if err == nil {
			tx.Model(&models.Role{}).Where("ID = ?", roleID).
				Update("UserCount", gorm.Expr("UserCount + ?", 1))
		}
	}
	return err
}
func UnBindUserRole(tx *gorm.DB, userID uint, roleID uint) error {
	ur := &models.UserRole{}
	ur.RoleID = roleID
	ur.UserID = userID
	err := tx.Unscoped().Where(ur).Delete(ur).Error
	if err == nil {
		tx.Model(&models.Role{}).Where("ID = ?", roleID).
			Update("UserCount", gorm.Expr("UserCount - ?", 1))
	}
	return err
}

func BindUserAuth(tx *gorm.DB, userID uint, resID uint, level oalib.AuthLevel, ruid string) error {
	return bind(tx, userID, resID, level, ruid, false)
}

func BindRoleAuth(tx *gorm.DB, roleID uint, resID uint, level oalib.AuthLevel, ruid string) error {
	return bind(tx, roleID, resID, level, ruid, true)
}

func bind(tx *gorm.DB, id uint, resID uint, level oalib.AuthLevel, ruid string, isRole bool) error {
	r := &models.Resource{}
	r.ID = resID
	err := tx.Where(r).First(r).Error
	if err != nil {
		return err
	}
	au := &models.Auth{
		AppUUID:    r.AppUUID,
		ResourceID: resID,
		RID:        r.Name,
		RUID:       ruid,
		Level:      level,
	}
	if isRole {
		au.RoleID = &id
	} else {
		au.UserID = &id
	}
	return tx.Where(au).FirstOrCreate(au).Error
}