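import { Dict } from '../common';
import {
  DEFAULT_AUTH_SUBJECT_NAME,
  MOSAIC_AUTH_END_USER_ID,
  MOSAIC_AUTH_PERMISSIONS,
  MOSAIC_AUTH_PROFILE_ID,
  MOSAIC_AUTH_SUBJECT_NAME,
  MOSAIC_AUTH_TAGS,
  MOSAIC_ENVIRONMENT_ID,
  MOSAIC_ID_SERVICE_AUTH_PERMISSIONS,
  MOSAIC_ID_SERVICE_AUTH_SUBJECT_NAME,
  MOSAIC_ID_SERVICE_AUTH_TAGS,
  MOSAIC_ID_SERVICE_ENVIRONMENT_ID,
  MOSAIC_ID_SERVICE_TENANT_ID,
  MOSAIC_TENANT_ID,
  PGMEMENTO_SESSION_INFO,
} from '../constants';
import {
  PgAuthenticatedEndUser,
  PgAuthenticatedEndUserApplication,
  PgAuthenticatedManagementSubject,
} from './authentication-subject';

/**
 * Builds a pg settings object for the currently authenticated management subject.
 * Used for RLS authentication in both PostGraphile and zapatos.
 *
 * The returned object carries the `role` to switch to plus every setting that
 * `buildAuthPgSettings` produces for the same subject and service.
 *
 * @param subject - Currently authenticated management subject. `undefined`
 *   yields the unauthenticated defaults (default subject name, empty ids).
 * @param dbRole - The database role to switch to. Passed through unchanged as
 *   the `role` setting.
 * @param serviceId - The serviceId of the current service; selects which
 *   per-service permissions are exposed.
 */
export function buildPgSettings(
  subject: PgAuthenticatedManagementSubject | undefined,
  dbRole: string,
  serviceId: string,
): Dict;
/**
 * Builds a pg settings object for the currently authenticated management subject.
 * Excludes permissions and tags (no serviceId given, so neither the auth tags
 * nor the auth permissions keys are present in the result).
 * Used for RLS authentication in both PostGraphile and zapatos.
 *
 * @param subject - Currently authenticated management subject.
 * @param dbRole - The database role to switch to
 */
export function buildPgSettings(
  subject: PgAuthenticatedManagementSubject | undefined,
  dbRole: string,
): Dict;
export function buildPgSettings(
  subject: PgAuthenticatedManagementSubject | undefined,
  dbRole: string,
  serviceId?: string,
): Dict {
  return {
    role: dbRole, // Each GraphQL Request will run on the DB as dedicated gql role
    ...buildAuthPgSettings(subject, serviceId),
  };
}

/**
 * Builds a pg settings object for the currently authenticated management subject without role switching.
 * Used for RLS authentication in both PostGraphile and zapatos.
 *
 * Every value is written twice: once under the generic `MOSAIC_*` keys and once
 * under the `MOSAIC_ID_SERVICE_*` keys.
 *
 * @param subject - Currently authenticated management subject. `undefined`
 *   yields the unauthenticated defaults (default subject name, empty ids).
 * @param serviceId - The serviceId of the current service. When omitted or
 *   empty, the tags and permissions keys are left out of the result entirely.
 */
export function buildAuthPgSettings(
  subject: PgAuthenticatedManagementSubject | undefined,
  serviceId?: string,
): Dict;
/**
 * Builds a pg settings object for the currently authenticated management subject without role switching.
 * Excludes permissions and tags, because no serviceId is given to scope them.
 * Used for RLS authentication in both PostGraphile and zapatos.
 *
 * @param subject - Currently authenticated management subject.
 */
export function buildAuthPgSettings(
  subject: PgAuthenticatedManagementSubject | undefined,
): Dict;
export function buildAuthPgSettings(
  subject: PgAuthenticatedManagementSubject | undefined,
  serviceId?: string,
): Dict {
  // Tags and permissions are only exposed when the calling service is known:
  // permissions are keyed per service, and without a (non-empty) serviceId the
  // keys are omitted rather than set to ''. Computed once and reused for both
  // the generic and the ID-service key sets.
  // NOTE(review): values are joined with ',' — this assumes individual tags and
  // permissions never contain a comma; verify against the code that splits them.
  const serviceScope = serviceId
    ? {
        tags: subject?.tags?.join?.(',') ?? '',
        permissions: subject?.permissions?.[serviceId]?.join?.(',') ?? '',
      }
    : undefined;

  return {
    // Common settings. An absent subject (unauthenticated request) falls back
    // to the default subject name and empty tenant/environment ids.
    [MOSAIC_AUTH_SUBJECT_NAME]: subject?.name ?? DEFAULT_AUTH_SUBJECT_NAME,
    [MOSAIC_TENANT_ID]: subject?.tenantId ?? '',
    [MOSAIC_ENVIRONMENT_ID]: subject?.environmentId ?? '',
    // Audit context for pgMemento. JSON.stringify drops members whose value is
    // undefined, so an absent subject records "{}".
    [PGMEMENTO_SESSION_INFO]: JSON.stringify({
      environmentId: subject?.environmentId,
      tenantId: subject?.tenantId,
      sub: subject?.sub,
    }),
    ...(serviceScope
      ? {
          [MOSAIC_AUTH_TAGS]: serviceScope.tags,
          [MOSAIC_AUTH_PERMISSIONS]: serviceScope.permissions,
        }
      : {}),
    // ID Service specific settings (same values under the ID service keys)
    [MOSAIC_ID_SERVICE_AUTH_SUBJECT_NAME]:
      subject?.name ?? DEFAULT_AUTH_SUBJECT_NAME,
    [MOSAIC_ID_SERVICE_TENANT_ID]: subject?.tenantId ?? '',
    [MOSAIC_ID_SERVICE_ENVIRONMENT_ID]: subject?.environmentId ?? '',
    ...(serviceScope
      ? {
          [MOSAIC_ID_SERVICE_AUTH_TAGS]: serviceScope.tags,
          [MOSAIC_ID_SERVICE_AUTH_PERMISSIONS]: serviceScope.permissions,
        }
      : {}),
  };
}

/**
 * Builds a pg settings object for the currently authenticated end-user or end-user application with a dedicated DB Role.
 * Used for End User RLS authentication in both PostGraphile and zapatos.
 *
 * Unlike the management-subject variant, no tags, permissions or pgMemento
 * session info are set; the end-user id and profile id are exposed instead.
 *
 * @param subject - Currently Authenticated end-user or end-user application.
 *   `undefined` yields the default subject name and empty ids.
 * @param dbRole - The database role to switch to. Passed through unchanged as
 *   the `role` setting.
 */
export function buildEndUserAuthPgSettings(
  subject:
    | PgAuthenticatedEndUser
    | PgAuthenticatedEndUserApplication
    | undefined,
  dbRole: string,
): Dict {
  return {
    role: dbRole,
    [MOSAIC_AUTH_SUBJECT_NAME]: subject?.name ?? DEFAULT_AUTH_SUBJECT_NAME,
    [MOSAIC_TENANT_ID]: subject?.tenantId ?? '',
    [MOSAIC_ENVIRONMENT_ID]: subject?.environmentId ?? '',
    // `sub` is the end-user id; profileId may be absent on the subject, in
    // which case the setting is written as ''.
    [MOSAIC_AUTH_END_USER_ID]: subject?.sub ?? '',
    [MOSAIC_AUTH_PROFILE_ID]: subject?.profileId ?? '',
  };
}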