use crate::api::ApiError;
use crate::models::User;
use crate::rbac::{self, SCOPE_GLOBAL};
use sqlx::PgPool;

// Permission identifiers, one `<resource>:<verb>` pair per protected
// resource. These strings are what `rbac::user_has_permission` is asked
// about, so their exact values are part of the authorization contract.

// Control planes.
pub const PERM_CONTROL_PLANES_READ: &str = "control_planes:read";
pub const PERM_CONTROL_PLANES_WRITE: &str = "control_planes:write";

// Networks.
pub const PERM_NETWORKS_READ: &str = "networks:read";
pub const PERM_NETWORKS_WRITE: &str = "networks:write";

// Nodes.
pub const PERM_NODES_READ: &str = "nodes:read";
pub const PERM_NODES_WRITE: &str = "nodes:write";

// Tokens (write only; no read permission is defined here).
pub const PERM_TOKENS_WRITE: &str = "tokens:write";

// Access-control lists.
pub const PERM_ACL_READ: &str = "acl:read";
pub const PERM_ACL_WRITE: &str = "acl:write";

// Key policy.
pub const PERM_KEY_POLICY_READ: &str = "key_policy:read";
pub const PERM_KEY_POLICY_WRITE: &str = "key_policy:write";

// Audit log (read only; no write permission is defined here).
pub const PERM_AUDIT_READ: &str = "audit:read";

// Users.
pub const PERM_USERS_READ: &str = "users:read";
pub const PERM_USERS_WRITE: &str = "users:write";

// Roles.
pub const PERM_ROLES_READ: &str = "roles:read";
pub const PERM_ROLES_WRITE: &str = "roles:write";

/// Require `permission` for `user` at global scope.
///
/// Convenience wrapper around [`ensure_permission`] that passes
/// [`SCOPE_GLOBAL`] as both the scope type and the scope id.
///
/// # Errors
///
/// Same as [`ensure_permission`]: `ApiError::Forbidden` when the permission
/// is not granted, `ApiError::Internal` when the lookup itself fails.
pub async fn ensure_permission_global(
    pool: &PgPool,
    user: &User,
    permission: &str,
) -> Result<(), ApiError> {
    let outcome = ensure_permission(pool, user, permission, SCOPE_GLOBAL, SCOPE_GLOBAL).await;
    outcome
}

/// Require `permission` for `user` within the scope `(scope_type, scope_id)`.
///
/// A user flagged `super_admin` is accepted immediately; the RBAC store is
/// not consulted for them. Everyone else is checked via
/// `rbac::user_has_permission`.
///
/// # Errors
///
/// * `ApiError::Forbidden` — the lookup succeeded and reported no grant.
/// * `ApiError::Internal` — the lookup failed. The underlying error is
///   discarded here, so a store failure denies access (fail-closed) rather
///   than granting it.
pub async fn ensure_permission(
    pool: &PgPool,
    user: &User,
    permission: &str,
    scope_type: &str,
    scope_id: &str,
) -> Result<(), ApiError> {
    // Super admins bypass the RBAC lookup entirely.
    if user.super_admin {
        return Ok(());
    }

    let lookup = rbac::user_has_permission(pool, user.id, permission, scope_type, scope_id).await;

    // Any lookup failure is reported as Internal, never as a grant.
    let granted = match lookup {
        Ok(granted) => granted,
        Err(_) => return Err(ApiError::Internal),
    };

    match granted {
        true => Ok(()),
        false => Err(ApiError::Forbidden),
    }
}