<?php

namespace App\Policies;

use App\Models\Finding;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Auth\CapabilityResolver;
use App\Support\Auth\Capabilities;
use Illuminate\Auth\Access\HandlesAuthorization;

class FindingPolicy
{
    use HandlesAuthorization;

    public function viewAny(User $user): bool
    {
        $tenant = Tenant::current();

        if (! $tenant instanceof Tenant) {
            return false;
        }

        if (! $user->canAccessTenant($tenant)) {
            return false;
        }

        return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW);
    }

    public function view(User $user, Finding $finding): bool
    {
        $tenant = Tenant::current();

        if (! $tenant) {
            return false;
        }

        if (! $user->canAccessTenant($tenant)) {
            return false;
        }

        if ((int) $finding->tenant_id !== (int) $tenant->getKey()) {
            return false;
        }

        return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW);
    }

    public function update(User $user, Finding $finding): bool
    {
        return $this->triage($user, $finding);
    }

    public function triage(User $user, Finding $finding): bool
    {
        return $this->canMutateWithAnyCapability($user, $finding, [
            Capabilities::TENANT_FINDINGS_TRIAGE,
            Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
        ]);
    }

    public function assign(User $user, Finding $finding): bool
    {
        return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_ASSIGN);
    }

    public function resolve(User $user, Finding $finding): bool
    {
        return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_RESOLVE);
    }

    public function close(User $user, Finding $finding): bool
    {
        return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_CLOSE);
    }

    public function riskAccept(User $user, Finding $finding): bool
    {
        return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_RISK_ACCEPT);
    }

    public function reopen(User $user, Finding $finding): bool
    {
        return $this->triage($user, $finding);
    }

    private function canMutateWithCapability(User $user, Finding $finding, string $capability): bool
    {
        return $this->canMutateWithAnyCapability($user, $finding, [$capability]);
    }

    /**
     * @param  array<int, string>  $capabilities
     */
    private function canMutateWithAnyCapability(User $user, Finding $finding, array $capabilities): bool
    {
        $tenant = Tenant::current();

        if (! $tenant instanceof Tenant) {
            return false;
        }

        if (! $user->canAccessTenant($tenant)) {
            return false;
        }

        if ((int) $finding->tenant_id !== (int) $tenant->getKey()) {
            return false;
        }

        /** @var CapabilityResolver $resolver */
        $resolver = app(CapabilityResolver::class);

        foreach ($capabilities as $capability) {
            if ($resolver->can($user, $tenant, $capability)) {
                return true;
            }
        }

        return false;
    }
}