<?php

namespace App\Services\Providers;

use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Support\Providers\ProviderConsentStatus;
use App\Support\Providers\ProviderReasonCodes;

final class ProviderConnectionResolver
{
    public function __construct(
        private readonly ProviderIdentityResolver $identityResolver,
    ) {}

    public function resolveDefault(Tenant $tenant, string $provider): ProviderConnectionResolution
    {
        $defaults = ProviderConnection::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('provider', $provider)
            ->where('is_default', true)
            ->orderBy('id')
            ->get();

        if ($defaults->count() === 0) {
            return ProviderConnectionResolution::blocked(
                ProviderReasonCodes::ProviderConnectionMissing,
                'No default provider connection is configured for this tenant/provider.',
            );
        }

        if ($defaults->count() > 1) {
            return ProviderConnectionResolution::blocked(
                ProviderReasonCodes::ProviderConnectionInvalid,
                'Multiple default provider connections were detected.',
                'ext.multiple_defaults_detected',
            );
        }

        /** @var ProviderConnection $connection */
        $connection = $defaults->first();

        return $this->validateConnection($tenant, $provider, $connection);
    }

    public function validateConnection(Tenant $tenant, string $provider, ProviderConnection $connection): ProviderConnectionResolution
    {
        if ((int) $connection->tenant_id !== (int) $tenant->getKey() || (string) $connection->provider !== $provider) {
            return ProviderConnectionResolution::blocked(
                ProviderReasonCodes::ProviderConnectionInvalid,
                'Provider connection does not match tenant/provider scope.',
                'ext.connection_scope_mismatch',
                $connection,
            );
        }

        if ((string) $connection->status === 'disabled') {
            return ProviderConnectionResolution::blocked(
                ProviderReasonCodes::ProviderConnectionInvalid,
                'Provider connection is disabled.',
                'ext.connection_disabled',
                $connection,
            );
        }

        if ($connection->entra_tenant_id === null || trim((string) $connection->entra_tenant_id) === '') {
            return ProviderConnectionResolution::blocked(
                ProviderReasonCodes::ProviderConnectionInvalid,
                'Provider connection is missing target tenant scope.',
                'ext.connection_tenant_missing',
                $connection,
            );
        }

        $consentBlocker = $this->consentBlocker($connection);

        if ($consentBlocker instanceof ProviderConnectionResolution) {
            return $consentBlocker;
        }

        $identity = $this->identityResolver->resolve($connection);

        if (! $identity->resolved) {
            return ProviderConnectionResolution::blocked(
                $identity->effectiveReasonCode(),
                $identity->message,
                connection: $connection,
            );
        }

        return ProviderConnectionResolution::resolved($connection);
    }

    private function consentBlocker(ProviderConnection $connection): ?ProviderConnectionResolution
    {
        $consentStatus = $connection->consent_status;

        if ($consentStatus instanceof ProviderConsentStatus) {
            return match ($consentStatus) {
                ProviderConsentStatus::Required => ProviderConnectionResolution::blocked(
                    ProviderReasonCodes::ProviderConsentMissing,
                    'Provider connection requires admin consent before use.',
                    'ext.connection_needs_consent',
                    $connection,
                ),
                ProviderConsentStatus::Failed => ProviderConnectionResolution::blocked(
                    ProviderReasonCodes::ProviderConsentFailed,
                    'Provider connection consent failed. Retry admin consent before use.',
                    'ext.connection_consent_failed',
                    $connection,
                ),
                ProviderConsentStatus::Revoked => ProviderConnectionResolution::blocked(
                    ProviderReasonCodes::ProviderConsentRevoked,
                    'Provider connection consent was revoked. Grant admin consent again before use.',
                    'ext.connection_consent_revoked',
                    $connection,
                ),
                default => null,
            };
        }

        if ((string) $connection->status === 'needs_consent') {
            return ProviderConnectionResolution::blocked(
                ProviderReasonCodes::ProviderConsentMissing,
                'Provider connection requires admin consent before use.',
                'ext.connection_needs_consent',
                $connection,
            );
        }

        return null;
    }
}