<?php

declare(strict_types=1);

namespace App\Support\References\Resolvers;

use App\Filament\Resources\EntraGroupResource;
use App\Models\EntraGroup;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Auth\CapabilityResolver;
use App\Services\Directory\EntraGroupLabelResolver;
use App\Support\Auth\Capabilities;
use App\Support\References\ReferenceClass;
use App\Support\References\ReferenceDescriptor;
use App\Support\References\ReferenceLinkTarget;
use App\Support\References\ResolvedReference;

final class EntraGroupReferenceResolver extends BaseReferenceResolver
{
    public function __construct(
        \App\Support\References\ReferenceTypeLabelCatalog $typeLabels,
        private readonly CapabilityResolver $capabilityResolver,
        private readonly EntraGroupLabelResolver $groupLabelResolver,
    ) {
        parent::__construct($typeLabels);
    }

    public function referenceClass(): ReferenceClass
    {
        return ReferenceClass::Group;
    }

    public function resolve(ReferenceDescriptor $descriptor): ResolvedReference
    {
        $tenantId = $descriptor->tenantId;

        if ($tenantId === null || $tenantId <= 0) {
            return $this->unresolved($descriptor, primaryLabel: 'Group');
        }

        $tenant = Tenant::query()->whereKey($tenantId)->first();

        if (! $tenant instanceof Tenant) {
            return $this->unresolved($descriptor, primaryLabel: 'Group');
        }

        $cachedDisplayName = $this->contextString($descriptor, 'cached_display_name');
        $resolvedFromCache = $descriptor->contextValue('resolved_from_cache');

        $group = EntraGroup::query()
            ->where('tenant_id', $tenantId)
            ->where('entra_id', strtolower($descriptor->rawIdentifier))
            ->first();

        if (! $group instanceof EntraGroup && $cachedDisplayName === null) {
            $cachedDisplayName = $this->groupLabelResolver->lookupOne($tenant, $descriptor->rawIdentifier);
            $resolvedFromCache = $cachedDisplayName !== null;
        }

        if ($group instanceof EntraGroup) {
            if (! $this->canOpenTenantRecord($group->tenant, Capabilities::TENANT_VIEW)) {
                return $this->inaccessible($descriptor, primaryLabel: 'Group');
            }

            return $this->resolved(
                descriptor: $descriptor,
                primaryLabel: (string) $group->display_name,
                secondaryLabel: $this->groupTypeLabel($group),
                linkTarget: new ReferenceLinkTarget(
                    targetKind: ReferenceClass::Group->value,
                    url: EntraGroupResource::scopedUrl('view', ['record' => $group], $group->tenant),
                    actionLabel: 'View group',
                    contextBadge: 'Tenant',
                ),
            );
        }

        if ($cachedDisplayName !== null) {
            return ($resolvedFromCache === true)
                ? $this->partiallyResolved($descriptor, primaryLabel: $cachedDisplayName, secondaryLabel: 'Cached group')
                : $this->externalLimited($descriptor, primaryLabel: $cachedDisplayName, secondaryLabel: 'Captured group');
        }

        return $this->unresolved($descriptor, primaryLabel: 'Group');
    }

    private function canOpenTenantRecord(?Tenant $tenant, string $capability): bool
    {
        $user = auth()->user();

        return $tenant instanceof Tenant
            && $user instanceof User
            && $this->capabilityResolver->isMember($user, $tenant)
            && $this->capabilityResolver->can($user, $tenant, $capability);
    }

    private function groupTypeLabel(EntraGroup $group): string
    {
        $groupTypes = $group->group_types;

        if (is_array($groupTypes) && in_array('Unified', $groupTypes, true)) {
            return 'Microsoft 365 group';
        }

        if ($group->security_enabled) {
            return 'Security group';
        }

        if ($group->mail_enabled) {
            return 'Mail-enabled group';
        }

        return 'Directory group';
    }
}