<?php

namespace App\Services\Providers;

use App\Models\ProviderConnection;
use App\Models\ProviderCredential;
use App\Support\Providers\ProviderConnectionType;
use App\Support\Providers\ProviderCredentialSource;
use App\Support\Providers\ProviderReasonCodes;
use InvalidArgumentException;
use RuntimeException;

final class ProviderIdentityResolver
{
    public function __construct(
        private readonly PlatformProviderIdentityResolver $platformResolver,
        private readonly CredentialManager $credentials,
    ) {}

    public function resolve(ProviderConnection $connection): ProviderIdentityResolution
    {
        $tenantContext = trim((string) $connection->entra_tenant_id);
        $connectionType = $this->resolveConnectionType($connection);

        if ($connectionType === null) {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                tenantContext: $tenantContext !== '' ? $tenantContext : 'organizations',
                credentialSource: 'unknown',
                reasonCode: ProviderReasonCodes::ProviderConnectionTypeInvalid,
                message: 'Provider connection type is invalid.',
            );
        }

        if ($tenantContext === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: $connectionType,
                tenantContext: 'organizations',
                credentialSource: $connectionType === ProviderConnectionType::Platform ? 'platform_config' : ProviderCredentialSource::DedicatedManual->value,
                reasonCode: ProviderReasonCodes::ProviderConnectionInvalid,
                message: 'Provider connection is missing target tenant scope.',
            );
        }

        if ((bool) $connection->migration_review_required) {
            return ProviderIdentityResolution::blocked(
                connectionType: $connectionType,
                tenantContext: $tenantContext,
                credentialSource: $connectionType === ProviderConnectionType::Platform ? 'platform_config' : ProviderCredentialSource::LegacyMigrated->value,
                reasonCode: ProviderReasonCodes::ProviderConnectionReviewRequired,
                message: 'Provider connection requires migration review before use.',
            );
        }

        if ($connectionType === ProviderConnectionType::Platform) {
            return $this->platformResolver->resolve($tenantContext);
        }

        return $this->resolveDedicatedIdentity($connection, $tenantContext);
    }

    private function resolveConnectionType(ProviderConnection $connection): ?ProviderConnectionType
    {
        $value = $connection->connection_type;

        if ($value instanceof ProviderConnectionType) {
            return $value;
        }

        if (! is_string($value)) {
            return null;
        }

        return ProviderConnectionType::tryFrom(trim($value));
    }

    private function resolveDedicatedIdentity(
        ProviderConnection $connection,
        string $tenantContext,
    ): ProviderIdentityResolution {
        try {
            $credentials = $this->credentials->getClientCredentials($connection);
        } catch (InvalidArgumentException|RuntimeException $exception) {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Dedicated,
                tenantContext: $tenantContext,
                credentialSource: $this->credentialSource($connection),
                reasonCode: $exception instanceof InvalidArgumentException
                    ? ProviderReasonCodes::DedicatedCredentialInvalid
                    : ProviderReasonCodes::DedicatedCredentialMissing,
                message: $exception->getMessage(),
            );
        }

        return ProviderIdentityResolution::resolved(
            connectionType: ProviderConnectionType::Dedicated,
            tenantContext: $tenantContext,
            effectiveClientId: $credentials['client_id'],
            credentialSource: $this->credentialSource($connection),
            clientSecret: $credentials['client_secret'],
            authorityTenant: $tenantContext,
            redirectUri: trim((string) route('admin.consent.callback')),
        );
    }

    private function credentialSource(ProviderConnection $connection): string
    {
        $credential = $connection->credential;

        if (! $credential instanceof ProviderCredential) {
            return ProviderCredentialSource::DedicatedManual->value;
        }

        $source = $credential->source;

        if ($source instanceof ProviderCredentialSource) {
            return $source->value;
        }

        if (is_string($source) && $source !== '') {
            return $source;
        }

        return ProviderCredentialSource::DedicatedManual->value;
    }
}