<?php

declare(strict_types=1);

namespace App\Support\ReviewPublicationResolution;

use App\Models\ManagedEnvironment;
use App\Models\ReviewPublicationResolutionCase;
use App\Models\ReviewPublicationResolutionStep;
use App\Models\User;
use App\Services\Auth\CapabilityResolver;
use App\Support\Auth\Capabilities;

final class ReviewPublicationResolutionStepAuthorizer
{
    public function __construct(
        private readonly CapabilityResolver $capabilities,
    ) {}

    public function canExecuteCurrentStep(User $user, ReviewPublicationResolutionCase $case): bool
    {
        $case->loadMissing(['tenant', 'steps.operationRun']);

        $tenant = $case->tenant;
        $step = $case->currentStep();

        if (! $tenant instanceof ManagedEnvironment || ! $step instanceof ReviewPublicationResolutionStep) {
            return false;
        }

        return $this->canExecuteStep($user, $tenant, $step);
    }

    public function canExecuteStep(User $user, ManagedEnvironment $tenant, ReviewPublicationResolutionStep $step): bool
    {
        $capability = $this->requiredCapability($step);

        return is_string($capability) && $this->capabilities->can($user, $tenant, $capability);
    }

    public function requiredCapability(ReviewPublicationResolutionStep $step): ?string
    {
        $stepKey = $step->stepKeyEnum();

        return match ($stepKey) {
            ReviewPublicationResolutionStepKey::CompleteRequiredReports => $this->requiredReportCapability($step),
            ReviewPublicationResolutionStepKey::CollectEvidenceSnapshot => Capabilities::EVIDENCE_MANAGE,
            ReviewPublicationResolutionStepKey::RefreshReviewComposition,
            ReviewPublicationResolutionStepKey::GenerateReviewPack,
            ReviewPublicationResolutionStepKey::ReturnToPublication => Capabilities::ENVIRONMENT_REVIEW_MANAGE,
            ReviewPublicationResolutionStepKey::ValidateReviewReadiness,
            null => null,
        };
    }

    private function requiredReportCapability(ReviewPublicationResolutionStep $step): ?string
    {
        $missingDimensions = array_values(array_filter(
            (array) data_get($step->summary, 'missing_report_dimensions', []),
            static fn (mixed $dimension): bool => is_string($dimension) && trim($dimension) !== '',
        ));

        return match ((string) ($missingDimensions[0] ?? '')) {
            'permission_posture' => Capabilities::PROVIDER_RUN,
            'entra_admin_roles' => Capabilities::ENTRA_ROLES_MANAGE,
            default => null,
        };
    }
}