<?php

declare(strict_types=1);

namespace App\Filament\Widgets\Tenant;

use App\Jobs\ScanEntraAdminRolesJob;
use App\Models\StoredReport;
use App\Models\Tenant;
use App\Models\User;
use App\Support\Auth\Capabilities;
use Filament\Facades\Filament;
use Filament\Notifications\Notification;
use Filament\Widgets\Widget;

class AdminRolesSummaryWidget extends Widget
{
    protected static bool $isLazy = false;

    protected string $view = 'filament.widgets.tenant.admin-roles-summary';

    public ?Tenant $record = null;

    private function resolveTenant(): ?Tenant
    {
        $tenant = Filament::getTenant();

        if ($tenant instanceof Tenant) {
            return $tenant;
        }

        return $this->record instanceof Tenant ? $this->record : null;
    }

    public function scanNow(): void
    {
        $user = auth()->user();

        if (! $user instanceof User) {
            abort(403);
        }

        $tenant = $this->resolveTenant();

        if (! $tenant instanceof Tenant) {
            abort(404);
        }

        if (! $user->canAccessTenant($tenant)) {
            abort(404);
        }

        if (! $user->can(Capabilities::ENTRA_ROLES_MANAGE, $tenant)) {
            abort(403);
        }

        ScanEntraAdminRolesJob::dispatch(
            tenantId: (int) $tenant->getKey(),
            workspaceId: (int) $tenant->workspace_id,
            initiatorUserId: (int) $user->getKey(),
        );

        Notification::make()
            ->title('Entra admin roles scan queued')
            ->body('The scan will run in the background. Results appear once complete.')
            ->success()
            ->send();
    }

    /**
     * @return array<string, mixed>
     */
    protected function getViewData(): array
    {
        $tenant = $this->resolveTenant();

        if (! $tenant instanceof Tenant) {
            return $this->emptyState();
        }

        $user = auth()->user();
        $isTenantMember = $user instanceof User && $user->canAccessTenant($tenant);
        $canView = $isTenantMember && $user->can(Capabilities::ENTRA_ROLES_VIEW, $tenant);
        $canManage = $isTenantMember && $user->can(Capabilities::ENTRA_ROLES_MANAGE, $tenant);

        $report = StoredReport::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
            ->orderByDesc('created_at')
            ->first();

        if (! $report instanceof StoredReport) {
            return [
                'tenant' => $tenant,
                'reportSummary' => null,
                'lastScanAt' => null,
                'highPrivilegeCount' => 0,
                'canManage' => $canManage,
                'canView' => $canView,
                'viewReportUrl' => null,
            ];
        }

        $payload = is_array($report->payload) ? $report->payload : [];
        $totals = is_array($payload['totals'] ?? null) ? $payload['totals'] : [];
        $highPrivilegeCount = (int) ($totals['high_privilege_assignments'] ?? 0);

        return [
            'tenant' => $tenant,
            'reportSummary' => $totals,
            'lastScanAt' => $report->created_at?->diffForHumans() ?? '—',
            'highPrivilegeCount' => $highPrivilegeCount,
            'canManage' => $canManage,
            'canView' => $canView,
            'viewReportUrl' => null,
        ];
    }

    /**
     * @return array<string, mixed>
     */
    private function emptyState(): array
    {
        return [
            'tenant' => null,
            'reportSummary' => null,
            'lastScanAt' => null,
            'highPrivilegeCount' => 0,
            'canManage' => false,
            'canView' => false,
            'viewReportUrl' => null,
        ];
    }
}