<?php

namespace App\Http\Controllers;

use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Services\Intune\AuditLogger;
use App\Support\Providers\ProviderReasonCodes;
use Illuminate\Http\Request;
use Illuminate\View\View;
use Symfony\Component\HttpFoundation\Response as ResponseAlias;

class AdminConsentCallbackController extends Controller
{
    /**
     * Handle the incoming request.
     */
    public function __invoke(
        Request $request,
        AuditLogger $auditLogger,
    ): View {
        $expectedState = $request->session()->pull('tenant_onboard_state');
        $tenantKey = $request->string('tenant')->toString();
        $state = $request->string('state')->toString();
        $tenantIdentifier = $tenantKey ?: $this->parseState($state);

        if ($expectedState && $expectedState !== $state) {
            abort(ResponseAlias::HTTP_FORBIDDEN, 'Invalid consent state');
        }

        abort_if(empty($tenantIdentifier), 404);

        $tenant = $this->resolveTenant($tenantIdentifier);

        $error = $request->string('error')->toString() ?: null;
        $consentGranted = $request->has('admin_consent')
            ? filter_var($request->input('admin_consent'), FILTER_VALIDATE_BOOLEAN)
            : null;

        $status = match (true) {
            $error !== null => 'error',
            $consentGranted === false => 'consent_denied',
            $consentGranted === true => 'ok',
            default => 'pending',
        };

        $connection = $this->upsertProviderConnectionForConsent(
            tenant: $tenant,
            status: $status,
            error: $error,
        );

        $auditLogger->log(
            tenant: $tenant,
            action: 'tenant.consent.callback',
            context: [
                'metadata' => [
                    'status' => $status,
                    'state' => $state,
                    'error' => $error,
                    'consent' => $consentGranted,
                    'provider_connection_id' => (int) $connection->getKey(),
                ],
            ],
            status: $status === 'ok' ? 'success' : 'error',
            resourceType: 'tenant',
            resourceId: (string) $tenant->id,
        );

        return view('admin-consent-callback', [
            'tenant' => $tenant,
            'status' => $status,
            'error' => $error,
            'consentGranted' => $consentGranted,
        ]);
    }

    private function resolveTenant(string $tenantIdentifier): Tenant
    {
        /** @var Tenant|null $tenant */
        $tenant = Tenant::withTrashed()
            ->forTenant($tenantIdentifier)
            ->first();

        if ($tenant?->trashed()) {
            $tenant->restore();
        }

        if ($tenant instanceof Tenant) {
            return $tenant;
        }

        return Tenant::create([
            'tenant_id' => $tenantIdentifier,
            'name' => 'New Tenant',
        ]);
    }

    private function upsertProviderConnectionForConsent(Tenant $tenant, string $status, ?string $error): ProviderConnection
    {
        $hasDefault = ProviderConnection::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('provider', 'microsoft')
            ->where('is_default', true)
            ->exists();

        $connectionStatus = match ($status) {
            'ok' => 'connected',
            'error' => 'error',
            'consent_denied' => 'needs_consent',
            default => 'needs_consent',
        };

        $reasonCode = match ($status) {
            'ok' => null,
            'consent_denied' => ProviderReasonCodes::ProviderConsentMissing,
            'error' => ProviderReasonCodes::ProviderAuthFailed,
            default => ProviderReasonCodes::ProviderConsentMissing,
        };

        $connection = ProviderConnection::query()->updateOrCreate(
            [
                'tenant_id' => (int) $tenant->getKey(),
                'provider' => 'microsoft',
                'entra_tenant_id' => (string) ($tenant->graphTenantId() ?? $tenant->tenant_id ?? $tenant->external_id),
            ],
            [
                'workspace_id' => (int) $tenant->workspace_id,
                'display_name' => (string) ($tenant->name ?? 'Microsoft Connection'),
                'status' => $connectionStatus,
                'health_status' => $connectionStatus === 'connected' ? 'unknown' : 'degraded',
                'last_error_reason_code' => $reasonCode,
                'last_error_message' => $error,
                'is_default' => $hasDefault ? false : true,
            ],
        );

        if (! $hasDefault && ! $connection->is_default) {
            $connection->makeDefault();
        }

        return $connection;
    }

    private function parseState(?string $state): ?string
    {
        if (empty($state)) {
            return null;
        }

        if (str_contains($state, '|')) {
            [, $value] = explode('|', $state, 2);

            return $value;
        }

        return $state;
    }
}