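package authz

import (
	"context"
	"io"
	"strings"

	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
	authzed "github.com/authzed/authzed-go/v1"
	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
	"github.com/xlgmokha/x/pkg/mapper"
	"github.com/xlgmokha/x/pkg/x"
	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
)

// WithProjectIDs returns an option that stamps the "x-project-ids" header on
// an OK check response. The value is the comma-joined list of "project"
// resource IDs for which the subject mapped from request holds the
// "read_project" permission, as reported by client.LookupResources.
//
// The header is written on every path, including when client is the zero
// value or the lookup fails; in those cases the value is empty. Because the
// header uses OVERWRITE_IF_EXISTS_OR_ADD, writing it unconditionally means a
// same-named header already on the request is always replaced by the value
// computed here. Previously the failure paths returned without touching the
// header, so nothing on this side replaced a caller-supplied "x-project-ids".
// NOTE(review): whether the proxy strips that inbound header before it
// reaches the upstream is not visible in this file; confirm.
func WithProjectIDs(ctx context.Context, client *authzed.Client, request *auth.CheckRequest) x.Option[*auth.CheckResponse_OkResponse] {
	return x.With[*auth.CheckResponse_OkResponse](func(response *auth.CheckResponse_OkResponse) {
		// Nothing to attach the header to; also avoids a nil dereference below.
		if response == nil || response.OkResponse == nil {
			return
		}

		projectIDs := lookupReadableProjectIDs(ctx, client, request)

		// NOTE(review): the list is unbounded; a subject with many projects
		// could produce a very large header value. Confirm the limits of the
		// proxy and the upstream.
		response.OkResponse.Headers = append(response.OkResponse.Headers, &core.HeaderValueOption{
			Header: &core.HeaderValue{
				Key:   "x-project-ids",
				Value: strings.Join(projectIDs, ","),
			},
			AppendAction: core.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD,
		})
	})
}

// lookupReadableProjectIDs streams the "project" resources the request's
// subject may "read_project" and returns their object IDs. It returns nil when
// client is the zero value or the lookup cannot be started. Errors are logged
// through pls.LogError and never returned.
func lookupReadableProjectIDs(ctx context.Context, client *authzed.Client, request *auth.CheckRequest) []string {
	if x.IsZero(client) {
		return nil
	}

	stream, err := client.LookupResources(ctx, &v1.LookupResourcesRequest{
		ResourceObjectType: "project",
		Permission:         "read_project",
		Subject:            mapper.MapFrom[*auth.CheckRequest, *v1.SubjectReference](request),
	})
	if err != nil {
		pls.LogError(ctx, err)
		return nil
	}

	var projectIDs []string
	for {
		result, err := stream.Recv()
		if err == io.EOF {
			return projectIDs
		}
		if err != nil {
			// A mid-stream failure keeps the IDs received so far: the
			// truncated list is a subset of what the lookup reported, so it
			// grants no more than a complete answer would.
			pls.LogError(ctx, err)
			return projectIDs
		}
		projectIDs = append(projectIDs, result.ResourceObjectId)
	}
}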