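package authz

import (
	"errors"
	"net"
	"net/http"
	"strings"

	cedar "github.com/cedar-policy/cedar-go"
	"github.com/xlgmokha/x/pkg/log"
	"gitlab.com/mokhax/spike/pkg/gid"
	"gitlab.com/mokhax/spike/pkg/policies"
)

// WithCedar returns an Authorizer that evaluates every request against the
// Cedar policy set through policies.Allowed.
//
// The Cedar request is assembled from the incoming *http.Request as:
//   - Principal: the token subject reported by TokenFrom(r).Subject(), or the
//     fixed "gid://example/User/*" entity when no subject is present;
//   - Action:    HttpMethod::<r.Method>;
//   - Resource:  HttpPath::<r.URL.Path>;
//   - Context:   {"host": <host part of r.Host>}.
//
// A request whose Host header cannot be reduced to a host name (see hostOf)
// is denied and the error is handed to log.WithFields.
func WithCedar() Authorizer {
	return AuthorizerFunc(func(r *http.Request) bool {
		// r.Host is client-supplied. hostOf accepts the port-less form that
		// browsers send on default ports; a bare net.SplitHostPort would
		// reject "example.com" with "missing port in address" and deny
		// every such request.
		host, err := hostOf(r.Host)
		if err != nil {
			// NOTE(review): the value returned by log.WithFields is
			// discarded — confirm this call emits a log entry by itself.
			log.WithFields(r.Context(), log.Fields{"error": err})
			return false
		}

		subject, found := TokenFrom(r).Subject()
		if !found {
			// presumably the anonymous/wildcard principal — verify the
			// policy set treats this entity as unauthenticated.
			subject = "gid://example/User/*"
		}

		// r.URL.Path is passed to the policy engine un-normalized (no
		// path.Clean): policies must account for trailing slashes and
		// dot segments themselves.
		return policies.Allowed(cedar.Request{
			Principal: gid.NewEntityUID(subject),
			Action:    cedar.NewEntityUID("HttpMethod", cedar.String(r.Method)),
			Resource:  cedar.NewEntityUID("HttpPath", cedar.String(r.URL.Path)),
			Context: cedar.NewRecord(cedar.RecordMap{
				"host": cedar.String(host),
			}),
		})
	})
}

// hostOf extracts the host name from an HTTP Host header value.
//
// "host:port" and "[v6]:port" yield the host part, as net.SplitHostPort
// does. A value with no port at all ("example.com", "[::1]") is accepted
// as-is with IPv6 brackets removed. An empty value, or any other malformed
// form (extra colons, unbalanced brackets), is returned as an error so the
// caller can deny the request.
func hostOf(hostport string) (string, error) {
	if hostport == "" {
		return "", errors.New("empty host")
	}
	host, _, err := net.SplitHostPort(hostport)
	if err == nil {
		return host, nil
	}
	// net.SplitHostPort reports a port-less value with this exact
	// *net.AddrError message; every other error stays a rejection.
	var addrErr *net.AddrError
	if errors.As(err, &addrErr) && addrErr.Err == "missing port in address" {
		return strings.TrimSuffix(strings.TrimPrefix(hostport, "["), "]"), nil
	}
	return "", err
}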