package authn

import (
	"context"
	"net/http"

	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
	"forge.cadoles.com/cadoles/bouncer/internal/store"
	"github.com/expr-lang/expr"
	"github.com/pkg/errors"
)

// Vars is the variable set handed to the authn layer rules. The
// authenticated user is reachable from an expression as `user`.
type Vars struct {
	User *User `expr:"user"`
}

// applyRules evaluates the rule engine attached to the given layer against
// the incoming request and the authenticated user.
//
// The engine is looked up in the per-layer cache under the "<proxy>-<name>"
// key and resolved for the layer's current revision with the given options.
// The evaluation result itself is discarded: only an error returned by the
// engine (for instance ErrForbidden raised by forbidden()) is surfaced to the
// caller, wrapped with a stack trace.
func (l *Layer) applyRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) error {
	cacheKey := string(layer.Proxy) + "-" + string(layer.Name)

	engine, err := l.ruleEngineCache.Get(cacheKey).Get(ctx, layer.Revision, options)
	if err != nil {
		return errors.WithStack(err)
	}

	// Attach the request to the context so the rule/http helpers can reach
	// it, then run the rules with the current user in scope.
	ctx = ruleHTTP.WithRequest(ctx, r)
	if _, err = engine.Apply(ctx, &Vars{User: user}); err != nil {
		return errors.WithStack(err)
	}

	return nil
}

// getAuthnAPI returns the expr options extending the rule language with the
// authn-specific helpers.
func getAuthnAPI() []expr.Option {
	// forbidden() allows the layer to hijack the current request and return a
	// 403 Forbidden HTTP status. It always yields true together with
	// ErrForbidden (stack-wrapped), which the engine is expected to propagate
	// as the evaluation error up to applyRules.
	forbidden := expr.Function(
		"forbidden",
		func(_ ...any) (any, error) {
			return true, errors.WithStack(ErrForbidden)
		},
		new(func() bool),
	)

	return []expr.Option{forbidden}
}