defmodule WorkloadServiceWeb.Router do
  @moduledoc """
  HTTP routing for the workload service.

  Three groups of routes live here:

    * health probes (`/health`, `/health/ready`) that pass through no pipeline;
    * the OpenAPI document at `/api/openapi`, which passes through `:api` only,
      plus a Swagger UI at `/swaggerui` that is compiled in for `:dev` builds only;
    * the task API under `/api/v1`, where every action runs `:api`, then `:auth`,
      then one permission pipeline built on `authorize_roles/2`.
  """

  use WorkloadServiceWeb, :router

  alias WorkloadServiceWeb.HealthController
  alias WorkloadServiceWeb.Plugs.AuthorizeRoles
  alias WorkloadServiceWeb.TaskController

  # Shared by every `/api` route: publishes the OpenAPI spec for the OpenApiSpex plugs.
  pipeline :api do
    plug OpenApiSpex.Plug.PutApiSpec, module: WorkloadServiceWeb.ApiSpec
  end

  # Authentication chain for the task API. Order matters: the bearer token is
  # extracted and its presence enforced first, the organization-id plugs run next,
  # and the token is introspected against the provider last. The organization-id
  # plugs therefore run before the token's validity has been confirmed; that is
  # harmless if they only read and require a request value (TODO confirm), but
  # nothing in them should trust token contents at that point.
  pipeline :auth do
    plug Oidcc.Plug.ExtractAuthorization
    plug Oidcc.Plug.RequireAuthorization
    plug WorkloadServiceWeb.Plugs.RequireOrganizationId
    plug WorkloadServiceWeb.Plugs.ExtractOrganizationId
    plug :introspect
  end

  # One pipeline per task permission. Each wraps `authorize_roles/2` with the
  # single permission string the corresponding action requires.
  pipeline :read do
    plug :authorize_roles, required_permissions: ["task:read"]
  end

  pipeline :submit do
    plug :authorize_roles, required_permissions: ["task:submit"]
  end

  pipeline :request_approval do
    plug :authorize_roles, required_permissions: ["task:request_approval"]
  end

  pipeline :approve do
    plug :authorize_roles, required_permissions: ["task:approve"]
  end

  pipeline :complete do
    plug :authorize_roles, required_permissions: ["task:complete"]
  end

  # Liveness/readiness probes: no pipeline, no authentication.
  get "/health", HealthController, :health
  get "/health/ready", HealthController, :ready

  # The spec document is readable without a token; only `:api` applies.
  scope "/api" do
    pipe_through :api

    get "/openapi", OpenApiSpex.Plug.RenderSpec, []
  end

  # Task API. Each scope names its full chain so the order `:api` -> `:auth` ->
  # <permission> is visible at the route definition.
  scope "/api/v1" do
    pipe_through [:api, :auth, :read]

    get "/tasks", TaskController, :list
    get "/tasks/:id", TaskController, :show
  end

  scope "/api/v1" do
    pipe_through [:api, :auth, :submit]

    post "/tasks/:id/submit", TaskController, :submit
  end

  scope "/api/v1" do
    pipe_through [:api, :auth, :request_approval]

    post "/tasks/:id/request_approval", TaskController, :request_approval
  end

  scope "/api/v1" do
    pipe_through [:api, :auth, :approve]

    post "/tasks/:id/approve", TaskController, :approve
  end

  scope "/api/v1" do
    pipe_through [:api, :auth, :complete]

    post "/tasks/:id/complete", TaskController, :complete
  end

  # `Mix.env/0` is evaluated while this module compiles, so the Swagger UI route
  # exists only in `:dev` builds and is absent from every other build artifact.
  if Mix.env() == :dev do
    scope "/swaggerui" do
      get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
    end
  end

  @doc """
  Function plug that introspects the bearer token extracted by the `:auth` pipeline.

  Provider credentials are read from the `:zitadel` application environment on
  every call, so they follow runtime configuration rather than being frozen at
  compile time. No cache option is passed here; assume each request performs an
  introspection round-trip unless the plug caches internally (TODO confirm).
  """
  @spec introspect(Plug.Conn.t(), keyword()) :: Plug.Conn.t()
  def introspect(conn, _opts) do
    zitadel_cfg = Application.get_env(:workload_service, :zitadel)

    introspect_opts =
      Oidcc.Plug.IntrospectToken.init(
        provider: WorkloadService.ZitadelProvider,
        client_id: zitadel_cfg[:client_id],
        client_secret: zitadel_cfg[:client_secret],
        # NOTE(review): presumably permits introspecting tokens not issued to this
        # client id -- confirm against the Oidcc documentation.
        token_introspection_opts: %{client_self_only: false}
      )

    Oidcc.Plug.IntrospectToken.call(conn, introspect_opts)
  end

  @doc """
  Function plug that enforces the `required_permissions` supplied by the calling pipeline.

  The name of the claim carrying the caller's roles is taken from the `:zitadel`
  application environment (`:roles_claim`) at request time and merged into `opts`
  before delegating to `WorkloadServiceWeb.Plugs.AuthorizeRoles`. Keys produced by
  `AuthorizeRoles.init/1` take precedence over those in `opts`.
  """
  @spec authorize_roles(Plug.Conn.t(), keyword()) :: Plug.Conn.t()
  def authorize_roles(conn, opts) do
    zitadel_cfg = Application.get_env(:workload_service, :zitadel)
    claim_opts = AuthorizeRoles.init(roles_claim: zitadel_cfg[:roles_claim])

    AuthorizeRoles.call(conn, Keyword.merge(opts, claim_opts))
  end
end