using System.Security.Claims;

namespace Nuuru.Server.Auth
{
    /// <summary>
    /// Utility class for calculating effective permissions based on roles, user permissions, and denials.
    /// </summary>
    public static class PermissionCalculator
    {
        /// <summary>
        /// Computes effective permissions using the formula: (rolePermissions ∪ userPermissions) \ userDenials
        /// </summary>
        /// <param name="rolePermissions">Permissions granted by roles</param>
        /// <param name="userAllowPermissions">Permissions granted directly to the user</param>
        /// <param name="userDenyPermissions">Permissions explicitly denied to the user</param>
        /// <returns>The effective set of permissions after applying denials</returns>
        public static IEnumerable<string> ComputeEffectivePermissions(
            IEnumerable<string> rolePermissions,
            IEnumerable<string> userAllowPermissions,
            IEnumerable<string> userDenyPermissions)
        {
            var roleAllows = new HashSet<string>(rolePermissions, StringComparer.OrdinalIgnoreCase);
            var userAllows = new HashSet<string>(userAllowPermissions, StringComparer.OrdinalIgnoreCase);
            var userDenies = new HashSet<string>(userDenyPermissions, StringComparer.OrdinalIgnoreCase);

            // Effective = (roleAllows ∪ userAllows) \ userDenies
            var effective = roleAllows.Union(userAllows).Except(userDenies);

            return effective.ToList();
        }

        /// <summary>
        /// Computes effective permissions from claims.
        /// </summary>
        /// <param name="roleClaims">Claims from user's roles</param>
        /// <param name="userClaims">Claims directly assigned to the user</param>
        /// <returns>The effective set of permissions after applying denials</returns>
        public static IEnumerable<string> ComputeEffectivePermissionsFromClaims(
            IEnumerable<Claim> roleClaims,
            IEnumerable<Claim> userClaims)
        {
            var rolePermissions = roleClaims
                .Where(c => c.Type == Permissions.ClaimType)
                .Select(c => c.Value);

            var userAllowPermissions = userClaims
                .Where(c => c.Type == Permissions.ClaimType)
                .Select(c => c.Value);

            var userDenyPermissions = userClaims
                .Where(c => c.Type == Permissions.DenyClaimType)
                .Select(c => c.Value);

            return ComputeEffectivePermissions(rolePermissions, userAllowPermissions, userDenyPermissions);
        }
    }
}