use crate::handlers::AppState;
use crate::middleware::TenantId;
use crate::middleware::auth::AuthContext;
use crate::models::{CreateRoleRequest, RoleResponse};
use axum::{Json, extract::State};
use common_telemetry::{AppError, AppResponse};
use tracing::instrument;

#[utoipa::path(
    post,
    path = "/roles",
    tag = "Role",
    security(
        ("bearer_auth" = [])
    ),
    request_body = CreateRoleRequest,
    responses(
        (status = 201, description = "角色创建成功", body = RoleResponse),
        (status = 400, description = "请求参数错误"),
        (status = 401, description = "未认证"),
        (status = 403, description = "无权限")
    ),
    params(
        ("Authorization" = String, Header, description = "Bearer <access_token>（访问令牌）"),
        ("X-Tenant-ID" = String, Header, description = "租户 UUID（可选，若提供需与 Token 中 tenant_id 一致）")
    )
)]
#[instrument(skip(state, payload))]
/// 在当前租户下创建角色。
///
/// 业务规则：
/// - 角色归属到当前租户（由 `TenantId` 决定），禁止跨租户写入。
/// - 需要具备 `role:write` 权限，否则返回 403。
///
/// 输入：
/// - Header `Authorization: Bearer <access_token>`（必填）
/// - Body `CreateRoleRequest`（必填）
///
/// 输出：
/// - `201`：返回新建角色信息（含 `id`）
///
/// 异常：
/// - `401`：未认证
/// - `403`：租户不匹配或无权限
/// - `400`：请求参数错误
pub async fn create_role_handler(
    TenantId(tenant_id): TenantId,
    State(state): State<AppState>,
    AuthContext {
        tenant_id: auth_tenant_id,
        user_id,
        ..
    }: AuthContext,
    Json(payload): Json<CreateRoleRequest>,
) -> Result<AppResponse<RoleResponse>, AppError> {
    if auth_tenant_id != tenant_id {
        return Err(AppError::PermissionDenied("tenant:mismatch".into()));
    }
    state
        .authorization_service
        .require_permission(tenant_id, user_id, "role:write")
        .await?;

    let role = state.role_service.create_role(tenant_id, payload).await?;
    Ok(AppResponse::created(RoleResponse {
        id: role.id,
        name: role.name,
        description: role.description,
    }))
}

#[utoipa::path(
    get,
    path = "/roles",
    tag = "Role",
    security(
        ("bearer_auth" = [])
    ),
    responses(
        (status = 200, description = "角色列表", body = [RoleResponse]),
        (status = 401, description = "未认证"),
        (status = 403, description = "无权限")
    ),
    params(
        ("Authorization" = String, Header, description = "Bearer <access_token>（访问令牌）"),
        ("X-Tenant-ID" = String, Header, description = "租户 UUID（可选，若提供需与 Token 中 tenant_id 一致）")
    )
)]
#[instrument(skip(state))]
/// 查询当前租户下的角色列表。
///
/// 业务规则：
/// - 仅返回当前租户角色；若 `X-Tenant-ID` 与 Token 不一致则返回 403。
/// - 需要具备 `role:read` 权限。
///
/// 输入：
/// - Header `Authorization: Bearer <access_token>`（必填）
///
/// 输出：
/// - `200`：角色列表
///
/// 异常：
/// - `401`：未认证
/// - `403`：租户不匹配或无权限
pub async fn list_roles_handler(
    TenantId(tenant_id): TenantId,
    State(state): State<AppState>,
    AuthContext {
        tenant_id: auth_tenant_id,
        user_id,
        ..
    }: AuthContext,
) -> Result<AppResponse<Vec<RoleResponse>>, AppError> {
    if auth_tenant_id != tenant_id {
        return Err(AppError::PermissionDenied("tenant:mismatch".into()));
    }
    state
        .authorization_service
        .require_permission(tenant_id, user_id, "role:read")
        .await?;

    let roles = state.role_service.list_roles(tenant_id).await?;
    let response = roles
        .into_iter()
        .map(|r| RoleResponse {
            id: r.id,
            name: r.name,
            description: r.description,
        })
        .collect();
    Ok(AppResponse::ok(response))
}