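package middleware

import (
	"context"
	"errors"
	"strconv"
	"strings"

	"github.com/go-kratos/kratos/v2/middleware"
	"github.com/go-kratos/kratos/v2/transport"

	pkgcasbin "kra/pkg/casbin"
)

var (
	// ErrPermissionDenied is returned when the Casbin policy does not allow
	// the request, or when no authorization decision can be made at all.
	ErrPermissionDenied = errors.New("权限不足")
)

// CasbinRBAC returns a Casbin-backed authorization middleware.
//
// For every request it builds a (subject, object, action) triple and asks the
// shared enforcer from pkgcasbin.GetEnforcer whether it is allowed:
//   - subject: the decimal string of claims.AuthorityID, taken from GetClaims;
//   - object: tr.Operation() with routerPrefix trimmed when routerPrefix is
//     non-empty;
//   - action: the ":method" request header, falling back to "GET".
//
// It returns ErrMissingToken when the context carries no claims, the error
// from Enforce when policy evaluation fails, and ErrPermissionDenied when the
// policy rejects the request. The middleware fails closed: a missing
// server transport or an uninitialised enforcer also yields
// ErrPermissionDenied instead of letting the request through unchecked.
func CasbinRBAC(routerPrefix string) middleware.Middleware {
	return func(handler middleware.Handler) middleware.Handler {
		return func(ctx context.Context, req interface{}) (interface{}, error) {
			claims, ok := GetClaims(ctx)
			if !ok {
				return nil, ErrMissingToken
			}

			// Without transport information there is no object/action to
			// evaluate, so the request cannot be authorized; deny it rather
			// than forwarding it to the handler unchecked.
			tr, ok := transport.FromServerContext(ctx)
			if !ok {
				return nil, ErrPermissionDenied
			}

			// Object: the operation, made relative to the router prefix.
			path := tr.Operation()
			if routerPrefix != "" {
				path = strings.TrimPrefix(path, routerPrefix)
			}

			// Action: the request method.
			// NOTE(review): the action falls back to "GET" whenever the
			// ":method" header is absent, so a non-GET request would then be
			// evaluated against GET policies. Confirm the transport in use
			// actually populates this header.
			act := "GET"
			if header := tr.RequestHeader(); header != nil {
				if method := header.Get(":method"); method != "" {
					act = method
				}
			}

			// Subject: the caller's role (authority) id.
			sub := strconv.Itoa(int(claims.AuthorityID))

			// A nil enforcer means no policy can be evaluated. Treat that as
			// a denial so an initialisation failure cannot silently disable
			// authorization for every route behind this middleware.
			enforcer := pkgcasbin.GetEnforcer()
			if enforcer == nil {
				return nil, ErrPermissionDenied
			}

			allowed, err := enforcer.Enforce(sub, path, act)
			if err != nil {
				return nil, err
			}
			if !allowed {
				return nil, ErrPermissionDenied
			}

			return handler(ctx, req)
		}
	}
}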