// Package rbac provides role-based access control for the KnowFoolery application.
package rbac

// Role represents a user role.
type Role string

// Predefined roles
const (
	RolePlayer    Role = "player"
	RoleAdmin     Role = "admin"
	RoleModerator Role = "moderator"
)

// Permission represents a permission in the system.
type Permission string

// Game permissions
const (
	PermissionPlayGame Permission = "game:play"
	PermissionViewGame Permission = "game:view"
)

// Question permissions
const (
	PermissionViewQuestion   Permission = "question:view"
	PermissionCreateQuestion Permission = "question:create"
	PermissionUpdateQuestion Permission = "question:update"
	PermissionDeleteQuestion Permission = "question:delete"
)

// User permissions
const (
	PermissionViewOwnProfile   Permission = "user:view:own"
	PermissionUpdateOwnProfile Permission = "user:update:own"
	PermissionDeleteOwnAccount Permission = "user:delete:own"
	PermissionViewUsers        Permission = "user:view:all"
	PermissionManageUsers      Permission = "user:manage"
)

// Leaderboard permissions
const (
	PermissionViewLeaderboard Permission = "leaderboard:view"
)

// Admin permissions
const (
	PermissionViewAuditLog  Permission = "audit:view"
	PermissionViewDashboard Permission = "dashboard:view"
	PermissionManageSystem  Permission = "system:manage"
)

// rolePermissions maps roles to their permissions.
var rolePermissions = map[Role][]Permission{
	RolePlayer: {
		PermissionPlayGame,
		PermissionViewGame,
		PermissionViewQuestion,
		PermissionViewLeaderboard,
		PermissionViewOwnProfile,
		PermissionUpdateOwnProfile,
		PermissionDeleteOwnAccount,
	},
	RoleModerator: {
		PermissionPlayGame,
		PermissionViewGame,
		PermissionViewQuestion,
		PermissionCreateQuestion,
		PermissionUpdateQuestion,
		PermissionViewLeaderboard,
		PermissionViewOwnProfile,
		PermissionUpdateOwnProfile,
		PermissionDeleteOwnAccount,
		PermissionViewUsers,
	},
	RoleAdmin: {
		PermissionPlayGame,
		PermissionViewGame,
		PermissionViewQuestion,
		PermissionCreateQuestion,
		PermissionUpdateQuestion,
		PermissionDeleteQuestion,
		PermissionViewLeaderboard,
		PermissionViewOwnProfile,
		PermissionUpdateOwnProfile,
		PermissionDeleteOwnAccount,
		PermissionViewUsers,
		PermissionManageUsers,
		PermissionViewAuditLog,
		PermissionViewDashboard,
		PermissionManageSystem,
	},
}

// HasPermission checks if a role has a specific permission.
func HasPermission(role Role, permission Permission) bool {
	permissions, ok := rolePermissions[role]
	if !ok {
		return false
	}

	for _, p := range permissions {
		if p == permission {
			return true
		}
	}
	return false
}

// HasAnyPermission checks if a role has any of the specified permissions.
func HasAnyPermission(role Role, permissions ...Permission) bool {
	for _, permission := range permissions {
		if HasPermission(role, permission) {
			return true
		}
	}
	return false
}

// HasAllPermissions checks if a role has all of the specified permissions.
func HasAllPermissions(role Role, permissions ...Permission) bool {
	for _, permission := range permissions {
		if !HasPermission(role, permission) {
			return false
		}
	}
	return true
}

// UserHasPermission checks if a user with the given roles has a specific permission.
func UserHasPermission(roles []string, permission Permission) bool {
	for _, roleStr := range roles {
		if HasPermission(Role(roleStr), permission) {
			return true
		}
	}
	return false
}

// GetPermissions returns all permissions for a role.
func GetPermissions(role Role) []Permission {
	permissions, ok := rolePermissions[role]
	if !ok {
		return nil
	}

	// Return a copy to prevent modification
	result := make([]Permission, len(permissions))
	copy(result, permissions)
	return result
}

// IsValidRole checks if a role string is a valid role.
func IsValidRole(roleStr string) bool {
	role := Role(roleStr)
	_, ok := rolePermissions[role]
	return ok
}