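package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"os"
	"strings"
)

// roleAuditEvent is the JSON body recorded with role_granted/role_revoked
// audit events. Actor is the fixed identity of this tool; Role is the role
// name as granted or revoked.
type roleAuditEvent struct {
	Actor string `json:"actor"`
	Role  string `json:"role"`
}

// roleAuditPayload serialises the audit details for a grant or revoke of
// role as a JSON object. Going through encoding/json (rather than %q) keeps
// the payload valid JSON for any role name: Go quoting emits escapes such as
// \x.. and \a that JSON consumers reject.
func roleAuditPayload(role string) string {
	// Marshal of a struct holding two strings cannot fail (invalid UTF-8 is
	// replaced, never rejected), so the error is safe to discard.
	b, _ := json.Marshal(roleAuditEvent{Actor: "mciasdb", Role: role})
	return string(b)
}

// runRole dispatches the "role" command to one of its subcommands
// (list, grant, revoke). args is everything after "role"; the first
// element selects the subcommand and the remainder is handed to it.
// A missing or unknown subcommand terminates the process via fatalf.
func (t *tool) runRole(args []string) {
	if len(args) == 0 {
		fatalf("role requires a subcommand: list, grant, revoke")
	}
	sub, rest := args[0], args[1:]
	switch sub {
	case "list":
		t.roleList(rest)
	case "grant":
		t.roleGrant(rest)
	case "revoke":
		t.roleRevoke(rest)
	default:
		fatalf("unknown role subcommand %q", sub)
	}
}

// roleList prints the roles held by a single account.
//
// Flags: --id (required) is the account UUID. A failed account lookup or
// role query is fatal; an account with no roles is reported, not an error.
func (t *tool) roleList(args []string) {
	fs := flag.NewFlagSet("role list", flag.ExitOnError)
	id := fs.String("id", "", "account UUID (required)")
	// ExitOnError makes Parse terminate the process on a bad flag, so the
	// returned error is always nil here.
	_ = fs.Parse(args)
	if *id == "" {
		fatalf("role list: --id is required")
	}
	a, err := t.db.GetAccountByUUID(*id)
	if err != nil {
		fatalf("get account: %v", err)
	}
	roles, err := t.db.GetRoles(a.ID)
	if err != nil {
		fatalf("get roles: %v", err)
	}
	if len(roles) == 0 {
		fmt.Printf("account %s has no roles\n", a.Username)
		return
	}
	fmt.Printf("roles for %s (%s):\n", a.Username, a.UUID)
	for _, r := range roles {
		fmt.Printf(" %s\n", r)
	}
}

// roleGrant adds a role to an account and records a role_granted audit event.
//
// Flags: --id (required) is the account UUID; --role (required) is the role
// name. Surrounding whitespace on --role is stripped before validation so a
// whitespace-only value is rejected instead of being stored as an empty role.
// The audit write is best-effort: a failure is reported on stderr and does
// not undo the grant, which has already been committed by GrantRole.
func (t *tool) roleGrant(args []string) {
	fs := flag.NewFlagSet("role grant", flag.ExitOnError)
	id := fs.String("id", "", "account UUID (required)")
	role := fs.String("role", "", "role to grant (required)")
	_ = fs.Parse(args) // ExitOnError: Parse never returns an error
	if *id == "" {
		fatalf("role grant: --id is required")
	}
	// Normalise first, then validate: "--role '  '" must not pass the
	// emptiness check and then be granted as "".
	name := strings.TrimSpace(*role)
	if name == "" {
		fatalf("role grant: --role is required")
	}
	a, err := t.db.GetAccountByUUID(*id)
	if err != nil {
		fatalf("get account: %v", err)
	}
	if err := t.db.GrantRole(a.ID, name, nil); err != nil {
		fatalf("grant role: %v", err)
	}
	if err := t.db.WriteAuditEvent("role_granted", nil, &a.ID, "", roleAuditPayload(name)); err != nil {
		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
	}
	fmt.Printf("granted role %q to account %s\n", name, a.Username)
}

// roleRevoke removes a role from an account and records a role_revoked audit
// event.
//
// Flags: --id (required) is the account UUID; --role (required) is the role
// name, trimmed of surrounding whitespace so that the same normalisation is
// applied on revoke as on grant. As in roleGrant the audit write is
// best-effort and a failure does not undo the revocation.
func (t *tool) roleRevoke(args []string) {
	fs := flag.NewFlagSet("role revoke", flag.ExitOnError)
	id := fs.String("id", "", "account UUID (required)")
	role := fs.String("role", "", "role to revoke (required)")
	_ = fs.Parse(args) // ExitOnError: Parse never returns an error
	if *id == "" {
		fatalf("role revoke: --id is required")
	}
	name := strings.TrimSpace(*role)
	if name == "" {
		fatalf("role revoke: --role is required")
	}
	a, err := t.db.GetAccountByUUID(*id)
	if err != nil {
		fatalf("get account: %v", err)
	}
	if err := t.db.RevokeRole(a.ID, name); err != nil {
		fatalf("revoke role: %v", err)
	}
	if err := t.db.WriteAuditEvent("role_revoked", nil, &a.ID, "", roleAuditPayload(name)); err != nil {
		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
	}
	fmt.Printf("revoked role %q from account %s\n", name, a.Username)
}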