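package controllers

import (
	"code.crute.us/mcrute/cloud-identity-broker/app/middleware"
	"code.crute.us/mcrute/cloud-identity-broker/app/models"
	"code.crute.us/mcrute/cloud-identity-broker/cloud/aws"
	"github.com/labstack/echo/v4"
)

// requestContext bundles everything a handler needs once the caller has been
// authenticated and authorized for one AWS account: the account record, the
// authenticated principal, and an AWS client built from that account.
type requestContext struct {
	Account   *models.Account
	Principal *models.User
	AWS       aws.AWSClient
}

// AWSAPI is a capability that all handlers talking to the AWS APIs should use.
// This capability does common permission checks and populates a request
// context with user, account, and AWS API information.
type AWSAPI struct {
	Store models.AccountStore
}

// GetContext checks that the user is authenticated and is authorized to access
// the requested AWS account. This should be the very first call in any handler
// that will eventually call the AWS APIs. Errors returned from this method are
// echo responses and can be returned directly to the client.
//
// The account is looked up by the "account" path parameter. Failure modes:
//   - no authenticated principal: echo.ErrUnauthorized (401)
//   - account lookup fails for this principal: 404, so the response does not
//     reveal whether an account the caller may not access exists
//   - AWS client construction fails: echo.ErrInternalServerError (500), with
//     the underlying error written to the request logger only
func (h *AWSAPI) GetContext(c echo.Context) (*requestContext, error) {
	// Authentication comes first so an unauthenticated caller gets the same
	// 401 regardless of which account name was requested.
	principal, err := middleware.GetAuthorizedPrincipal(c)
	if err != nil {
		return nil, echo.ErrUnauthorized
	}

	// The request context (rather than context.Background) lets the store
	// call observe client disconnects and server-side request cancellation.
	// The lookup is performed as the principal, so it presumably doubles as
	// the authorization check; every error collapses to 404 on purpose.
	// NOTE(review): that also maps backend failures (e.g. store unavailable)
	// to 404; if the store exposes a not-found sentinel, distinguishing it
	// from other errors here would make outages visible as 500s.
	ctx := c.Request().Context()
	account, err := h.Store.GetForUser(ctx, c.Param("account"), principal)
	if err != nil {
		return nil, echo.NotFoundHandler(c)
	}

	ac, err := aws.NewAWSClientFromAccount(account)
	if err != nil {
		// %w is only understood by fmt.Errorf; the echo logger formats with
		// Sprintf semantics, where %w would print as "%!w(...)" and lose
		// the error text. %v renders the error normally.
		c.Logger().Errorf("Error building AWS client: %v", err)
		return nil, echo.ErrInternalServerError
	}

	return &requestContext{
		Account:   account,
		Principal: principal,
		AWS:       ac,
	}, nil
}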