package permission

import (
	log "IotAdmin/core/logger"
	jwtauth "IotAdmin/core/sdk/pkg/jwt-auth"
	"IotAdmin/core/sdk/pkg/response"

	"github.com/casbin/casbin/v2"
	"github.com/casbin/casbin/v2/util"
	"github.com/gin-gonic/gin"
)

// CheckRoleApi reports whether the current request may proceed past the
// role-based API check.
//
// The decision is made in this order:
//  1. a "rolekey" claim equal to "admin" is allowed unconditionally;
//  2. any path matching /api/sys/* or /api/web/* is allowed for every role;
//  3. any (path, method) pair listed in CasbinExclude is allowed and logged;
//  4. otherwise the Casbin enforcer is asked with (rolekey, path, method).
//
// If the enforcer returns an error, the error is logged, a 500 response is
// written through response.Error, and the function returns false, so an
// enforcer failure denies the request rather than allowing it.
//
// NOTE(review): steps 1-3 never consult the Casbin policy. Presumably v comes
// from a JWT whose signature was already verified by the caller; confirm,
// because the admin shortcut trusts the "rolekey" claim as-is.
func CheckRoleApi(c *gin.Context, v jwtauth.MapClaims, e *casbin.SyncedEnforcer) (res bool) {
	role := v["rolekey"]

	// Permission check: the admin role is let straight through.
	if role == "admin" {
		return true
	}

	method, path := c.Request.Method, c.Request.URL.Path

	// Whole prefixes that skip Casbin for every role.
	// NOTE(review): handlers under these prefixes get no policy check from
	// this function; verify that each of them is meant to be reachable by any
	// role that reaches this point.
	switch {
	case util.KeyMatch2(path, "/api/sys/*"), util.KeyMatch2(path, "/api/web/*"):
		return true
	}

	// Individually excluded routes: pattern and method must both match.
	for _, rule := range CasbinExclude {
		if util.KeyMatch2(path, rule.Url) && method == rule.Method {
			// NOTE(review): method and path are client-controlled and are
			// formatted with %s; confirm the logger escapes control
			// characters so a crafted path cannot forge log lines.
			log.Infof("Casbin exclusion, no validation method:%s path:%s", method, path)
			return true
		}
	}

	allowed, err := e.Enforce(role, path, method)
	if err != nil {
		log.Errorf("AuthCheckRole error:%s method:%s path:%s", err, method, path)
		// NOTE(review): the raw enforcer error is handed to response.Error;
		// confirm it is not echoed to the client in the response body.
		response.Error(c, 500, err, "")
		return false
	}
	return allowed
}

// UrlInfo pairs a route pattern (matched with util.KeyMatch2) with the HTTP
// method it applies to.
type UrlInfo struct {
	Url    string
	Method string
}

// CasbinExclude lists the routes that are excluded from Casbin enforcement.
//
// NOTE(review): every entry here is allowed by CheckRoleApi without a policy
// lookup. /api/metrics and /api/health are included; confirm that exposing
// them to any role is intended or that access is restricted elsewhere.
var CasbinExclude = []UrlInfo{
	{Url: "/", Method: "GET"},
	{Url: "/info", Method: "GET"},
	{Url: "/api/login", Method: "POST"},
	{Url: "/api/refresh-token", Method: "POST"},
	{Url: "/api/logout", Method: "POST"},
	{Url: "/api/captcha", Method: "POST"},
	{Url: "/api/metrics", Method: "GET"},
	{Url: "/api/health", Method: "GET"},
}