package repository

import (
	"context"
	"database/sql"
	"errors"

	"code.nochebuena.dev/go/rbac"
	"code.nochebuena.dev/go/sqlite"
)

// DBPermissionProvider implements rbac.PermissionProvider on top of the
// user_role table. When no row matches, the provider reports an empty mask
// (0), so an unknown user/resource pair resolves to "no permissions".
type DBPermissionProvider struct {
	db sqlite.Client
}

// NewPermissionProvider builds a DBPermissionProvider that issues its queries
// through the supplied client.
func NewPermissionProvider(db sqlite.Client) *DBPermissionProvider {
	provider := new(DBPermissionProvider)
	provider.db = db
	return provider
}

// ResolveMask looks up the permission bit-mask stored for uid on resource.
//
// Outcomes:
//   - row found:     the stored value converted to rbac.PermissionMask, nil error
//   - no row:        0, nil (absence is reported as "no permissions")
//   - other failure: 0 and the underlying error, unwrapped
//
// A missing row and a stored value of 0 are indistinguishable to the caller.
// The zero mask returned alongside a non-nil error is not an authorization
// decision; callers should check the error before using the mask.
func (p *DBPermissionProvider) ResolveMask(ctx context.Context, uid, resource string) (rbac.PermissionMask, error) {
	// uid and resource are passed as bound parameters and never concatenated
	// into the SQL text.
	// NOTE(review): presumably (user_id, resource) is unique in user_role; a
	// single-row query would otherwise use only one of the matches — confirm
	// against the schema.
	const query = `SELECT permissions FROM user_role WHERE user_id = ? AND resource = ?`

	var stored int64
	err := p.db.GetExecutor(ctx).QueryRowContext(ctx, query, uid, resource).Scan(&stored)

	switch {
	case err == nil:
		// NOTE(review): the conversion is not range-checked. If
		// rbac.PermissionMask is unsigned or narrower than int64, a negative
		// or oversized stored value would be reinterpreted as a different set
		// of bits — confirm the column is constrained accordingly.
		return rbac.PermissionMask(stored), nil
	case errors.Is(err, sql.ErrNoRows):
		// No grant recorded for this pair: report the empty mask.
		return 0, nil
	default:
		return 0, err
	}
}