import {
  BadRequestException,
  Body,
  Controller,
  Delete,
  Get,
  Param,
  ParseUUIDPipe,
  Post,
  Query,
} from '@nestjs/common';
import { IsNotEmpty, IsOptional, IsString, IsUUID, MaxLength, isUUID } from 'class-validator';
import { RequirePermissions } from '@common/decorators/permissions.decorator';
import { CurrentUser } from '@common/decorators/current-user.decorator';
import { Auditable, Sensitive } from '@core/observability/audit/decorators/auditable.decorator';
import { DataScopeAdminService } from './data-scope-admin.service';

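/**
 * Request body for `POST iam/role-data-scopes` (bind a data scope to a role).
 *
 * Validation is declared with class-validator decorators and therefore only
 * takes effect when a `ValidationPipe` is registered for this route or
 * globally — that registration is not visible in this file; confirm it exists
 * and that it runs with `whitelist: true` so unknown body keys are dropped
 * rather than forwarded to the service.
 */
class BindRoleDataScopeDto {
  /** Role that receives the data scope. `@IsUUID()` accepts any UUID version. */
  @IsUUID()
  roleId!: string;

  /** Data scope being bound to the role. Any UUID version is accepted. */
  @IsUUID()
  dataScopeId!: string;

  /**
   * Resource the binding applies to. When omitted the controller substitutes
   * the `'*'` wildcard.
   *
   * `@IsNotEmpty()` closes an edge case: `''` satisfies `@IsString()` and
   * `@MaxLength(64)` but is not nullish, so the controller's `?? '*'` default
   * would not apply and a binding keyed on an empty resource name would be
   * created. Whitespace-only or otherwise malformed names still pass — the
   * accepted resource syntax is not visible here; add a `@Matches()` pattern
   * once it is known.
   */
  @IsOptional()
  @IsString()
  @IsNotEmpty()
  @MaxLength(64)
  resource?: string;
}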

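/**
 * IAM admin API: the Role × Resource → DataScope binding matrix.
 *
 * Every route is gated by an `iam_admin:*` permission via `@RequirePermissions`;
 * the two mutating routes are additionally decorated `@Auditable()` and
 * `@Sensitive()` for the audit layer. All handlers delegate to
 * `DataScopeAdminService`, which is where bindings are read, created and
 * removed — authorization beyond the permission check (e.g. whether the caller
 * may touch a given role) is not performed in this controller.
 */
@Controller('iam/role-data-scopes')
export class RoleDataScopesController {
  constructor(private readonly service: DataScopeAdminService) {}

  /**
   * Lists the binding matrix, optionally restricted to a single role.
   *
   * @param roleId - optional filter; when present it must be a UUID.
   * @returns whatever `DataScopeAdminService.listMatrix` returns for the filter.
   * @throws BadRequestException when `roleId` is present but not a UUID.
   */
  @Get()
  @RequirePermissions('iam_admin:read')
  list(@Query('roleId') roleId?: string) {
    // Query parameters do not go through the DTO validation the POST body
    // gets, so the filter is checked here with the same validator `@IsUUID()`
    // uses; previously any string (or a repeated-key array) was forwarded to
    // the service untouched. `new ParseUUIDPipe({ optional: true })` would be
    // the equivalent where the installed Nest version supports `optional`.
    if (roleId !== undefined && !isUUID(roleId)) {
      throw new BadRequestException('roleId must be a UUID');
    }
    return this.service.listMatrix(roleId);
  }

  /**
   * Creates a Role × Resource → DataScope binding.
   *
   * @param body - validated binding request (see `BindRoleDataScopeDto`).
   * @param actor - the caller's user id, handed to the service for the audit
   *   trail. Presumably populated by the auth guard behind
   *   `@RequirePermissions`; it is not checked for presence here.
   * @returns the service's result for the created binding.
   */
  @Post()
  @RequirePermissions('iam_admin:manage')
  @Auditable()
  @Sensitive()
  bind(
    @Body() body: BindRoleDataScopeDto,
    @CurrentUser('userId') actor: string,
  ) {
    // An omitted resource is widened to the '*' wildcard. That is a
    // privilege-broadening default, so it is kept explicit at the API edge;
    // callers that mean one resource must name it.
    const binding = {
      roleId: body.roleId,
      dataScopeId: body.dataScopeId,
      resource: body.resource ?? '*',
    };
    return this.service.bind(binding, actor);
  }

  /**
   * Removes one binding by its id.
   *
   * @param id - binding id; `ParseUUIDPipe` rejects non-UUID values with 400
   *   before the service is reached.
   * @param actor - the caller's user id, handed to the service for the audit
   *   trail (same provenance caveat as in `bind`).
   * @returns the service's result for the removed binding.
   */
  @Delete(':id')
  @RequirePermissions('iam_admin:manage')
  @Auditable()
  @Sensitive()
  unbind(
    @Param('id', ParseUUIDPipe) id: string,
    @CurrentUser('userId') actor: string,
  ) {
    return this.service.unbind(id, actor);
  }
}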
