# frozen_string_literal: true

module Clusters
  module Agents
    class RefreshAuthorizationService
      include Gitlab::Utils::StrongMemoize

      AUTHORIZED_ENTITY_LIMIT = 100

      delegate :project, to: :agent, private: true
      delegate :root_ancestor, to: :project, private: true

      def initialize(agent, config:)
        @agent = agent
        @config = config
      end

      def execute
        refresh_projects!
        refresh_groups!

        true
      end

      private

      attr_reader :agent, :config

      def refresh_projects!
        if allowed_project_configurations.present?
          project_ids = allowed_project_configurations.map { |config| config.fetch(:project_id) }

          agent.with_lock do
            agent.project_authorizations.upsert_all(allowed_project_configurations, unique_by: [:agent_id, :project_id])
            agent.project_authorizations.where.not(project_id: project_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
          end
        else
          agent.project_authorizations.delete_all(:delete_all)
        end
      end

      def refresh_groups!
        if allowed_group_configurations.present?
          group_ids = allowed_group_configurations.map { |config| config.fetch(:group_id) }

          agent.with_lock do
            agent.group_authorizations.upsert_all(allowed_group_configurations, unique_by: [:agent_id, :group_id])
            agent.group_authorizations.where.not(group_id: group_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
          end
        else
          agent.group_authorizations.delete_all(:delete_all)
        end
      end

      def allowed_project_configurations
        strong_memoize(:allowed_project_configurations) do
          project_entries = extract_config_entries(entity: 'projects')

          if project_entries
            allowed_projects.where_full_path_in(project_entries.keys).map do |project|
              { project_id: project.id, config: project_entries[project.full_path] }
            end
          end
        end
      end

      def allowed_group_configurations
        strong_memoize(:allowed_group_configurations) do
          group_entries = extract_config_entries(entity: 'groups')

          if group_entries
            allowed_groups.where_full_path_in(group_entries.keys).map do |group|
              { group_id: group.id, config: group_entries[group.full_path] }
            end
          end
        end
      end

      def extract_config_entries(entity:)
        config.dig('ci_access', entity)
          &.first(AUTHORIZED_ENTITY_LIMIT)
          &.index_by { |config| config.delete('id') }
      end

      def allowed_projects
        if group_root_ancestor?
          root_ancestor.all_projects
        else
          ::Project.id_in(project.id)
        end
      end

      def allowed_groups
        if group_root_ancestor?
          root_ancestor.self_and_descendants
        else
          ::Group.none
        end
      end

      def group_root_ancestor?
        root_ancestor.group_namespace?
      end
    end
  end
end