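using StellaOps.Auth.Abstractions;
using System;
using System.Collections.Generic;
using static StellaOps.Localization.T;

namespace StellaOps.Configuration;

/// <summary>
/// Validation logic for a single tenant role definition in the Authority configuration.
/// </summary>
public sealed partial class AuthorityTenantRoleOptions
{
    /// <summary>
    /// Allow-list of attribute keys a tenant role may declare.
    /// Matching is ordinal and case-insensitive, so "ENV" and "env" are treated as the same key.
    /// </summary>
    // The element type must be spelled out: target-typed new() needs HashSet<string>,
    // and there is no non-generic HashSet to fall back on.
    private static readonly HashSet<string> _allowedAttributeKeys = new(
        new[] { "env", "owner", "business_tier" },
        StringComparer.OrdinalIgnoreCase);

    /// <summary>
    /// Rejects a role definition that grants no scopes, names a scope that
    /// <see cref="StellaOpsScopes"/> does not recognise, or carries an attribute key
    /// outside the allow-list.
    /// </summary>
    /// <param name="tenantId">Tenant identifier; used here only to build the error message.</param>
    /// <param name="roleName">Role name; used here only to build the error message.</param>
    /// <exception cref="InvalidOperationException">
    /// Thrown with a localized message on the first failed check.
    /// </exception>
    internal void Validate(string tenantId, string roleName)
    {
        // A role with no scopes is treated as a configuration error and fails validation.
        if (Scopes.Count == 0)
        {
            throw new InvalidOperationException(_t("config.tenant.role_scope_required", tenantId, roleName));
        }

        // Fail closed on the first scope name that is not in the known catalogue,
        // so a typo or an invented scope cannot pass validation unnoticed.
        foreach (var scope in Scopes)
        {
            if (!StellaOpsScopes.IsKnown(scope))
            {
                throw new InvalidOperationException(_t("config.tenant.role_unknown_scope", tenantId, roleName, scope));
            }
        }

        // Only attribute KEYS are checked against the allow-list; attribute values are
        // not inspected by this method.
        // NOTE(review): if values feed authorization decisions, confirm they are validated elsewhere.
        foreach (var attributeName in Attributes.Keys)
        {
            if (!_allowedAttributeKeys.Contains(attributeName))
            {
                throw new InvalidOperationException(_t("config.tenant.role_unsupported_attribute", tenantId, roleName, attributeName));
            }
        }
    }
}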