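use anyhow::Result;

use crate::acl::AccessControlList;

/// Authentication and permission front end backed by an [`AccessControlList`].
pub struct AuthManager {
    acl: AccessControlList,
}

impl AuthManager {
    /// Creates a manager that answers every query from `acl`.
    pub fn new(acl: AccessControlList) -> Self {
        AuthManager { acl }
    }

    /// Decides whether a login attempt for `username` is admitted.
    ///
    /// Returns `Ok(true)` when the attempt is admitted; this function never
    /// returns `Ok(false)`, so rejection is always reported as an error.
    ///
    /// # Errors
    ///
    /// * no password was supplied and `guest_access` is off;
    /// * a password was supplied but `get_user(username)` finds no entry.
    ///
    /// # Security
    ///
    /// SECURITY: the password's *value* is never inspected here. Any
    /// `Some(_)` is accepted for a username that exists in the ACL, so this
    /// is a presence check, not credential verification. Unless the caller
    /// verifies the credential elsewhere (not visible from this file), a
    /// comparison against the user's stored credential, done in constant
    /// time over a password hash, has to happen before `Ok(true)` is returned.
    ///
    /// SECURITY: on the guest path the username is not looked up at all, so a
    /// password-less call succeeds for every name, including names of real
    /// ACL users. Callers should treat such a session as anonymous rather
    /// than as `username`. NOTE(review): confirm that `check_permission` is
    /// not later called with that unverified name.
    pub fn authenticate(&self, username: &str, password: Option<&str>) -> Result<bool> {
        if password.is_none() {
            // Guest logins are the only password-less attempts that pass.
            if self.acl.guest_access {
                return Ok(true);
            }
            return Err(anyhow::anyhow!("Password required for user {}", username));
        }

        // A password is present from here on; only ACL membership is checked.
        if self.acl.get_user(username).is_none() {
            return Err(anyhow::anyhow!("User {} not in ACL", username));
        }

        Ok(true)
    }

    /// Checks whether `username` may perform `action`.
    ///
    /// The actions `"write"`, `"delete"` and `"create"` are checked with
    /// `has_access(username, true)`; every other string is checked with
    /// `has_access(username, false)`. Returns `Ok(true)` when access is
    /// granted and never `Ok(false)`.
    ///
    /// # Errors
    ///
    /// Returns an error naming the user and the action when `has_access`
    /// refuses.
    ///
    /// # Security
    ///
    /// SECURITY: the match is exact and case-sensitive, so an unknown or
    /// differently spelled action (for example `"Delete"`) is only held to
    /// the non-write check. NOTE(review): a closed enum of actions, or
    /// rejecting unrecognised strings, would make this fail closed.
    pub fn check_permission(&self, username: &str, action: &str) -> Result<bool> {
        let require_write = matches!(action, "write" | "delete" | "create");

        if self.acl.has_access(username, require_write) {
            Ok(true)
        } else {
            Err(anyhow::anyhow!(
                "User {} does not have {} permission",
                username,
                action
            ))
        }
    }

    /// Borrows the access control list currently in use.
    pub fn get_acl(&self) -> &AccessControlList {
        &self.acl
    }

    /// Replaces the access control list; later calls consult the new one.
    pub fn update_acl(&mut self, acl: AccessControlList) {
        self.acl = acl;
    }
}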