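# frozen_string_literal: true

# HTTP endpoints for Rule records: listing, create/edit, and the
# enable/disable state changes. Every mutating action runs through
# +authorize+ (Pundit-style) before touching the record.
#
# Follow proper before_action order:
# 1. Authentication/Authorization
# 2. Resource loading
class RulesController < ApplicationController
  # 1. Authentication/Authorization
  allow_unauthenticated_access only: [:index, :show]

  # 2. Resource loading
  before_action :set_rule, only: [:show, :edit, :update, :disable, :enable]
  before_action :set_project, only: [:index, :show]
  # :update is included so that a failed update re-renders :edit with the
  # same select options the edit action provides.
  before_action :set_form_options, only: [:index, :new, :create, :edit, :update]

  # GET /rules
  def index
    @rules = policy_scope(Rule).includes(:user, :network_range).order(created_at: :desc)
  end

  # GET /rules/new
  #
  # Optional query params +network_range_id+ and +cidr+ pre-fill the form.
  def new
    authorize Rule
    @rule = Rule.new
    prefill_from_query
  end

  # POST /rules
  #
  # When +cidr+ is given for a network rule, a NetworkRange for that CIDR is
  # looked up or created and attached before the rule is saved.
  def create
    authorize Rule
    @rule = Rule.new(rule_params)
    @rule.user = Current.user
    created_range = attach_network_range_from_cidr

    if @rule.save
      # The rule id does not exist before save, so the reason that references
      # it is written only now, and only for a range this request created.
      created_range&.update(creation_reason: "Created for rule ##{@rule.id}")
      redirect_to @rule, notice: 'Rule was successfully created.'
    else
      render :new, status: :unprocessable_entity
    end
  end

  # GET /rules/:id
  def show
    authorize @rule
  end

  # GET /rules/:id/edit
  def edit
    authorize @rule
  end

  # PATCH/PUT /rules/:id
  def update
    authorize @rule

    if @rule.update(rule_params)
      redirect_to @rule, notice: 'Rule was successfully updated.'
    else
      render :edit, status: :unprocessable_entity
    end
  end

  # POST /rules/:id/disable
  #
  # Optional +reason+ param; a blank reason falls back to the default text.
  def disable
    authorize @rule, :disable?
    # .presence treats "" the same as a missing param, so an empty reason is
    # never stored on the rule.
    reason = params[:reason].presence || "Disabled manually"
    @rule.disable!(reason: reason)
    redirect_to @rule, notice: 'Rule was successfully disabled.'
  end

  # POST /rules/:id/enable
  def enable
    authorize @rule, :enable?
    @rule.enable!
    redirect_to @rule, notice: 'Rule was successfully enabled.'
  end

  private

  # Loads the rule addressed by :id; Rule.find raises RecordNotFound (404) when absent.
  def set_rule
    @rule = Rule.find(params[:id])
  end

  # Select options shared by the index, new and edit views.
  def set_form_options
    @rule_types = Rule::RULE_TYPES
    @actions = Rule::ACTIONS
  end

  # Applies the +network_range_id+ / +cidr+ query params to the fresh @rule.
  def prefill_from_query
    if params[:network_range_id].present?
      # NOTE(review): the lookup is unscoped, so any existing range id pre-fills
      # the form; whether the current user may attach it is decided by the
      # policy checked on create — confirm that policy covers network_range_id.
      network_range = NetworkRange.find_by(id: params[:network_range_id])
      @rule.network_range = network_range if network_range
    end
    @rule.rule_type = 'network' if params[:cidr].present?
  end

  # Attaches the NetworkRange for params[:cidr] to @rule when the rule is a
  # network rule.
  #
  # @return [NetworkRange, nil] the range when this request created and saved
  #   it; nil when no CIDR was given, an existing range was reused, or the new
  #   range did not persist
  def attach_network_range_from_cidr
    return unless params[:cidr].present? && @rule.network_rule?

    created = false
    # NOTE(review): the lookup is by CIDR alone, so an existing range owned by
    # another user is reused as-is; confirm that is the intended behaviour.
    network_range = NetworkRange.find_or_create_by(cidr: params[:cidr]) do |range|
      created = true
      range.user = Current.user
      range.source = 'manual'
      range.creation_reason = 'Created for rule' # refined with the rule id after save
    end
    @rule.network_range = network_range
    network_range if created && network_range.persisted?
  end

  # Strong parameters for Rule.
  #
  # @raise [ActionController::ParameterMissing] when the :rule key is absent
  #   (a 400, instead of the NoMethodError a direct params[:rule][...] would raise)
  def rule_params
    rule = params.require(:rule)
    # NOTE(review): :source and :enabled are client-settable here; confirm the
    # policy/model is meant to let a client set the provenance of a rule.
    permitted = %i[rule_type action metadata expires_at enabled source network_range_id]
    # Only include conditions for non-network rules
    permitted << :conditions unless rule[:rule_type] == 'network'
    rule.permit(permitted)
  end

  # For now, use the first project or create a default one.
  def set_project
    # NOTE(review): this runs on the unauthenticated index/show routes, so the
    # first such request performs a write, and two concurrent first requests
    # may both attempt the create; acceptable only while this is a stopgap.
    @project = Project.first || Project.create!(
      name: 'Default Project',
      slug: 'default',
      public_key: SecureRandom.hex(32)
    )
  end
end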