// Code generated by ogen, DO NOT EDIT.

package gen

import (
	"context"
	"net/http"
	"strings"

	"github.com/go-faster/errors"
	"github.com/ogen-go/ogen/ogenerrors"
)

// SecurityHandler is handler for security parameters.
type SecurityHandler interface {
	// HandleBasicAuth handles BasicAuth security.
	// HTTP Basic аутентификация клиента ЮKassa.
	HandleBasicAuth(ctx context.Context, operationName OperationName, t BasicAuth) (context.Context, error)
	// HandleOAuth2 handles OAuth2 security.
	// Авторизация клиента ЮKassa с использованием OAuth-токена.
	HandleOAuth2(ctx context.Context, operationName OperationName, t OAuth2) (context.Context, error)
}

func findAuthorization(h http.Header, prefix string) (string, bool) {
	v, ok := h["Authorization"]
	if !ok {
		return "", false
	}
	for _, vv := range v {
		scheme, value, ok := strings.Cut(vv, " ")
		if !ok || !strings.EqualFold(scheme, prefix) {
			continue
		}
		return value, true
	}
	return "", false
}

// operationRolesBasicAuth is a private map storing roles per operation.
var operationRolesBasicAuth = map[string][]string{
	DealsDealIDGetOperation:                   []string{},
	DealsGetOperation:                         []string{},
	DealsPostOperation:                        []string{},
	MeGetOperation:                            []string{},
	PaymentMethodsPaymentMethodIDGetOperation: []string{},
	PaymentMethodsPostOperation:               []string{},
	PaymentsGetOperation:                      []string{},
	PaymentsPaymentIDCancelPostOperation:      []string{},
	PaymentsPaymentIDCapturePostOperation:     []string{},
	PaymentsPaymentIDGetOperation:             []string{},
	PaymentsPostOperation:                     []string{},
	PayoutsGetOperation:                       []string{},
	PayoutsPayoutIDGetOperation:               []string{},
	PayoutsPostOperation:                      []string{},
	PayoutsSearchGetOperation:                 []string{},
	PersonalDataPersonalDataIDGetOperation:    []string{},
	PersonalDataPostOperation:                 []string{},
	ReceiptsGetOperation:                      []string{},
	ReceiptsPostOperation:                     []string{},
	ReceiptsReceiptIDGetOperation:             []string{},
	RefundsGetOperation:                       []string{},
	RefundsPostOperation:                      []string{},
	RefundsRefundIDGetOperation:               []string{},
	SbpBanksGetOperation:                      []string{},
	WebhooksGetOperation:                      []string{},
	WebhooksPostOperation:                     []string{},
	WebhooksWebhookIDDeleteOperation:          []string{},
}

// GetRolesForBasicAuth returns the required roles for the given operation.
//
// This is useful for authorization scenarios where you need to know which roles
// are required for an operation.
//
// Example:
//
//	requiredRoles := GetRolesForBasicAuth(AddPetOperation)
//
// Returns nil if the operation has no role requirements or if the operation is unknown.
func GetRolesForBasicAuth(operation string) []string {
	roles, ok := operationRolesBasicAuth[operation]
	if !ok {
		return nil
	}
	// Return a copy to prevent external modification
	result := make([]string, len(roles))
	copy(result, roles)
	return result
}

// oauth2ScopesOAuth2 is a private map storing OAuth2 scopes per operation.
var oauth2ScopesOAuth2 = map[string][]string{
	DealsDealIDGetOperation:                   []string{},
	DealsGetOperation:                         []string{},
	DealsPostOperation:                        []string{},
	MeGetOperation:                            []string{},
	PaymentMethodsPaymentMethodIDGetOperation: []string{},
	PaymentMethodsPostOperation:               []string{},
	PaymentsGetOperation:                      []string{},
	PaymentsPaymentIDCancelPostOperation:      []string{},
	PaymentsPaymentIDCapturePostOperation:     []string{},
	PaymentsPaymentIDGetOperation:             []string{},
	PaymentsPostOperation:                     []string{},
	PayoutsGetOperation:                       []string{},
	PayoutsPayoutIDGetOperation:               []string{},
	PayoutsPostOperation:                      []string{},
	PayoutsSearchGetOperation:                 []string{},
	PersonalDataPersonalDataIDGetOperation:    []string{},
	PersonalDataPostOperation:                 []string{},
	ReceiptsGetOperation:                      []string{},
	ReceiptsPostOperation:                     []string{},
	ReceiptsReceiptIDGetOperation:             []string{},
	RefundsGetOperation:                       []string{},
	RefundsPostOperation:                      []string{},
	RefundsRefundIDGetOperation:               []string{},
	SbpBanksGetOperation:                      []string{},
	WebhooksGetOperation:                      []string{},
	WebhooksPostOperation:                     []string{},
	WebhooksWebhookIDDeleteOperation:          []string{},
}

// GetOAuth2ScopesForOAuth2 returns the required OAuth2 scopes for the given operation.
//
// This is useful for token exchange scenarios where you need to know which scopes
// to request when obtaining a token for a downstream API call.
//
// Example:
//
//	requiredScopes := GetOAuth2ScopesForOAuth2(AddPetOperation)
//	token := exchangeTokenWithScopes(requiredScopes, "https://api.example.com")
//
// Returns nil if the operation has no scope requirements or if the operation is unknown.
func GetOAuth2ScopesForOAuth2(operation string) []string {
	scopes, ok := oauth2ScopesOAuth2[operation]
	if !ok {
		return nil
	}
	// Return a copy to prevent external modification
	result := make([]string, len(scopes))
	copy(result, scopes)
	return result
}

func (s *Server) securityBasicAuth(ctx context.Context, operationName OperationName, req *http.Request) (context.Context, bool, error) {
	var t BasicAuth
	if _, ok := findAuthorization(req.Header, "Basic"); !ok {
		return ctx, false, nil
	}
	username, password, ok := req.BasicAuth()
	if !ok {
		return nil, false, errors.New("invalid basic auth")
	}
	t.Username = username
	t.Password = password
	t.Roles = operationRolesBasicAuth[operationName]
	rctx, err := s.sec.HandleBasicAuth(ctx, operationName, t)
	if errors.Is(err, ogenerrors.ErrSkipServerSecurity) {
		return nil, false, nil
	} else if err != nil {
		return nil, false, err
	}
	return rctx, true, err
}

func (s *Server) securityOAuth2(ctx context.Context, operationName OperationName, req *http.Request) (context.Context, bool, error) {
	var t OAuth2
	token, ok := findAuthorization(req.Header, "Bearer")
	if !ok {
		return ctx, false, nil
	}
	t.Token = token
	t.Scopes = oauth2ScopesOAuth2[operationName]
	rctx, err := s.sec.HandleOAuth2(ctx, operationName, t)
	if errors.Is(err, ogenerrors.ErrSkipServerSecurity) {
		return nil, false, nil
	} else if err != nil {
		return nil, false, err
	}
	return rctx, true, err
}

// SecuritySource is provider of security values (tokens, passwords, etc.).
type SecuritySource interface {
	// BasicAuth provides BasicAuth security value.
	// HTTP Basic аутентификация клиента ЮKassa.
	BasicAuth(ctx context.Context, operationName OperationName) (BasicAuth, error)
	// OAuth2 provides OAuth2 security value.
	// Авторизация клиента ЮKassa с использованием OAuth-токена.
	OAuth2(ctx context.Context, operationName OperationName) (OAuth2, error)
}

func (s *Client) securityBasicAuth(ctx context.Context, operationName OperationName, req *http.Request) error {
	t, err := s.sec.BasicAuth(ctx, operationName)
	if err != nil {
		return errors.Wrap(err, "security source \"BasicAuth\"")
	}
	req.SetBasicAuth(t.Username, t.Password)
	return nil
}
func (s *Client) securityOAuth2(ctx context.Context, operationName OperationName, req *http.Request) error {
	t, err := s.sec.OAuth2(ctx, operationName)
	if err != nil {
		return errors.Wrap(err, "security source \"OAuth2\"")
	}
	req.Header.Set("Authorization", "Bearer "+t.Token)
	return nil
}