api/auth/

guards.rs

use axum::{extract::{Path, State, FromRequestParts}, http::{Request, StatusCode}, middleware::Next, body::Body, response::{Response, IntoResponse}, Json};
use util::state::AppState;
use crate::auth::claims::AuthUser;
use crate::response::ApiResponse;
use sea_orm::DatabaseConnection;
use std::collections::HashMap;
use sea_orm::EntityTrait;
use sea_orm::QueryFilter;
use sea_orm::ColumnTrait;
use db::models::{
    module::Entity as ModuleEntity,
    plagiarism_case::{Entity as PlagiarismEntity, Column as PlagiarismColumn},
    assignment::{Entity as AssignmentEntity, Column as AssignmentColumn},
    assignment_task::{Entity as TaskEntity, Column as TaskColumn},
    assignment_submission::{Entity as SubmissionEntity, Column as SubmissionColumn},
    assignment_file::{Entity as FileEntity, Column as FileColumn},
    user::Entity as UserEntity,
    user
};

// --- Role Based Access Guards ---

#[derive(serde::Serialize, Default)]
pub struct Empty;

/// Helper to extract, validate user from request extensions and insert the back into the request
async fn extract_and_insert_authuser(
    mut req: Request<Body>
) -> Result<(Request<Body>, AuthUser), (StatusCode, Json<ApiResponse<Empty>>)> {
    let (mut parts, body) = req.into_parts();
    let user = AuthUser::from_request_parts(&mut parts, &())
        .await
        .map_err(|_| (
            StatusCode::UNAUTHORIZED,
            Json(ApiResponse::error("Authentication required"))
        ))?;
    
    req = Request::from_parts(parts, body);
    req.extensions_mut().insert(user.clone());
    Ok((req, user))
}

/// Helper to check if user has any of the specified roles
async fn user_has_any_role(
    db: &DatabaseConnection,
    user_id: i64,
    module_id: i64,
    roles: &[&str],
) -> bool {
    for role in roles {
        if user::Model::is_in_role(db, user_id, module_id, role).await.unwrap_or(false) {
            return true;
        }
    }
    false
}

/// Basic guard to ensure the request is authenticated.
pub async fn require_authenticated(
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    let (req, _user) = extract_and_insert_authuser(req).await?;

    Ok(next.run(req).await)
}

/// Admin-only guard.
pub async fn require_admin(
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    let (req, user) = extract_and_insert_authuser(req).await?;
    
    if !user.0.admin {
        return Err((
            StatusCode::FORBIDDEN,
            Json(ApiResponse::error("Admin access required"))
        ));
    }

    Ok(next.run(req).await)
}

/// Base role-based access guard that other guards can build upon
async fn require_role_base(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
    required_roles: &[&str],
    failure_msg: &str,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    let db: &DatabaseConnection =  app_state.db();

    let (req, user) = extract_and_insert_authuser(req).await?;
    
    let module_id = params.get("module_id")
        .and_then(|s| s.parse::<i64>().ok())
        .ok_or((
            StatusCode::BAD_REQUEST,
            Json(ApiResponse::error("Missing or invalid module_id"))
        ))?;

    if user.0.admin {
        return Ok(next.run(req).await);
    }

    if user_has_any_role(&db, user.0.sub, module_id, required_roles).await {
        Ok(next.run(req).await)
    } else {
        Err((StatusCode::FORBIDDEN, Json(ApiResponse::error(failure_msg))))
    }
}

/// Guard for requiring lecturer access.
pub async fn require_lecturer(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    require_role_base(
        State(app_state),
        Path(params),
        req,
        next,
        &["Lecturer"],
        "Lecturer access required for this module"
    ).await
}

/// Guard for requiring assistant lecturer access.
pub async fn require_assistant_lecturer(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    require_role_base(
        State(app_state),
        Path(params),
        req,
        next,
        &["AssistantLecturer"],
        "Assistant lecturer access required for this module"
    ).await
}

/// Guard for requiring tutor access.
pub async fn require_tutor(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    require_role_base(
        State(app_state),
        Path(params),
        req,
        next,
        &["Tutor"],
        "Tutor access required for this module"
    ).await
}

/// Guard for requiring student access.
pub async fn require_student(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    require_role_base(
        State(app_state),
        Path(params),
        req,
        next,
        &["Student"],
        "Student access required for this module"
    ).await
}

/// Guard for requiring lecturer or assistant lecturer access.
pub async fn require_lecturer_or_assistant_lecturer(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    require_role_base(
        State(app_state),
        Path(params),
        req,
        next,
        &["Lecturer", "AssistantLecturer"],
        "Lecturer or assistant lecturer access required for this module"
    ).await
}

/// Guard for requiring lecturer or tutor access.
/// TODO: Add ALs to this?
pub async fn require_lecturer_or_tutor(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    require_role_base(
        State(app_state),
        Path(params),
        req,
        next,
        &["Lecturer", "Tutor"],
        "Lecturer or tutor access required for this module"
    ).await
}

/// Guard for requiring any assigned role (lecturer, tutor, student).
pub async fn require_assigned_to_module(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    require_role_base(
        State(app_state),
        Path(params),
        req,
        next,
        &["Lecturer", "AssistantLecturer", "Tutor", "Student"],
        "User not assigned to this module"
    ).await
}

pub async fn require_ready_assignment(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    let db = app_state.db();

    let module_id = params.get("module_id")
        .and_then(|s| s.parse::<i64>().ok())
        .ok_or((
            StatusCode::BAD_REQUEST,
            Json(ApiResponse::error("Missing or invalid module_id"))
        ))?;

    let assignment_id = params.get("assignment_id")
        .and_then(|s| s.parse::<i64>().ok())
        .ok_or((
            StatusCode::BAD_REQUEST,
            Json(ApiResponse::error("Missing or invalid assignment_id"))
        ))?;

    if let Err(e) = db::models::assignment::Model::try_transition_to_ready(db, module_id, assignment_id).await {
        return Err((
            StatusCode::INTERNAL_SERVER_ERROR,
            Json(ApiResponse::error(format!("Failed to transition assignment to ready: {}", e)))
        ));
    }

    let assignment = match AssignmentEntity::find_by_id(assignment_id).one(db).await {
        Ok(Some(a)) => a,
        Ok(None) => {
            return Err((
                StatusCode::NOT_FOUND,
                Json(ApiResponse::error(format!(
                    "Assignment {} in Module {} not found.",
                    assignment_id, module_id
                ))),
            ));
        }
        Err(_) => {
            return Err((
                StatusCode::INTERNAL_SERVER_ERROR,
                Json(ApiResponse::error("Database error while checking assignment")),
            ));
        }
    };

    if assignment.status == db::models::assignment::Status::Setup {
        return Err((
            StatusCode::FORBIDDEN,
            Json(ApiResponse::error("Assignment is still in Setup stage"))
        ));
    }

    Ok(next.run(req).await)
}

// --- Path ID Guards ---

async fn check_module_exists(
    module_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    let found = ModuleEntity::find_by_id(module_id)
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking module"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("Module {} not found.", module_id))),
        ));
    }
    Ok(())
}

async fn check_user_exists(
    user_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    let found = UserEntity::find_by_id(user_id)
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking user"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("User {} not found.", user_id))),
        ));
    }
    Ok(())
}

async fn check_assignment_hierarchy(
    module_id: i32,
    assignment_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    check_module_exists(module_id, db).await?;

    let found = AssignmentEntity::find()
        .filter(AssignmentColumn::Id.eq(assignment_id))
        .filter(AssignmentColumn::ModuleId.eq(module_id))
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking assignment"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("Assignment {} in Module {} not found.", assignment_id, module_id))),
        ));
    }
    Ok(())
}

async fn check_task_hierarchy(
    module_id: i32,
    assignment_id: i32,
    task_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    check_assignment_hierarchy(module_id, assignment_id, db).await?;

    let found = TaskEntity::find()
        .filter(TaskColumn::Id.eq(task_id))
        .filter(TaskColumn::AssignmentId.eq(assignment_id))
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking task"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("Task {} in Assignment {} not found.", task_id, assignment_id))),
        ));
    }
    Ok(())
}

async fn check_submission_hierarchy(
    module_id: i32,
    assignment_id: i32,
    submission_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    check_assignment_hierarchy(module_id, assignment_id, db).await?;

    let found = SubmissionEntity::find()
        .filter(SubmissionColumn::Id.eq(submission_id))
        .filter(SubmissionColumn::AssignmentId.eq(assignment_id))
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking submission"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("Submission {} in Assignment {} not found.", submission_id, assignment_id))),
        ));
    }
    Ok(())
}

async fn check_file_hierarchy(
    module_id: i32,
    assignment_id: i32,
    file_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    check_assignment_hierarchy(module_id, assignment_id, db).await?;

    let found = FileEntity::find()
        .filter(FileColumn::Id.eq(file_id))
        .filter(FileColumn::AssignmentId.eq(assignment_id))
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking file"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("File {} in Assignment {} not found.", file_id, assignment_id))),
        ));
    }
    Ok(())
}

pub async fn check_ticket_hierarchy(
    module_id: i32,
    assignment_id: i32,
    ticket_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    check_assignment_hierarchy(module_id, assignment_id, db).await?;

    let found = db::models::tickets::Entity::find()
        .filter(db::models::tickets::Column::Id.eq(ticket_id))
        .filter(db::models::tickets::Column::AssignmentId.eq(assignment_id))
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking ticket"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("Ticket {} in Assignment {} not found.", ticket_id, assignment_id))),
        ));
    }
    Ok(())
}

pub async fn check_message_hierarchy(
    module_id: i32,
    assignment_id: i32,
    ticket_id: i32,
    message_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    check_ticket_hierarchy(module_id, assignment_id, ticket_id, db).await?;

    let found = db::models::ticket_messages::Entity::find()
        .filter(db::models::ticket_messages::Column::Id.eq(message_id))
        .filter(db::models::ticket_messages::Column::TicketId.eq(ticket_id))
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking message"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("Message {} in Ticket {} not found.", message_id, ticket_id))),
        ));
    }
    Ok(())
}

pub async fn check_plagiarism_hierarchy(
    module_id: i32,
    assignment_id: i32,
    case_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    check_assignment_hierarchy(module_id, assignment_id, db).await?;

    let found = PlagiarismEntity::find()
        .filter(PlagiarismColumn::Id.eq(case_id))
        .filter(PlagiarismColumn::AssignmentId.eq(assignment_id))
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking plagiarism case"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("Plagiarism case {} in Assignment {} not found.", case_id, assignment_id))),
        ));
    }
    Ok(())
}

pub async fn check_announcement_hierarchy(
    module_id: i32,
    announcement_id: i32,
    db: &DatabaseConnection,
) -> Result<(), (StatusCode, Json<ApiResponse<Empty>>)> {
    check_module_exists(module_id, db).await?;

    let found = db::models::announcements::Entity::find()
        .filter(db::models::announcements::Column::Id.eq(announcement_id))
        .filter(db::models::announcements::Column::ModuleId.eq(module_id))
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking announcement"))))?;

    if found.is_none() {
        return Err((
            StatusCode::NOT_FOUND,
            Json(ApiResponse::error(format!("Announcement {} in Module {} not found.", announcement_id, module_id))),
        ));
    }
    Ok(())
}

pub async fn validate_known_ids(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: Request<Body>,
    next: Next,
) -> Result<Response, Response> {
    let db = app_state.db();

    let mut module_id: Option<i32>     = None;
    let mut assignment_id: Option<i32> = None;
    let mut task_id: Option<i32>       = None;
    let mut submission_id: Option<i32> = None;
    let mut file_id: Option<i32>       = None;
    let mut user_id: Option<i32>       = None;
    let mut ticket_id: Option<i32>     = None;
    let mut message_id: Option<i32>    = None;
    let mut case_id: Option<i32>       = None;
    let mut announcement_id: Option<i32> = None;

    for (key, raw) in &params {
        let id = raw.parse::<i32>().map_err(|_| {
            (StatusCode::BAD_REQUEST, Json(ApiResponse::<Empty>::error(format!("Invalid {}: '{}'. Must be an integer.", key, raw)))).into_response()
        })?;
        match key.as_str() {
            "module_id"     => module_id = Some(id),
            "assignment_id" => assignment_id = Some(id),
            "task_id"       => task_id = Some(id),
            "submission_id" => submission_id = Some(id),
            "file_id"       => file_id = Some(id),
            "user_id"       => user_id = Some(id),
            "ticket_id"     => ticket_id = Some(id),
            "case_id" => case_id = Some(id),
            "announcement_id" => announcement_id = Some(id),
            "message_id" => message_id = Some(id),
            _ => return Err((StatusCode::BAD_REQUEST, Json(ApiResponse::<Empty>::error(format!("Unexpected parameter: '{}'.", key)))).into_response()),
        }
    }
    
    if let Some(uid) = user_id {
        check_user_exists(uid, db).await.map_err(|e| e.into_response())?;
    }
    if let Some(mid) = module_id {
        check_module_exists(mid, db).await.map_err(|e| e.into_response())?;
    }
    if let (Some(mid), Some(aid)) = (module_id, assignment_id) {
        check_assignment_hierarchy(mid, aid, db).await.map_err(|e| e.into_response())?;
    }
    if let (Some(mid), Some(aid), Some(tid)) = (module_id, assignment_id, task_id) {
        check_task_hierarchy(mid, aid, tid, db).await.map_err(|e| e.into_response())?;
    }
    if let (Some(mid), Some(aid), Some(sid)) = (module_id, assignment_id, submission_id) {
        check_submission_hierarchy(mid, aid, sid, db).await.map_err(|e| e.into_response())?;
    }
    if let (Some(mid), Some(aid), Some(fid)) = (module_id, assignment_id, file_id) {
        check_file_hierarchy(mid, aid, fid, db).await.map_err(|e| e.into_response())?;
    }
    if let (Some(mid), Some(aid), Some(tid)) = (module_id, assignment_id, ticket_id) {
        check_ticket_hierarchy(mid, aid, tid, db).await.map_err(|e| e.into_response())?;
    }
    if let (Some(mid), Some(aid), Some(sid)) = (module_id, assignment_id, case_id) {
        check_plagiarism_hierarchy(mid, aid, sid, db).await.map_err(|e| e.into_response())?;
    }

    if let (Some(mid), Some(ann_id)) = (module_id, announcement_id) {
        check_announcement_hierarchy(mid, ann_id, db).await.map_err(|e| e.into_response())?;
    }

    if let (Some(mid), Some(aid), Some(tid), Some(meid)) = (module_id, assignment_id, ticket_id, message_id) {
        check_message_hierarchy(mid, aid, tid, meid, db).await.map_err(|e| e.into_response())?;
    }

    Ok(next.run(req).await)
}

// TODO Write tests for this gaurd
pub async fn require_ticket_ws_access(
    State(app_state): State<AppState>,
    Path(params): Path<HashMap<String, String>>,
    req: axum::http::Request<Body>,
    next: Next,
) -> Result<Response, (StatusCode, Json<ApiResponse<Empty>>)> {
    let db = app_state.db();

    // Must be logged in (also inserts AuthUser into extensions)
    let (req, user) = extract_and_insert_authuser(req).await?;

    // ticket_id from path
    let ticket_id = params.get("ticket_id")
        .and_then(|s| s.parse::<i64>().ok())
        .ok_or((
            StatusCode::BAD_REQUEST,
            Json(ApiResponse::error("Missing or invalid ticket_id")),
        ))?;

    // Load ticket -> get assignment_id and author
    let ticket = db::models::tickets::Entity::find_by_id(ticket_id)
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking ticket"))))?
        .ok_or((StatusCode::NOT_FOUND, Json(ApiResponse::error("Ticket not found"))))?;

    // Author can access
    if ticket.user_id == user.0.sub {
        return Ok(next.run(req).await);
    }

    // Admin can access
    if user.0.admin {
        return Ok(next.run(req).await);
    }

    // Resolve module via assignment -> module_id
    let assignment = db::models::assignment::Entity::find_by_id(ticket.assignment_id)
        .one(db)
        .await
        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, Json(ApiResponse::error("Database error while checking assignment"))))?
        .ok_or((StatusCode::NOT_FOUND, Json(ApiResponse::error("Assignment not found for ticket"))))?;

    let module_id = assignment.module_id;

    // Allow module staff (Lecturer, AssistantLecturer, Tutor)
    if user_has_any_role(db, user.0.sub, module_id, &["Lecturer", "AssistantLecturer", "Tutor"]).await {
        return Ok(next.run(req).await);
    }

    // Otherwise, deny
    Err((StatusCode::FORBIDDEN, Json(ApiResponse::error("Not allowed to access this ticket websocket"))))
}