use actix_web::{HttpResponse, web};
use serde::Deserialize;
use utoipa::IntoParams;

use crate::api::response::{ApiErrorResponse, ApiResponse};
use crate::error::AppError;
use crate::models::repos::BranchProtectionRule;
use crate::service::AppService;
use crate::service::repo::protection::CreateProtectionRuleParams;
use crate::session::Session;

#[derive(Debug, Deserialize, IntoParams)]
pub struct PathParams {
    /// Workspace name (unique identifier)
    pub workspace_name: String,
    /// Repository name (unique within the workspace)
    pub repo_name: String,
}

/// Create a branch protection rule
///
/// Creates a new branch protection rule that enforces policies on matching branches.
/// Requires Admin role or higher in the repository.
///
/// Parameters:
/// - pattern: Branch name pattern (supports wildcards like "feature/*", "release/**")
/// - required_approvals: Number of required approvals before merging (0-10)
/// - require_status_checks: Whether status checks must pass
/// - required_status_checks: List of required status check contexts
/// - restrict_pushes: Restrict who can push to matching branches
/// - allow_force_pushes: Allow force pushes (only if restrict_pushes is false)
/// - allow_deletions: Allow branch deletion (only if restrict_pushes is false)
///
/// Returns the created protection rule with full configuration.
#[utoipa::path(
    post,
    path = "/api/v1/workspaces/{workspace_name}/repos/{repo_name}/protection-rules",
    tag = "Repos",
    operation_id = "repoCreateProtectionRule",
    params(PathParams),
    request_body(
        content = CreateProtectionRuleParams,
        description = "Protection rule creation parameters",
        content_type = "application/json"
    ),
    responses(
        (status = 201, description = "Protection rule created successfully. Returns the newly created protection rule with full configuration.", body = ApiResponse<BranchProtectionRule>),
        (status = 400, description = "Invalid parameters: invalid pattern, negative approvals count, or conflicting settings", body = ApiErrorResponse),
        (status = 401, description = "Authentication required or session expired", body = ApiErrorResponse),
        (status = 403, description = "Insufficient permissions (requires Admin role or higher)", body = ApiErrorResponse),
        (status = 404, description = "Repository or workspace not found", body = ApiErrorResponse),
        (status = 409, description = "Protection rule with this pattern already exists", body = ApiErrorResponse),
        (status = 500, description = "Internal server error", body = ApiErrorResponse),
    ),
    security(
        ("session_cookie" = [])
    )
)]
pub async fn create_protection_rule(
    service: web::Data<AppService>,
    session: Session,
    path: web::Path<PathParams>,
    params: web::Json<CreateProtectionRuleParams>,
) -> Result<HttpResponse, AppError> {
    let rule = service
        .repo
        .repo_create_protection_rule(
            &session,
            &path.workspace_name,
            &path.repo_name,
            params.into_inner(),
        )
        .await?;

    Ok(HttpResponse::Created().json(ApiResponse::new(rule)))
}