package entitlements

import (
	"github.com/pkg/errors"
)

// Entitlement is the name of a capability that must be explicitly granted.
// Values are compared as plain strings; only the names registered in the
// package-level allowlist are accepted by Parse and WhiteList.
type Entitlement string

// Entitlement names known to this package.
const (
	// EntitlementNetworkHost is the "network.host" entitlement.
	// NOTE(review): the name suggests access to the host network; confirm
	// against the code that consumes this value.
	EntitlementNetworkHost Entitlement = "network.host"

	// EntitlementSecurityInsecure is the "security.insecure" entitlement.
	// NOTE(review): the name suggests a relaxed security mode; confirm
	// against the code that consumes this value.
	EntitlementSecurityInsecure Entitlement = "security.insecure"
)

// all is the allowlist of entitlement names Parse accepts. A name that is not
// a key here is rejected as unknown, so a new entitlement has to be registered
// in this map before it can be requested or granted.
var all = map[Entitlement]struct{}{
	EntitlementNetworkHost:      {},
	EntitlementSecurityInsecure: {},
}

// Parse converts s into an Entitlement.
//
// The match against the package allowlist is exact: there is no trimming or
// case folding, so any string that is not byte-for-byte one of the registered
// names is rejected. On failure the returned Entitlement is empty and the
// error names the rejected input.
//
// NOTE(review): s is echoed into the error with %s. If s can originate from a
// remote client, %q would keep empty or control-character input visible in
// logs; left unchanged here so the message text stays stable.
func Parse(s string) (Entitlement, error) {
	candidate := Entitlement(s)
	if _, known := all[candidate]; known {
		return candidate, nil
	}
	return "", errors.Errorf("unknown entitlement %s", s)
}

// WhiteList validates the entitlements in allowed and returns them as a Set.
//
// Every entry of allowed must be a name Parse accepts. When supported is
// non-nil, every entry must also be a member of supported; the first entry
// that fails either check aborts the call with a nil Set and an error, so no
// partial grant is ever returned.
//
// Security note: the supported check is skipped only when supported is nil.
// A non-nil but empty slice rejects every requested entitlement, whereas nil
// applies no ceiling at all. Callers that enforce daemon configuration must
// therefore pass a non-nil slice, and must not use nil to mean "nothing is
// permitted".
//
// supported is itself validated by a recursive call with a nil ceiling, so an
// unknown name in supported is reported as an error as well.
func WhiteList(allowed, supported []Entitlement) (Set, error) {
	// enforce distinguishes "no ceiling given" (nil) from "empty ceiling".
	enforce := supported != nil

	var ceiling Set
	if enforce {
		parsed, err := WhiteList(supported, nil)
		if err != nil { // should not happen
			return nil, err
		}
		ceiling = parsed
	}

	granted := make(Set, len(allowed))
	for _, requested := range allowed {
		// Re-parse so that only registered names can enter the set.
		ent, err := Parse(string(requested))
		if err != nil {
			return nil, err
		}
		if enforce && !ceiling.Allowed(ent) {
			return nil, errors.Errorf("granting entitlement %s is not allowed by build daemon configuration", ent)
		}
		granted[ent] = struct{}{}
	}

	return granted, nil
}

// Set is a collection of entitlements keyed by name. Membership is the only
// information it carries; the map values are empty structs.
type Set map[Entitlement]struct{}

// Allowed reports whether e is a member of s. A nil or empty Set contains
// nothing, so the check fails closed and returns false.
func (s Set) Allowed(e Entitlement) bool {
	if _, present := s[e]; present {
		return true
	}
	return false
}