"""Service for determining resource access based on user role and team memberships."""
import uuid
from typing import List

from sqlalchemy.ext.asyncio import AsyncSession
from sqlmodel import select

from models.sql.client import ClientModel
from models.sql.team import TeamModel
from models.sql.team_membership import TeamMembershipModel
from models.sql.user import UserModel


async def get_accessible_client_ids(user: UserModel, session: AsyncSession) -> List[uuid.UUID]:
    """Return client IDs the user can access.

    super_admin: all active clients.
    Others: clients linked via team memberships.
    """
    if user.role == "super_admin":
        result = await session.execute(
            select(ClientModel.id).where(ClientModel.is_active == True)  # noqa: E712
        )
        return list(result.scalars().all())

    result = await session.execute(
        select(TeamModel.client_id)
        .join(TeamMembershipModel, TeamMembershipModel.team_id == TeamModel.id)
        .where(
            TeamMembershipModel.user_id == user.id,
            TeamModel.client_id.isnot(None),
        )
        .distinct()
    )
    return list(result.scalars().all())


async def get_accessible_clients(user: UserModel, session: AsyncSession) -> List[ClientModel]:
    """Return full ClientModel objects the user can access."""
    if user.role == "super_admin":
        result = await session.execute(
            select(ClientModel).where(ClientModel.is_active == True)  # noqa: E712
        )
        return list(result.scalars().all())

    client_ids = await get_accessible_client_ids(user, session)
    if not client_ids:
        return []

    result = await session.execute(
        select(ClientModel).where(
            ClientModel.id.in_(client_ids),
            ClientModel.is_active == True,  # noqa: E712
        )
    )
    return list(result.scalars().all())