namespace SharepointToolbox.Web.Core.Models;

/// <summary>
/// Connection and authentication metadata for one client tenant.
/// Carries identifiers and certificate metadata only; no key material is held here.
/// </summary>
public class TenantProfile
{
    /// <summary>Profile identifier. Defaults to a newly generated GUID string.</summary>
    public string Id { get; set; } = Guid.NewGuid().ToString();

    /// <summary>Name of the profile.</summary>
    public string Name { get; set; } = string.Empty;

    /// <summary>SharePoint URL for the tenant, e.g. https://contoso.sharepoint.com</summary>
    public string TenantUrl { get; set; } = string.Empty;

    /// <summary>
    /// Azure AD tenant GUID or domain (e.g. contoso.onmicrosoft.com).
    /// Required for app-only Graph calls.
    /// </summary>
    public string TenantId { get; set; } = string.Empty;

    /// <summary>Azure AD app registration client (application) ID.</summary>
    public string ClientId { get; set; } = string.Empty;

    /// <summary>Optional client logo; null when none is set.</summary>
    public LogoData? ClientLogo { get; set; }

    // ---- Certificate (app-only) credentials ----------------------------------
    // An admin opts each client in individually. With the flag on, certificate
    // auth is used for BOTH the interactive session (technicians do not sign in
    // to SharePoint per profile) AND the background report scheduler, so every
    // operation runs under the app identity. With the flag off, the app falls
    // back to the delegated refresh-token sign-in flow.
    //
    // SharePoint CSOM app-only needs a certificate (Sites.FullControl.All
    // application permission, admin-consented). The certificate is NOT kept in
    // this class: it is stored DataProtection-encrypted on disk (see
    // AppOnlyCertStore). Only the metadata needed to load and display it is here.

    /// <summary>
    /// When true, this client uses certificate (app-only) auth for interactive and scheduled work.
    /// </summary>
    public bool AppOnlyEnabled { get; set; }

    /// <summary>
    /// Client (application) ID of the app registration used for certificate auth.
    /// May differ from <see cref="ClientId"/>.
    /// </summary>
    public string AppOnlyClientId { get; set; } = string.Empty;

    /// <summary>
    /// Thumbprint of the stored certificate. Display/verification only; the key
    /// material is stored separately.
    /// </summary>
    public string AppOnlyCertThumbprint { get; set; } = string.Empty;

    /// <summary>
    /// Produces a copy of this profile that targets a different site/admin URL.
    /// Every other field, notably the certificate metadata, is carried over so the
    /// auth model is resolved identically for the derived URL. Use this instead of
    /// hand-building partial copies.
    /// </summary>
    /// <param name="siteUrl">URL assigned to <see cref="TenantUrl"/> on the copy.</param>
    /// <returns>A new <see cref="TenantProfile"/> with the same <see cref="Id"/> as this one.</returns>
    public TenantProfile CloneForSite(string siteUrl)
    {
        // NOTE(review): siteUrl is assigned as-is; this method does not check that it
        // is non-null, uses https, or sits under the same tenant as TenantUrl. The copy
        // keeps AppOnlyEnabled and the certificate metadata, so call sites that take
        // the URL from user input should validate it first (confirm at callers).
        var derived = new TenantProfile
        {
            TenantUrl = siteUrl,
            Id = Id,
            Name = Name,
            TenantId = TenantId,
            ClientId = ClientId,
            // Same LogoData reference as the source profile (not a deep copy).
            ClientLogo = ClientLogo,
            AppOnlyEnabled = AppOnlyEnabled,
            AppOnlyClientId = AppOnlyClientId,
            AppOnlyCertThumbprint = AppOnlyCertThumbprint,
        };

        return derived;
    }
}