package client

import (
	kapierrors "k8s.io/kubernetes/pkg/api/errors"

	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
)

// LocalResourceAccessReviewsNamespacer has methods to work with LocalResourceAccessReview resources in a namespace
type LocalResourceAccessReviewsNamespacer interface {
	LocalResourceAccessReviews(namespace string) LocalResourceAccessReviewInterface
}

// LocalResourceAccessReviewInterface exposes methods on LocalResourceAccessReview resources.
type LocalResourceAccessReviewInterface interface {
	Create(policy *authorizationapi.LocalResourceAccessReview) (*authorizationapi.ResourceAccessReviewResponse, error)
}

// localResourceAccessReviews implements ResourceAccessReviewsNamespacer interface
type localResourceAccessReviews struct {
	r  *Client
	ns string
}

// newLocalResourceAccessReviews returns a localLocalResourceAccessReviews
func newLocalResourceAccessReviews(c *Client, namespace string) *localResourceAccessReviews {
	return &localResourceAccessReviews{
		r:  c,
		ns: namespace,
	}
}

func (c *localResourceAccessReviews) Create(rar *authorizationapi.LocalResourceAccessReview) (result *authorizationapi.ResourceAccessReviewResponse, err error) {
	result = &authorizationapi.ResourceAccessReviewResponse{}
	err = c.r.Post().Namespace(c.ns).Resource("localResourceAccessReviews").Body(rar).Do().Into(result)

	// if we get one of these failures, we may be talking to an older openshift.  In that case, we need to try hitting ns/namespace-name/subjectaccessreview
	if kapierrors.IsForbidden(err) || kapierrors.IsNotFound(err) {
		deprecatedRAR := &authorizationapi.ResourceAccessReview{
			Action: rar.Action,
		}
		deprecatedResponse := &authorizationapi.ResourceAccessReviewResponse{}
		deprecatedAttemptErr := c.r.Post().Namespace(c.ns).Resource("resourceAccessReviews").Body(deprecatedRAR).Do().Into(deprecatedResponse)
		if deprecatedAttemptErr == nil {
			err = nil
			result = deprecatedResponse
		}
	}

	return
}