local target_host = assert(module:get_option("authz_delegate_to"));

local this_host = module:get_host();

local array = require"util.array";

local jid_split = import("prosody.util.jid", "split");

local hosts = prosody.hosts;

function get_jids_with_role(role)  --luacheck: ignore 212/role

	return nil

end

function get_user_role(user)

	-- this is called where the JID belongs to the host this module is loaded on

	-- that means we have to delegate that to get_jid_role with an appropriately composed JID

	return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host)

end

function set_user_role(user, role_name)  --luacheck: ignore 212/user 212/role_name

	-- no roles for entities on this host.

	return false, "cannot set user role on delegation target"

end

function get_user_secondary_roles(user)  --luacheck: ignore 212/user

	-- no roles for entities on this host.

	return {}

end

function add_user_secondary_role(user, role_name)  --luacheck: ignore 212/user 212/role_name

	-- no roles for entities on this host.

	return nil, "cannot set user role on delegation target"

end

function remove_user_secondary_role(user, role_name)  --luacheck: ignore 212/user 212/role_name

	-- no roles for entities on this host.

	return nil, "cannot set user role on delegation target"

end

function user_can_assume_role(user, role_name)  --luacheck: ignore 212/user 212/role_name

	-- no roles for entities on this host.

	return false

end

function get_jid_role(jid)

	local user, host = jid_split(jid);

	if host == target_host then

		return hosts[target_host].authz.get_user_role(user);

	end

	return hosts[target_host].authz.get_jid_role(jid);

end

function set_jid_role(jid)  --luacheck: ignore 212/jid

	-- TODO: figure out if there are actually legitimate uses for this...

	return nil, "cannot set jid role on delegation target"

end

local default_permission_queue = array{};

function add_default_permission(role_name, action, policy)

	-- NOTE: we always record default permissions, because the delegated-to

	-- host may be re-activated.

	default_permission_queue:push({

		role_name = role_name,

		action = action,

		policy = policy,

	});

	local target_host_object = hosts[target_host];

	local authz = target_host_object and target_host_object.authz;

	if not authz then

		module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host);

		return;

	end

	return authz.add_default_permission(role_name, action, policy)

end

function get_role_by_name(role_name)

	return hosts[target_host].authz.get_role_by_name(role_name)

end

function get_all_roles()

	return hosts[target_host].authz.get_all_roles()

end

module:hook_global("host-activated", function(host)

	if host == target_host then

		local authz = hosts[target_host].authz;

		module:log("debug", "replaying %d queued permission changes", #default_permission_queue);

		assert(authz);

		-- replay default permission changes, if any

		for i, item in ipairs(default_permission_queue) do

			authz.add_default_permission(item.role_name, item.action, item.policy);

		end

		-- NOTE: we do not clear that array here -- in case the target_host is

		-- re-activated

	end

end, -10000)