schema.resolvers.go

package graph

// This file will be automatically regenerated based on the schema, any resolver implementations
// will be copied through when generating and any unknown code will be moved to the end.
// Code generated by github.com/99designs/gqlgen version v0.17.44

import (
	"context"
	"fmt"
	"sync"
	"time"

	"entgo.io/ent/dialect/sql"
	"entgo.io/ent/dialect/sql/sqljson"
	"github.com/99designs/gqlgen/graphql"
	pgrpc "github.com/cble-platform/cble-provider-grpc/pkg/provider"
	"github.com/cble-platform/cble/backend/auth"
	"github.com/cble-platform/cble/backend/engine"
	"github.com/cble-platform/cble/backend/ent"
	"github.com/cble-platform/cble/backend/ent/blueprint"
	"github.com/cble-platform/cble/backend/ent/deployment"
	"github.com/cble-platform/cble/backend/ent/deploymentnode"
	"github.com/cble-platform/cble/backend/ent/grantedpermission"
	"github.com/cble-platform/cble/backend/ent/group"
	"github.com/cble-platform/cble/backend/ent/groupmembership"
	"github.com/cble-platform/cble/backend/ent/membership"
	"github.com/cble-platform/cble/backend/ent/project"
	"github.com/cble-platform/cble/backend/ent/resource"
	"github.com/cble-platform/cble/backend/ent/user"
	"github.com/cble-platform/cble/backend/graph/generated"
	"github.com/cble-platform/cble/backend/graph/model"
	"github.com/cble-platform/cble/backend/permission"
	"github.com/cble-platform/cble/backend/permission/actions"
	"github.com/google/uuid"
	"github.com/vektah/gqlparser/v2/gqlerror"
	yaml "gopkg.in/yaml.v3"
)

// BlueprintTemplate is the resolver for the blueprintTemplate field.
func (r *blueprintResolver) BlueprintTemplate(ctx context.Context, obj *ent.Blueprint) (string, error) {
	return string(obj.BlueprintTemplate), nil
}

// Provider is the resolver for the Provider field.
func (r *blueprintResolver) Provider(ctx context.Context, obj *ent.Blueprint) (*ent.Provider, error) {
	entProvider, err := obj.QueryProvider().Only(ctx)
	if ent.IsNotFound(err) {
		return nil, nil
	}
	return entProvider, err
}

// Project is the resolver for the project field.
func (r *blueprintResolver) Project(ctx context.Context, obj *ent.Blueprint) (*ent.Project, error) {
	return obj.QueryProject().Only(ctx)
}

// Resources is the resolver for the resources field.
func (r *blueprintResolver) Resources(ctx context.Context, obj *ent.Blueprint) ([]*ent.Resource, error) {
	return obj.QueryResources().All(ctx)
}

// Deployments is the resolver for the deployments field.
func (r *blueprintResolver) Deployments(ctx context.Context, obj *ent.Blueprint) ([]*ent.Deployment, error) {
	return obj.QueryDeployments().All(ctx)
}

// State is the resolver for the state field.
func (r *deploymentResolver) State(ctx context.Context, obj *ent.Deployment) (model.DeploymentState, error) {
	return model.DeploymentState(obj.State), nil
}

// Blueprint is the resolver for the blueprint field.
func (r *deploymentResolver) Blueprint(ctx context.Context, obj *ent.Deployment) (*ent.Blueprint, error) {
	return obj.QueryBlueprint().Only(ctx)
}

// Project is the resolver for the project field.
func (r *deploymentResolver) Project(ctx context.Context, obj *ent.Deployment) (*ent.Project, error) {
	return obj.QueryProject().Only(ctx)
}

// DeploymentNodes is the resolver for the deploymentNodes field.
func (r *deploymentResolver) DeploymentNodes(ctx context.Context, obj *ent.Deployment) ([]*ent.DeploymentNode, error) {
	return obj.QueryDeploymentNodes().All(ctx)
}

// Requester is the resolver for the requester field.
func (r *deploymentResolver) Requester(ctx context.Context, obj *ent.Deployment) (*ent.User, error) {
	return obj.QueryRequester().Only(ctx)
}

// State is the resolver for the state field.
func (r *deploymentNodeResolver) State(ctx context.Context, obj *ent.DeploymentNode) (model.DeploymentNodeState, error) {
	return model.DeploymentNodeState(obj.State), nil
}

// Deployment is the resolver for the deployment field.
func (r *deploymentNodeResolver) Deployment(ctx context.Context, obj *ent.DeploymentNode) (*ent.Deployment, error) {
	return obj.QueryDeployment().Only(ctx)
}

// Resource is the resolver for the resource field.
func (r *deploymentNodeResolver) Resource(ctx context.Context, obj *ent.DeploymentNode) (*ent.Resource, error) {
	return obj.QueryResource().Only(ctx)
}

// NextNodes is the resolver for the nextNodes field.
func (r *deploymentNodeResolver) NextNodes(ctx context.Context, obj *ent.DeploymentNode) ([]*ent.DeploymentNode, error) {
	return obj.QueryNextNodes().All(ctx)
}

// PrevNodes is the resolver for the prevNodes field.
func (r *deploymentNodeResolver) PrevNodes(ctx context.Context, obj *ent.DeploymentNode) ([]*ent.DeploymentNode, error) {
	return obj.QueryPrevNodes().All(ctx)
}

// DisplayString is the resolver for the displayString field.
func (r *grantedPermissionResolver) DisplayString(ctx context.Context, obj *ent.GrantedPermission) (string, error) {
	return permission.DisplayString(obj.SubjectType, obj.SubjectID, obj.ObjectType, obj.ObjectID, obj.Action), nil
}

// Users is the resolver for the users field.
func (r *groupResolver) Users(ctx context.Context, obj *ent.Group) ([]*ent.User, error) {
	return obj.QueryUsers().All(ctx)
}

// ID is the resolver for the id field.
func (r *groupMembershipResolver) ID(ctx context.Context, obj *ent.GroupMembership) (uuid.UUID, error) {
	panic(fmt.Errorf("not implemented: ID - id"))
}

// Project is the resolver for the project field.
func (r *groupMembershipResolver) Project(ctx context.Context, obj *ent.GroupMembership) (*ent.Project, error) {
	return obj.QueryProject().Only(ctx)
}

// Group is the resolver for the group field.
func (r *groupMembershipResolver) Group(ctx context.Context, obj *ent.GroupMembership) (*ent.Group, error) {
	return obj.QueryGroup().Only(ctx)
}

// ID is the resolver for the id field.
func (r *membershipResolver) ID(ctx context.Context, obj *ent.Membership) (uuid.UUID, error) {
	panic(fmt.Errorf("not implemented: ID - id"))
}

// Project is the resolver for the project field.
func (r *membershipResolver) Project(ctx context.Context, obj *ent.Membership) (*ent.Project, error) {
	return obj.QueryProject().Only(ctx)
}

// User is the resolver for the user field.
func (r *membershipResolver) User(ctx context.Context, obj *ent.Membership) (*ent.User, error) {
	return obj.QueryUser().Only(ctx)
}

// Change current user's password
func (r *mutationResolver) SelfChangePassword(ctx context.Context, currentPassword string, newPassword string) (bool, error) {
	panic(fmt.Errorf("not implemented: SelfChangePassword - selfChangePassword"))
}

// Create a user (requires permission `x.x.users.*.create`)
func (r *mutationResolver) CreateUser(ctx context.Context, input model.UserInput) (*ent.User, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasUserCreate(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Create the user
	entUser, err := r.ent.User.Create().
		SetEmail(input.Email).
		SetFirstName(input.FirstName).
		SetLastName(input.LastName).
		SetUsername(input.Username).
		Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to create user: %v", err)
	}

	return entUser, nil
}

// Update a user (requires permission `x.x.users.x.update`)
func (r *mutationResolver) UpdateUser(ctx context.Context, id uuid.UUID, input model.UserInput) (*ent.User, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasUserUpdate(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Update the user
	entUser, err := r.ent.User.UpdateOneID(id).
		SetEmail(input.Email).
		SetFirstName(input.FirstName).
		SetLastName(input.LastName).
		SetUsername(input.Username).
		Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to update user: %v", err)
	}

	return entUser, nil
}

// Delete a user (requires permission `x.x.users.x.delete`)
func (r *mutationResolver) DeleteUser(ctx context.Context, id uuid.UUID) (bool, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasUserDelete(ctx, r.ent, id); err != nil || !hasPerm {
		return false, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Delete the user
	err := r.ent.User.DeleteOneID(id).Exec(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to delete user: %v", err)
	}
	return true, nil
}

// Create a group (requires permission `x.x.group.*.create`)
func (r *mutationResolver) CreateGroup(ctx context.Context, input model.GroupInput) (*ent.Group, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasGroupCreate(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Create the group
	entGroup, err := r.ent.Group.Create().
		SetName(input.Name).
		Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to create group: %v", err)
	}

	return entGroup, nil
}

// Update a group (requires permission `x.x.group.x.update`)
func (r *mutationResolver) UpdateGroup(ctx context.Context, id uuid.UUID, input model.GroupInput) (*ent.Group, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasGroupUpdate(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Update the group
	entGroup, err := r.ent.Group.UpdateOneID(id).
		SetName(input.Name).
		Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to update group: %v", err)
	}

	return entGroup, nil
}

// Delete a group (requires permission `x.x.group.x.delete`)
func (r *mutationResolver) DeleteGroup(ctx context.Context, id uuid.UUID) (bool, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasGroupDelete(ctx, r.ent, id); err != nil || !hasPerm {
		return false, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Delete the group
	err := r.ent.Group.DeleteOneID(id).Exec(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to delete group: %v", err)
	}
	return true, nil
}

// Grant a permission (requires permission `x.x.permission.*.grant`)
func (r *mutationResolver) GrantPermission(ctx context.Context, subjectType grantedpermission.SubjectType, subjectID uuid.UUID, objectType grantedpermission.ObjectType, objectID *uuid.UUID, action actions.PermissionAction) (*ent.GrantedPermission, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasPermissionGrant(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Apply wildcard if objectID is nil
	objectId := uuid.Nil
	if objectID != nil {
		objectId = *objectID
	}

	// Grant the permission
	entGrantedPermission, err := permission.GrantPermission(ctx, r.ent, subjectType, subjectID, objectType, objectId, action)
	if err != nil {
		return nil, gqlerror.Errorf("failed to grant permission: %v", err)
	}

	return entGrantedPermission, nil
}

// Revoke a permission (requires permission `x.x.permission.*.revoke`)
func (r *mutationResolver) RevokePermission(ctx context.Context, subjectType grantedpermission.SubjectType, subjectID uuid.UUID, objectType grantedpermission.ObjectType, objectID *uuid.UUID, action actions.PermissionAction) (bool, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasPermissionRevoke(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return false, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Apply wildcard if objectID is nil
	objectId := uuid.Nil
	if objectID != nil {
		objectId = *objectID
	}

	// Revoke the permission
	err := permission.RevokePermission(ctx, r.ent, subjectType, subjectID, objectType, objectId, action)
	if err != nil {
		return false, gqlerror.Errorf("failed to grant permission: %v", err)
	}

	return true, nil
}

// Create a provider (requires permission `x.x.providers.*.create`)
func (r *mutationResolver) CreateProvider(ctx context.Context, input model.ProviderInput) (*ent.Provider, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProviderCreate(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	entProvider, err := r.ent.Provider.Create().
		SetDisplayName(input.DisplayName).
		SetProviderGitURL(input.ProviderGitURL).
		SetProviderVersion(input.ProviderVersion).
		SetConfigBytes([]byte(input.ConfigBytes)).
		Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to create provider: %v", err)
	}

	return entProvider, nil
}

// Update a provider (requires permission `x.x.providers.x.update`)
func (r *mutationResolver) UpdateProvider(ctx context.Context, id uuid.UUID, input model.ProviderInput) (*ent.Provider, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProviderUpdate(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Update the provider
	entProvider, err := r.ent.Provider.UpdateOneID(id).
		SetDisplayName(input.DisplayName).
		SetProviderGitURL(input.ProviderGitURL).
		SetProviderVersion(input.ProviderVersion).
		SetConfigBytes([]byte(input.ConfigBytes)).
		Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to update provider: %v", err)
	}
	return entProvider, nil
}

// Delete a provider (requires permission `x.x.providers.x.delete`)
func (r *mutationResolver) DeleteProvider(ctx context.Context, id uuid.UUID) (bool, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProviderDelete(ctx, r.ent, id); err != nil || !hasPerm {
		return false, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Check if the provider is loaded
	entProvider, err := r.ent.Provider.Get(ctx, id)
	if err != nil {
		return false, gqlerror.Errorf("failed to query provider with ID: %v", err)
	}
	// Don't allow deleting a loaded provider
	if entProvider.IsLoaded {
		return false, gqlerror.Errorf("cannot delete a provider while it is loaded")
	}
	// Delete the provider otherwise
	err = r.ent.Provider.DeleteOneID(id).Exec(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to delete provider: %v", err)
	}

	return true, nil
}

// Load a provider to connect it to CBLE (requires permission `x.x.providers.x.load`)
func (r *mutationResolver) LoadProvider(ctx context.Context, id uuid.UUID) (*ent.Provider, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProviderLoad(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Check the provider exists
	entProvider, err := r.ent.Provider.Get(ctx, id)
	if err != nil {
		return nil, gqlerror.Errorf("could not find provider with id %s", id)
	}

	// Queue the provider to load
	r.cbleServer.QueueLoadProvider(id.String())

	return entProvider, nil
}

// Unload a provider to disconnect it from CBLE (requires permission `x.x.providers.x.unload`)
func (r *mutationResolver) UnloadProvider(ctx context.Context, id uuid.UUID) (*ent.Provider, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProviderUnload(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Check the provider exists
	entProvider, err := r.ent.Provider.Get(ctx, id)
	if err != nil {
		return nil, gqlerror.Errorf("could not find provider with id %s", id)
	}

	// Queue the provider to unload
	err = r.cbleServer.QueueUnloadProvider(id.String())
	if err != nil {
		return entProvider, fmt.Errorf("failed to unload provider: %v", err)
	}

	return entProvider, nil
}

// Applies the stored configuration to the provider (requires permission `x.x.providers.x.configure`)
func (r *mutationResolver) ConfigureProvider(ctx context.Context, id uuid.UUID) (*ent.Provider, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProviderConfigure(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Get the provider
	entProvider, err := r.ent.Provider.Get(ctx, id)
	if err != nil {
		return nil, gqlerror.Errorf("could not find provider with id %s: %v", id, err)
	}

	// Check the provider is loaded
	if !entProvider.IsLoaded {
		return nil, gqlerror.Errorf("provider is not loaded")
	}

	reply, err := r.cbleServer.Configure(ctx, entProvider)
	if err != nil {
		return nil, gqlerror.Errorf("failed to configure provider: %v", err)
	}
	if !reply.Success {
		return nil, gqlerror.Errorf("failed to configure provider: unknown error")
	}

	return entProvider, nil
}

// Create a project (requires the permission `x.x.project.*.create`)
func (r *mutationResolver) CreateProject(ctx context.Context, input model.ProjectInput) (*ent.Project, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProjectCreate(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	q := r.ent.Project.Create().
		SetName(input.Name)

	// Set optional quotas with default from config
	if input.QuotaCPU != nil {
		q = q.SetQuotaCPU(*input.QuotaCPU)
	} else {
		q = q.SetQuotaCPU(r.cbleConfig.ProjectDefaults.QuotaCPU)
	}
	if input.QuotaRAM != nil {
		q = q.SetQuotaRAM(*input.QuotaRAM)
	} else {
		q = q.SetQuotaRAM(r.cbleConfig.ProjectDefaults.QuotaRAM)
	}
	if input.QuotaDisk != nil {
		q = q.SetQuotaDisk(*input.QuotaDisk)
	} else {
		q = q.SetQuotaDisk(r.cbleConfig.ProjectDefaults.QuotaDisk)
	}
	if input.QuotaNetwork != nil {
		q = q.SetQuotaNetwork(*input.QuotaNetwork)
	} else {
		q = q.SetQuotaNetwork(r.cbleConfig.ProjectDefaults.QuotaNetwork)
	}
	if input.QuotaRouter != nil {
		q = q.SetQuotaRouter(*input.QuotaRouter)
	} else {
		q = q.SetQuotaRouter(r.cbleConfig.ProjectDefaults.QuotaRouter)
	}

	entProject, err := q.Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to create project: %v", err)
	}

	return entProject, nil
}

// Update a project (requires the permission `x.x.project.x.update`)
func (r *mutationResolver) UpdateProject(ctx context.Context, id uuid.UUID, input model.ProjectInput) (*ent.Project, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProjectUpdate(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	q := r.ent.Project.UpdateOneID(id).
		SetName(input.Name)

	// Set optional quotas with default from config
	if input.QuotaCPU != nil {
		q = q.SetQuotaCPU(*input.QuotaCPU)
	} else {
		q = q.SetQuotaCPU(r.cbleConfig.ProjectDefaults.QuotaCPU)
	}
	if input.QuotaRAM != nil {
		q = q.SetQuotaRAM(*input.QuotaRAM)
	} else {
		q = q.SetQuotaRAM(r.cbleConfig.ProjectDefaults.QuotaRAM)
	}
	if input.QuotaDisk != nil {
		q = q.SetQuotaDisk(*input.QuotaDisk)
	} else {
		q = q.SetQuotaDisk(r.cbleConfig.ProjectDefaults.QuotaDisk)
	}
	if input.QuotaNetwork != nil {
		q = q.SetQuotaNetwork(*input.QuotaNetwork)
	} else {
		q = q.SetQuotaNetwork(r.cbleConfig.ProjectDefaults.QuotaNetwork)
	}
	if input.QuotaRouter != nil {
		q = q.SetQuotaRouter(*input.QuotaRouter)
	} else {
		q = q.SetQuotaRouter(r.cbleConfig.ProjectDefaults.QuotaRouter)
	}

	entProject, err := q.Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to update project: %v", err)
	}

	return entProject, nil
}

// Delete a project (requires the permission `x.x.project.x.delete`)
func (r *mutationResolver) DeleteProject(ctx context.Context, id uuid.UUID) (bool, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProjectDelete(ctx, r.ent, id); err != nil || !hasPerm {
		return false, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// Delete the project
	err := r.ent.Project.DeleteOneID(id).Exec(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to delete project: %v", err)
	}

	return true, nil
}

// Update membership to project (requires the permission `x.x.project.x.update_membership`)
func (r *mutationResolver) UpdateMembership(ctx context.Context, id uuid.UUID, users []*model.MembershipInput, groups []*model.GroupMembershipInput) (*ent.Project, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProjectUpdateMembership(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	tx, err := r.ent.Tx(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to create transactional client: %v", err)
	}

	// Clear all memberships
	entProject, err := tx.Project.UpdateOneID(id).ClearMembers().ClearGroupMembers().Save(ctx)
	if err != nil {
		tx.Rollback()
		return nil, gqlerror.Errorf("failed to clear memberships: %v", err)
	}

	// Add back user memberships
	for _, userMembership := range users {
		err = tx.Membership.Create().SetProject(entProject).
			SetUserID(userMembership.UserID).
			SetRole(userMembership.Role).Exec(ctx)
		if err != nil {
			tx.Rollback()
			return nil, gqlerror.Errorf("failed to add membership for user %s: %v", userMembership.UserID, err)
		}
	}
	// Add back group memberships
	for _, groupMembership := range groups {
		err = tx.GroupMembership.Create().SetProject(entProject).
			SetGroupID(groupMembership.GroupID).
			SetRole(groupMembership.Role).Exec(ctx)
		if err != nil {
			tx.Rollback()
			return nil, gqlerror.Errorf("failed to add membership for group %s: %v", groupMembership.GroupID, err)
		}
	}

	// Commit the transaction
	err = tx.Commit()
	if err != nil {
		tx.Rollback()
		return nil, gqlerror.Errorf("failed to commit transaction: %v", err)
	}

	return entProject.Unwrap(), nil
}

// Create a blueprint (requires `Developer` role on project)
func (r *mutationResolver) CreateBlueprint(ctx context.Context, input model.BlueprintInput) (*ent.Blueprint, error) {
	// Get the edge objects
	entProvider, err := r.ent.Provider.Get(ctx, input.ProviderID)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query provider by ID: %v", err)
	}
	entProject, err := r.ent.Project.Get(ctx, input.ProjectID)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query project by ID: %v", err)
	}

	// Check the user has developer role or higher
	hasDeveloperRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, entProject.ID, membership.RoleDeveloper)
	if err != nil {
		return nil, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasDeveloperRole {
		return nil, gqlerror.Errorf("user does not have permission to view deployments in this project")
	}

	// Create a transactional client
	tx, err := r.ent.Tx(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to create transactional client: %v", err)
	}

	// Create the blueprint
	entBlueprint, err := tx.Blueprint.Create().
		SetName(input.Name).
		SetDescription(input.Description).
		SetBlueprintTemplate([]byte(input.BlueprintTemplate)).
		// SetVariableTypes(varTypes).
		SetVariableTypes(input.VariableTypes).
		SetProvider(entProvider).
		SetProject(entProject).
		Save(ctx)
	if err != nil {
		tx.Rollback()
		return nil, gqlerror.Errorf("failed to create blueprint: %v", err)
	}

	// Load all of the blueprint resources
	err = engine.LoadResources(ctx, tx.Client(), r.cbleServer, entBlueprint)
	if err != nil {
		tx.Rollback()
		return nil, gqlerror.Errorf("failed to load resource: %v", err)
	}

	// Commit the transaction
	err = tx.Commit()
	if err != nil {
		tx.Rollback()
		return nil, gqlerror.Errorf("failed to commit transaction: %v", err)
	}

	return entBlueprint.Unwrap(), nil
}

// Update a blueprint (requires `Developer` role on project)
func (r *mutationResolver) UpdateBlueprint(ctx context.Context, id uuid.UUID, input model.BlueprintInput) (*ent.Blueprint, error) {
	// Create a transactional client
	tx, err := r.ent.Tx(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to create transactional client: %v", err)
	}

	// Get the object from ENT
	entBlueprint, err := tx.Blueprint.Get(ctx, id)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query blueprint: %v", err)
	}

	// Get the edge objects
	entProvider, err := tx.Provider.Get(ctx, input.ProviderID)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query provider by ID: %v", err)
	}
	entProject, err := entBlueprint.QueryProject().Only(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query project from blueprint: %v", err)
	}

	// Check the user has developer role or higher
	hasDeveloperRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, entProject.ID, membership.RoleDeveloper)
	if err != nil {
		return nil, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasDeveloperRole {
		return nil, gqlerror.Errorf("user does not have permission to view deployments in this project")
	}

	// Update the blueprint
	entBlueprint, err = entBlueprint.Update().
		SetName(input.Name).
		SetDescription(input.Description).
		SetBlueprintTemplate([]byte(input.BlueprintTemplate)).
		SetVariableTypes(input.VariableTypes).
		SetProvider(entProvider).
		Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to update blueprint: %v", err)
	}

	// Load all of the blueprint resources
	err = engine.LoadResources(ctx, tx.Client(), r.cbleServer, entBlueprint)
	if err != nil {
		tx.Rollback()
		return nil, gqlerror.Errorf("failed to load resource: %v", err)
	}

	// Commit the transaction
	err = tx.Commit()
	if err != nil {
		tx.Rollback()
		return nil, gqlerror.Errorf("failed to commit transaction: %v", err)
	}

	return entBlueprint.Unwrap(), nil
}

// Delete a blueprint (requires `Developer` role on project)
func (r *mutationResolver) DeleteBlueprint(ctx context.Context, id uuid.UUID) (bool, error) {
	// Get the project through blueprint ID
	entProject, err := r.ent.Blueprint.Query().Where(blueprint.ID(id)).QueryProject().Only(ctx)
	if err != nil {
		return false, fmt.Errorf("failed to query deployment: %v", err)
	}

	// Check the user has developer role or higher
	hasDeveloperRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, entProject.ID, membership.RoleDeveloper)
	if err != nil {
		return false, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasDeveloperRole {
		return false, gqlerror.Errorf("user does not have permission to view deployments in this project")
	}

	// Delete the blueprint
	err = r.ent.Blueprint.DeleteOneID(id).Exec(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to delete blueprint: %v", err)
	}

	return true, nil
}

// Deploy a blueprint (requires `Deployer` role on project)
func (r *mutationResolver) DeployBlueprint(ctx context.Context, blueprintID uuid.UUID, projectID uuid.UUID, templateVars map[string]string) (*ent.Deployment, error) {
	// Get the current authenticated user
	currentUser, err := auth.ForContext(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to get user from context: %v", err)
	}

	// Get the blueprint by ID
	entBlueprint, err := r.ent.Blueprint.Get(ctx, blueprintID)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query blueprint: %v", err)
	}

	// Check the user has deployer role or higher
	hasDeployerRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, projectID, membership.RoleDeployer)
	if err != nil {
		return nil, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasDeployerRole {
		return nil, gqlerror.Errorf("user does not have permission to deploy blueprints to this project")
	}

	// Get the provider from blueprint
	entProvider, err := entBlueprint.QueryProvider().Only(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query provider from blueprint: %v", err)
	}

	// Check the provider is loaded
	if !entProvider.IsLoaded {
		return nil, gqlerror.Errorf("provider is not loaded")
	}

	// Create a transactional client
	tx, err := r.ent.Tx(ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to create transactional client: %v", err)
	}

	// Create the deployment
	entDeployment, err := engine.CreateDeployment(ctx, tx.Client(), entBlueprint, projectID, templateVars, time.Now().Add(r.cbleConfig.Deployments.LeaseTime), currentUser)
	if err != nil {
		tx.Rollback()
		return nil, fmt.Errorf("failed to create deployment: %v", err)
	}

	// Commit the transaction
	err = tx.Commit()
	if err != nil {
		tx.Rollback()
		return nil, fmt.Errorf("failed to commit transaction: %v", err)
	}

	// Re-query deployment using non-transaction client
	entDeployment, err = r.ent.Deployment.Get(ctx, entDeployment.ID)
	if err != nil {
		return nil, fmt.Errorf("failed to re-query deployment: %v", err)
	}

	// Spawn deployment routine
	go engine.StartDeployment(r.ent, r.cbleServer, entDeployment)

	return entDeployment, nil
}

// Update a deployment (requires `Deployer` role on project)
func (r *mutationResolver) UpdateDeployment(ctx context.Context, id uuid.UUID, input model.DeploymentInput) (*ent.Deployment, error) {
	// Get the project through deployment ID
	entProject, err := r.ent.Deployment.Query().Where(deployment.ID(id)).QueryProject().Only(ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to query deployment: %v", err)
	}

	// Check the user has deployer role or higher
	hasDeployerRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, entProject.ID, membership.RoleDeployer)
	if err != nil {
		return nil, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasDeployerRole {
		return nil, gqlerror.Errorf("user does not have permission to deploy blueprints to this project")
	}

	return r.ent.Deployment.UpdateOneID(id).SetName(input.Name).Save(ctx)
}

// Redeploy nodes within a deployment (requires `Deployer` role on project)
func (r *mutationResolver) RedeployDeployment(ctx context.Context, id uuid.UUID, nodeIds []uuid.UUID) (*ent.Deployment, error) {
	// Get the deployment by ID
	entDeployment, err := r.ent.Deployment.Query().Where(deployment.ID(id)).WithProject().Only(ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to query deployment: %v", err)
	}

	// Check the user has deployer role or higher
	hasDeployerRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, entDeployment.Edges.Project.ID, membership.RoleDeployer)
	if err != nil {
		return nil, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasDeployerRole {
		return nil, gqlerror.Errorf("user does not have permission to redeploy blueprints to this project")
	}

	// Get the provider from deployment
	entProvider, err := entDeployment.QueryBlueprint().QueryProvider().Only(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query provider from deployment: %v", err)
	}

	// Check the provider is loaded
	if !entProvider.IsLoaded {
		return nil, gqlerror.Errorf("provider is not loaded")
	}

	// Spawn destruction routine
	go engine.StartRedeploy(r.ent, r.cbleServer, entDeployment, nodeIds)

	return entDeployment, nil
}

// Destroy a deployment (requires `Deployer` role on project)
func (r *mutationResolver) DestroyDeployment(ctx context.Context, id uuid.UUID) (*ent.Deployment, error) {
	// Get the deployment by ID
	entDeployment, err := r.ent.Deployment.Query().Where(deployment.ID(id)).WithProject().Only(ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to query deployment: %v", err)
	}

	// Check the user has deployer role or higher
	hasDeployerRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, entDeployment.Edges.Project.ID, membership.RoleDeployer)
	if err != nil {
		return nil, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasDeployerRole {
		return nil, gqlerror.Errorf("user does not have permission to destroy blueprints to this project")
	}

	// Get the provider from deployment
	entProvider, err := entDeployment.QueryBlueprint().QueryProvider().Only(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query provider from deployment: %v", err)
	}

	// Check the provider is loaded
	if !entProvider.IsLoaded {
		return nil, gqlerror.Errorf("provider is not loaded")
	}

	// Spawn destruction routine
	go engine.StartDestroy(r.ent, r.cbleServer, entDeployment)

	return entDeployment, nil
}

// Control the power state of a deployment node (requires `Viewer` role on project)
func (r *mutationResolver) DeploymentNodePower(ctx context.Context, id uuid.UUID, state pgrpc.PowerState) (bool, error) {
	// Get the deployment node by ID
	entDeploymentNode, err := r.ent.DeploymentNode.Get(ctx, id)
	if err != nil {
		return false, gqlerror.Errorf("failed to query deployment node: %v", err)
	}

	// Get the deployment to check permission
	entDeployment, err := entDeploymentNode.QueryDeployment().WithProject().Only(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to query deployment: %v", err)
	}

	// Check the user has viewer role or higher
	hasViewerRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, entDeployment.Edges.Project.ID, membership.RoleViewer)
	if err != nil {
		return false, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasViewerRole {
		return false, gqlerror.Errorf("user does not have permission to view deployments in this project")
	}

	// Get the provider
	entProvider, err := entDeploymentNode.QueryDeployment().QueryBlueprint().QueryProvider().Only(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to query provider: %v", err)
	}

	// Check the provider is loaded
	if !entProvider.IsLoaded {
		return false, gqlerror.Errorf("provider is not loaded")
	}

	// Update the resource power state
	reply, err := r.cbleServer.ResourcePower(ctx, entProvider, entDeploymentNode, state)
	if err != nil {
		return false, gqlerror.Errorf("transport error: %v", err)
	}
	if !reply.Success {
		if reply.Error != nil {
			return false, gqlerror.Errorf("failed to update power state: %v", *reply.Error)
		}
		return false, gqlerror.Errorf("failed to update power state: unknown error")
	}

	return true, nil
}

// Control the power state of a deployment (requires `Viewer` role on project)
func (r *mutationResolver) DeploymentPower(ctx context.Context, id uuid.UUID, state pgrpc.PowerState) (bool, error) {
	// Get the deployment by ID
	entDeployment, err := r.ent.Deployment.Query().Where(deployment.ID(id)).WithProject().Only(ctx)
	if err != nil {
		return false, fmt.Errorf("failed to query deployment: %v", err)
	}

	// Check the user has viewer role or higher
	hasViewerRole, err := CurrentUserHasMinimumProjectRole(ctx, r.ent, entDeployment.Edges.Project.ID, membership.RoleViewer)
	if err != nil {
		return false, gqlerror.Errorf("failed to check user project role: %v", err)
	}
	if !hasViewerRole {
		return false, gqlerror.Errorf("user does not have permission to view deployments in this project")
	}

	// Get the provider
	entProvider, err := entDeployment.QueryBlueprint().QueryProvider().Only(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to query provider: %v", err)
	}

	// Check the provider is loaded
	if !entProvider.IsLoaded {
		return false, gqlerror.Errorf("provider is not loaded")
	}

	// Get all of the deployment nodes which support power feature
	entDeploymentNodes, err := entDeployment.QueryDeploymentNodes().Where(
		deploymentnode.HasResourceWith(func(s *sql.Selector) {
			s.Where(sqljson.ValueEQ(resource.FieldFeatures, true, sqljson.Path("power"))) // Find where has { "power": true, ... }
		}),
	).All(ctx)
	if err != nil {
		return false, gqlerror.Errorf("failed to query deployment nodes with power support: %v", err)
	}

	var wg sync.WaitGroup

	for _, entDeploymentNode := range entDeploymentNodes {
		wg.Add(1)
		go func(wg *sync.WaitGroup, entDeploymentNode *ent.DeploymentNode) {
			defer wg.Done()
			// Update the resource power state
			reply, err := r.cbleServer.ResourcePower(ctx, entProvider, entDeploymentNode, state)
			if err != nil {
				graphql.AddErrorf(ctx, "transport error: %v", err)
			}
			if reply != nil && !reply.Success {
				if reply.Error != nil {
					graphql.AddErrorf(ctx, "failed to update power state: %v", *reply.Error)
				}
				graphql.AddErrorf(ctx, "failed to update power state: unknown error")
			}
		}(&wg, entDeploymentNode)
	}

	// Wait for all of the resources to power down
	wg.Wait()

	// If we successfully applied all power states
	if len(graphql.GetErrors(ctx)) == 0 {
		// Default set to COMPLETE
		deploymentState := deployment.StateComplete
		// If we're powering off, set to SUSPENDED
		if state == pgrpc.PowerState_OFF {
			deploymentState = deployment.StateSuspended
		}
		// Update the deployment state
		err = entDeployment.Update().SetState(deploymentState).Exec(ctx)
		if err != nil {
			return false, gqlerror.Errorf("failed to update deployment state: %v", err)
		}
	} else {
		return false, gqlerror.Errorf("failed to apply deployment power state")
	}

	return true, nil
}

// Memberships is the resolver for the memberships field.
func (r *projectResolver) Memberships(ctx context.Context, obj *ent.Project) ([]*ent.Membership, error) {
	return obj.QueryMemberships().All(ctx)
}

// GroupMemberships is the resolver for the groupMemberships field.
func (r *projectResolver) GroupMemberships(ctx context.Context, obj *ent.Project) ([]*ent.GroupMembership, error) {
	return obj.QueryGroupMemberships().All(ctx)
}

// Blueprints is the resolver for the blueprints field.
func (r *projectResolver) Blueprints(ctx context.Context, obj *ent.Project) ([]*ent.Blueprint, error) {
	return obj.QueryBlueprints().All(ctx)
}

// Deployments is the resolver for the deployments field.
func (r *projectResolver) Deployments(ctx context.Context, obj *ent.Project) ([]*ent.Deployment, error) {
	return obj.QueryDeployments().All(ctx)
}

// ConfigBytes is the resolver for the configBytes field.
func (r *providerResolver) ConfigBytes(ctx context.Context, obj *ent.Provider) (string, error) {
	return string(obj.ConfigBytes), nil
}

// Blueprints is the resolver for the blueprints field.
func (r *providerResolver) Blueprints(ctx context.Context, obj *ent.Provider) ([]*ent.Blueprint, error) {
	return obj.QueryBlueprints().All(ctx)
}

// Get current user
func (r *queryResolver) Me(ctx context.Context) (*ent.User, error) {
	return auth.ForContext(ctx)
}

// MeHasPermission is the resolver for the meHasPermission field.
func (r *queryResolver) MeHasPermission(ctx context.Context, objectType grantedpermission.ObjectType, objectID *uuid.UUID, action actions.PermissionAction) (bool, error) {
	// Convert nillable ID to uuid.Nil
	objectId := uuid.Nil
	if objectID != nil {
		objectId = *objectID
	}

	return permission.CurrentUserHasPermission(ctx, r.ent, objectType, objectId, action)
}

// List users (requires permission `x.x.users.*.list`)
func (r *queryResolver) Users(ctx context.Context, count int, offset *int) (*model.UserPage, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasUserList(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	q := r.ent.User.Query().Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entUsers, err := q.All(ctx)
	if err != nil {
		return nil, err
	}
	entUserCount, err := r.ent.User.Query().Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.UserPage{
		Users: entUsers,
		Total: entUserCount,
	}, nil
}

// Get a user (requires permission `x.x.users.x.get`)
func (r *queryResolver) User(ctx context.Context, id uuid.UUID) (*ent.User, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasUserGet(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	return r.ent.User.Get(ctx, id)
}

// List groups (requires permission `x.x.groups.*.list`)
func (r *queryResolver) Groups(ctx context.Context, count int, offset *int) (*model.GroupPage, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasGroupList(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	q := r.ent.Group.Query().Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entGroups, err := q.All(ctx)
	if err != nil {
		return nil, err
	}
	entGroupCount, err := r.ent.Group.Query().Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.GroupPage{
		Groups: entGroups,
		Total:  entGroupCount,
	}, nil
}

// Get a group (requires permission `x.x.groups.x.get`)
func (r *queryResolver) Group(ctx context.Context, id uuid.UUID) (*ent.Group, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasGroupGet(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	return r.ent.Group.Get(ctx, id)
}

// List permissions (requires permission `x.x.permission.*.list`)
func (r *queryResolver) Permissions(ctx context.Context, count int, offset *int) (*model.GrantedPermissionPage, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasPermissionList(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	q := r.ent.GrantedPermission.Query().Order(
		ent.Asc(
			grantedpermission.FieldSubjectType,
			grantedpermission.FieldObjectType,
			grantedpermission.FieldAction,
		),
	).
		Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entPermissions, err := q.All(ctx)
	if err != nil {
		return nil, err
	}
	entPermissionCount, err := r.ent.GrantedPermission.Query().Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.GrantedPermissionPage{
		Permissions: entPermissions,
		Total:       entPermissionCount,
	}, nil
}

// Get a permission (requires permission `x.x.permission.x.get`)
func (r *queryResolver) Permission(ctx context.Context, id uuid.UUID) (*ent.GrantedPermission, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasPermissionGet(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	return r.ent.GrantedPermission.Get(ctx, id)
}

// Projects is the resolver for the projects field.
func (r *queryResolver) Projects(ctx context.Context, count int, offset *int, minRole *membership.Role) (*model.ProjectPage, error) {
	// Get the current user
	currentUser, err := auth.ForContext(ctx)
	if err != nil {
		return nil, auth.AUTH_REQUIRED_GQL_ERROR
	}

	// Check if current user has permission to list all
	hasListPerm, err := permission.CurrentUserHasProjectList(ctx, r.ent, uuid.Nil)
	if err != nil {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	// If has list permission, return them all
	if hasListPerm {
		q := r.ent.Project.Query().Limit(count)
		if offset != nil {
			q = q.Offset(*offset)
		}
		entProjects, err := q.All(ctx)
		if err != nil {
			return nil, fmt.Errorf("failed to query projects: %v", err)
		}

		projectCount, err := r.ent.Project.Query().Count(ctx)
		if err != nil {
			return nil, fmt.Errorf("failed to get total project count: %v", err)
		}
		return &model.ProjectPage{
			Projects: entProjects,
			Total:    projectCount,
		}, nil
	}

	membershipRoles := []membership.Role{membership.RoleAdmin, membership.RoleDeveloper, membership.RoleDeployer, membership.RoleViewer}
	groupMembershipRoles := []groupmembership.Role{groupmembership.RoleAdmin, groupmembership.RoleDeveloper, groupmembership.RoleDeployer, groupmembership.RoleViewer}
	if minRole != nil {
		// Only allow projects with admin
		if *minRole == membership.RoleAdmin {
			membershipRoles = membershipRoles[:1]
			groupMembershipRoles = groupMembershipRoles[:1]
		}
		if *minRole == membership.RoleDeveloper {
			membershipRoles = membershipRoles[:2]
			groupMembershipRoles = groupMembershipRoles[:2]
		}
		if *minRole == membership.RoleDeployer {
			membershipRoles = membershipRoles[:3]
			groupMembershipRoles = groupMembershipRoles[:3]
		}
		if *minRole == membership.RoleViewer {
			membershipRoles = membershipRoles[:4]
			groupMembershipRoles = groupMembershipRoles[:4]
		}
	}

	// If not, only list projects the current user is a member of
	q := r.ent.Project.Query().Where(
		project.Or(
			// Direct user membership
			project.HasMembershipsWith(
				membership.HasUserWith(user.ID(currentUser.ID)),
				membership.RoleIn(
					membershipRoles...,
				),
			),
			// Group membership
			project.HasGroupMembershipsWith(
				groupmembership.HasGroupWith(group.HasUsersWith(user.ID(currentUser.ID))),
				groupmembership.RoleIn(
					groupMembershipRoles...,
				),
			),
		),
	).Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entProjects, err := q.All(ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to query projects: %v", err)
	}
	projectCount, err := r.ent.Project.Query().Where(
		project.HasMembersWith(user.IDEQ(currentUser.ID)),
		project.HasGroupMembersWith(group.HasUsersWith(user.IDEQ(currentUser.ID))),
	).Count(ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to get total project count: %v", err)
	}
	return &model.ProjectPage{
		Projects: entProjects,
		Total:    projectCount,
	}, nil
}

// Project is the resolver for the project field.
func (r *queryResolver) Project(ctx context.Context, id uuid.UUID) (*ent.Project, error) {
	panic(fmt.Errorf("not implemented: Project - project"))
}

// List providers (requires permission `x.x.providers.*.list`)
func (r *queryResolver) Providers(ctx context.Context, count int, offset *int) (*model.ProviderPage, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProviderList(ctx, r.ent, uuid.Nil); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	q := r.ent.Provider.Query().Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entProviders, err := q.All(ctx)
	if err != nil {
		return nil, err
	}
	entProviderCount, err := r.ent.Provider.Query().Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.ProviderPage{
		Providers: entProviders,
		Total:     entProviderCount,
	}, nil
}

// Get a provider (requires permission `x.x.providers.x.get`)
func (r *queryResolver) Provider(ctx context.Context, id uuid.UUID) (*ent.Provider, error) {
	// Check if current user has permission
	if hasPerm, err := permission.CurrentUserHasProviderGet(ctx, r.ent, id); err != nil || !hasPerm {
		return nil, auth.PERMISSION_DENIED_GQL_ERROR
	}

	return r.ent.Provider.Get(ctx, id)
}

// List blueprints (requires permission `x.x.blueprints.*.list`)
func (r *queryResolver) Blueprints(ctx context.Context, projectFilter []uuid.UUID, count int, offset *int) (*model.BlueprintPage, error) {
	// Get the current user
	currentUser, err := auth.ForContext(ctx)
	if err != nil {
		return nil, auth.AUTH_REQUIRED_GQL_ERROR
	}

	// Base query on all of current user's projects
	baseQ := r.ent.Blueprint.Query().Where(
		blueprint.HasProjectWith(
			project.Or(
				// Direct user membership
				project.HasMembershipsWith(
					membership.HasUserWith(user.ID(currentUser.ID)),
					membership.RoleIn(
						membership.RoleAdmin,
						membership.RoleDeveloper,
						membership.RoleDeployer,
					),
				),
				// Group membership
				project.HasGroupMembershipsWith(
					groupmembership.HasGroupWith(group.HasUsersWith(user.ID(currentUser.ID))),
					groupmembership.RoleIn(
						groupmembership.RoleAdmin,
						groupmembership.RoleDeveloper,
						groupmembership.RoleDeployer,
					),
				),
			),
		),
	)
	// Filter on project ID if requested
	if len(projectFilter) > 0 {
		baseQ = baseQ.Where(
			blueprint.HasProjectWith(project.IDIn(projectFilter...)),
		)
	}
	// Query blueprints from projects
	q := baseQ.Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entBlueprints, err := q.All(ctx)
	if err != nil {
		return nil, err
	}
	entBlueprintCount, err := baseQ.Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.BlueprintPage{
		Blueprints: entBlueprints,
		Total:      entBlueprintCount,
	}, nil
}

// Get a blueprint (requires permission `x.x.blueprints.x.get`)
func (r *queryResolver) Blueprint(ctx context.Context, id uuid.UUID) (*ent.Blueprint, error) {
	// Get the current user
	currentUser, err := auth.ForContext(ctx)
	if err != nil {
		return nil, auth.AUTH_REQUIRED_GQL_ERROR
	}

	return r.ent.Blueprint.Query().Where(
		blueprint.ID(id),
		blueprint.HasProjectWith(
			project.Or(
				// Direct user membership
				project.HasMembershipsWith(
					membership.HasUserWith(user.ID(currentUser.ID)),
					membership.RoleIn(
						membership.RoleAdmin,
						membership.RoleDeveloper,
						membership.RoleDeployer,
					),
				),
				// Group membership
				project.HasGroupMembershipsWith(
					groupmembership.HasGroupWith(group.HasUsersWith(user.ID(currentUser.ID))),
					groupmembership.RoleIn(
						groupmembership.RoleAdmin,
						groupmembership.RoleDeveloper,
						groupmembership.RoleDeployer,
					),
				),
			),
		),
	).Only(ctx)
}

// List deployments (requires permission `x.x.deployments.*.list`)
func (r *queryResolver) Deployments(ctx context.Context, includeExpiredAndDestroyed bool, projectFilter []uuid.UUID, count int, offset *int) (*model.DeploymentPage, error) {
	// Get the current user
	currentUser, err := auth.ForContext(ctx)
	if err != nil {
		return nil, auth.AUTH_REQUIRED_GQL_ERROR
	}

	// Base query on all of current user's projects
	baseQ := r.ent.Deployment.Query().Where(
		deployment.HasProjectWith(
			project.Or(
				// Direct user membership
				project.HasMembershipsWith(
					membership.HasUserWith(user.ID(currentUser.ID)),
					membership.RoleIn(
						membership.RoleAdmin,
						membership.RoleDeveloper,
						membership.RoleDeployer,
						membership.RoleViewer,
					),
				),
				// Group membership
				project.HasGroupMembershipsWith(
					groupmembership.HasGroupWith(group.HasUsersWith(user.ID(currentUser.ID))),
					groupmembership.RoleIn(
						groupmembership.RoleAdmin,
						groupmembership.RoleDeveloper,
						groupmembership.RoleDeployer,
						groupmembership.RoleViewer,
					),
				),
			),
		),
	)
	// Filter on project ID if requested
	if len(projectFilter) > 0 {
		baseQ = baseQ.Where(
			deployment.HasProjectWith(
				project.IDIn(projectFilter...),
			),
		)
	}
	// Filter on expired and destroyed if not requested
	if !includeExpiredAndDestroyed {
		baseQ = baseQ.Where(
			deployment.ExpiresAtGTE(time.Now()),
			deployment.StateNEQ(deployment.StateDestroyed),
		)
	}
	// Query deployments from projects
	q := baseQ.Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entDeployments, err := q.Order(ent.Desc(deployment.FieldCreatedAt)).All(ctx)
	if err != nil {
		return nil, err
	}
	entDeploymentCount, err := baseQ.Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.DeploymentPage{
		Deployments: entDeployments,
		Total:       entDeploymentCount,
	}, nil
}

// Get a deployment (requires permission `x.x.deployments.x.get`)
func (r *queryResolver) Deployment(ctx context.Context, id uuid.UUID) (*ent.Deployment, error) {
	// Get the current user
	currentUser, err := auth.ForContext(ctx)
	if err != nil {
		return nil, auth.AUTH_REQUIRED_GQL_ERROR
	}

	entDeployment, err := r.ent.Deployment.Query().Where(
		deployment.ID(id),
		deployment.HasProjectWith(
			project.Or(
				// Direct user membership
				project.HasMembershipsWith(
					membership.HasUserWith(user.ID(currentUser.ID)),
					membership.RoleIn(
						membership.RoleAdmin,
						membership.RoleDeveloper,
						membership.RoleDeployer,
					),
				),
				// Group membership
				project.HasGroupMembershipsWith(
					groupmembership.HasGroupWith(group.HasUsersWith(user.ID(currentUser.ID))),
					groupmembership.RoleIn(
						groupmembership.RoleAdmin,
						groupmembership.RoleDeveloper,
						groupmembership.RoleDeployer,
					),
				),
			),
		),
	).Only(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to query deployment: %v", err)
	}

	// Set the last access time
	entDeployment, err = entDeployment.Update().SetLastAccessed(time.Now()).Save(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to update last access time: %v", err)
	}

	return entDeployment, nil
}

// SearchUsers is the resolver for the searchUsers field.
func (r *queryResolver) SearchUsers(ctx context.Context, search string, count int, offset *int) (*model.UserPage, error) {
	q := r.ent.User.Query().Where(
		user.Or(
			IDFuzzySearch(search),
			user.UsernameContainsFold(search),
			user.EmailContainsFold(search),
			user.FirstNameContainsFold(search),
			user.LastNameContainsFold(search),
		),
	).Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entUsers, err := q.All(ctx)
	if err != nil {
		return nil, err
	}
	entUserCount, err := q.Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.UserPage{
		Users: entUsers,
		Total: entUserCount,
	}, nil
}

// SearchGroups is the resolver for the searchGroups field.
func (r *queryResolver) SearchGroups(ctx context.Context, search string, count int, offset *int) (*model.GroupPage, error) {
	q := r.ent.Group.Query().Where(
		group.Or(
			IDFuzzySearch(search),
			group.NameContainsFold(search),
		),
	).Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entGroups, err := q.All(ctx)
	if err != nil {
		return nil, err
	}
	entGroupCount, err := q.Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.GroupPage{
		Groups: entGroups,
		Total:  entGroupCount,
	}, nil
}

// Search projects (requires `Developer` or more)
func (r *queryResolver) SearchProjects(ctx context.Context, search string, count int, offset *int, minRole *membership.Role) (*model.ProjectPage, error) {
	// Get the current authenticated user
	currentUser, err := auth.ForContext(ctx)
	if err != nil {
		return nil, gqlerror.Errorf("failed to get user from context: %v", err)
	}

	membershipRoles := []membership.Role{membership.RoleAdmin, membership.RoleDeveloper, membership.RoleDeployer, membership.RoleViewer}
	groupMembershipRoles := []groupmembership.Role{groupmembership.RoleAdmin, groupmembership.RoleDeveloper, groupmembership.RoleDeployer, groupmembership.RoleViewer}
	if minRole != nil {
		// Only allow projects with admin
		if *minRole == membership.RoleAdmin {
			membershipRoles = membershipRoles[:1]
			groupMembershipRoles = groupMembershipRoles[:1]
		}
		if *minRole == membership.RoleDeveloper {
			membershipRoles = membershipRoles[:2]
			groupMembershipRoles = groupMembershipRoles[:2]
		}
		if *minRole == membership.RoleDeployer {
			membershipRoles = membershipRoles[:3]
			groupMembershipRoles = groupMembershipRoles[:3]
		}
		if *minRole == membership.RoleViewer {
			membershipRoles = membershipRoles[:4]
			groupMembershipRoles = groupMembershipRoles[:4]
		}
	}

	q := r.ent.Project.Query().Where(
		project.Or(
			IDFuzzySearch(search),
			project.NameContainsFold(search),
		),
		project.Or(
			// Direct user membership
			project.HasMembershipsWith(
				membership.HasUserWith(user.ID(currentUser.ID)),
				membership.RoleIn(
					membershipRoles...,
				),
			),
			// Group membership
			project.HasGroupMembershipsWith(
				groupmembership.HasGroupWith(group.HasUsersWith(user.ID(currentUser.ID))),
				groupmembership.RoleIn(
					groupMembershipRoles...,
				),
			),
		),
	).Limit(count)
	if offset != nil {
		q = q.Offset(*offset)
	}
	entProjects, err := q.All(ctx)
	if err != nil {
		return nil, err
	}
	entProjectCount, err := q.Count(ctx)
	if err != nil {
		return nil, err
	}
	return &model.ProjectPage{
		Projects: entProjects,
		Total:    entProjectCount,
	}, nil
}

// Type is the resolver for the type field.
func (r *resourceResolver) Type(ctx context.Context, obj *ent.Resource) (model.ResourceType, error) {
	return model.ResourceType(obj.Type), nil
}

// Object is the resolver for the object field.
func (r *resourceResolver) Object(ctx context.Context, obj *ent.Resource) (string, error) {
	objectBytes, err := yaml.Marshal(obj.Object)
	if err != nil {
		return "", err
	}
	return string(objectBytes), nil
}

// Blueprint is the resolver for the blueprint field.
func (r *resourceResolver) Blueprint(ctx context.Context, obj *ent.Resource) (*ent.Blueprint, error) {
	return obj.QueryBlueprint().Only(ctx)
}

// RequiredBy is the resolver for the requiredBy field.
func (r *resourceResolver) RequiredBy(ctx context.Context, obj *ent.Resource) ([]*ent.Resource, error) {
	return obj.QueryRequiredBy().All(ctx)
}

// DependsOn is the resolver for the dependsOn field.
func (r *resourceResolver) DependsOn(ctx context.Context, obj *ent.Resource) ([]*ent.Resource, error) {
	return obj.QueryDependsOn().All(ctx)
}

// Groups is the resolver for the groups field.
func (r *userResolver) Groups(ctx context.Context, obj *ent.User) ([]*ent.Group, error) {
	return obj.QueryGroups().All(ctx)
}

// Deployments is the resolver for the deployments field.
func (r *userResolver) Deployments(ctx context.Context, obj *ent.User) ([]*ent.Deployment, error) {
	return obj.QueryDeployments().All(ctx)
}

// Blueprint returns generated.BlueprintResolver implementation.
func (r *Resolver) Blueprint() generated.BlueprintResolver { return &blueprintResolver{r} }

// Deployment returns generated.DeploymentResolver implementation.
func (r *Resolver) Deployment() generated.DeploymentResolver { return &deploymentResolver{r} }

// DeploymentNode returns generated.DeploymentNodeResolver implementation.
func (r *Resolver) DeploymentNode() generated.DeploymentNodeResolver {
	return &deploymentNodeResolver{r}
}

// GrantedPermission returns generated.GrantedPermissionResolver implementation.
func (r *Resolver) GrantedPermission() generated.GrantedPermissionResolver {
	return &grantedPermissionResolver{r}
}

// Group returns generated.GroupResolver implementation.
func (r *Resolver) Group() generated.GroupResolver { return &groupResolver{r} }

// GroupMembership returns generated.GroupMembershipResolver implementation.
func (r *Resolver) GroupMembership() generated.GroupMembershipResolver {
	return &groupMembershipResolver{r}
}

// Membership returns generated.MembershipResolver implementation.
func (r *Resolver) Membership() generated.MembershipResolver { return &membershipResolver{r} }

// Mutation returns generated.MutationResolver implementation.
func (r *Resolver) Mutation() generated.MutationResolver { return &mutationResolver{r} }

// Project returns generated.ProjectResolver implementation.
func (r *Resolver) Project() generated.ProjectResolver { return &projectResolver{r} }

// Provider returns generated.ProviderResolver implementation.
func (r *Resolver) Provider() generated.ProviderResolver { return &providerResolver{r} }

// Query returns generated.QueryResolver implementation.
func (r *Resolver) Query() generated.QueryResolver { return &queryResolver{r} }

// Resource returns generated.ResourceResolver implementation.
func (r *Resolver) Resource() generated.ResourceResolver { return &resourceResolver{r} }

// User returns generated.UserResolver implementation.
func (r *Resolver) User() generated.UserResolver { return &userResolver{r} }

type blueprintResolver struct{ *Resolver }
type deploymentResolver struct{ *Resolver }
type deploymentNodeResolver struct{ *Resolver }
type grantedPermissionResolver struct{ *Resolver }
type groupResolver struct{ *Resolver }
type groupMembershipResolver struct{ *Resolver }
type membershipResolver struct{ *Resolver }
type mutationResolver struct{ *Resolver }
type projectResolver struct{ *Resolver }
type providerResolver struct{ *Resolver }
type queryResolver struct{ *Resolver }
type resourceResolver struct{ *Resolver }
type userResolver struct{ *Resolver }