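"""Authorization tests for the admin web API.

The real principal resolver and audit service are replaced by in-memory
fakes, so these tests exercise only the authentication / authorization
layer of the routes (401 without a principal, 403 for an insufficient
role, 200 when the role is sufficient). No database or token verification
is involved; the ``Bearer token`` header value is therefore irrelevant
and only present so the request looks like a real authenticated call.
"""
import unittest
from datetime import datetime, timezone

from fastapi.testclient import TestClient

from admin_app.api.dependencies import get_audit_service, get_current_staff_principal
from admin_app.app_factory import create_app
from admin_app.core import AdminSettings, AuthenticatedStaffPrincipal
from admin_app.db.models import AuditLog
from shared.contracts import StaffRole

# Secret used only to satisfy AdminSettings; token verification is bypassed by
# the dependency override, so its value never reaches a verifier.
_TEST_SECRET = "test-secret"
_BEARER_HEADERS = {"Authorization": "Bearer token"}


class _FakeAuditService:
    """Stand-in for the audit service that returns one canned entry.

    The entry is fully deterministic so tests can assert on its fields
    without a database. ``limit`` is accepted for signature compatibility
    with the real service but is not applied to the single-item result.
    """

    def list_recent(self, limit: int = 50) -> list[AuditLog]:
        """Return a single fixed ``AuditLog`` regardless of ``limit``."""
        return [
            AuditLog(
                id=1,
                actor_staff_account_id=10,
                event_type="staff.login.succeeded",
                resource_type="staff_account",
                resource_id="10",
                outcome="success",
                message="Login administrativo concluido.",
                payload_json={"session_id": 77},
                ip_address="127.0.0.1",
                user_agent="pytest",
                created_at=datetime(2026, 3, 26, 12, 0, tzinfo=timezone.utc),
            )
        ]


class AdminAuthorizationWebTests(unittest.TestCase):
    """Checks authentication (401) and role-based authorization (403 / 200).

    Every test builds its own application instance, and all dependency
    overrides and HTTP clients are torn down through ``addCleanup`` so a
    failing assertion cannot leak state into the next test.
    """

    def _build_client_with_role(self, role: StaffRole) -> tuple[TestClient, object]:
        """Create an app whose current principal has ``role``.

        Args:
            role: the ``StaffRole`` the fake principal is given.

        Returns:
            ``(client, app)``. Callers no longer need to clear
            ``app.dependency_overrides`` themselves: the overrides are
            cleared and the client closed automatically at test teardown.
        """
        app = create_app(AdminSettings(admin_auth_token_secret=_TEST_SECRET))
        # Register the cleanup before anything else can raise so a partially
        # configured app never survives the test.
        self.addCleanup(app.dependency_overrides.clear)

        principal = AuthenticatedStaffPrincipal(
            id=10,
            email="staff@empresa.com",
            display_name="Equipe Interna",
            role=role,
            is_active=True,
        )
        app.dependency_overrides[get_current_staff_principal] = lambda: principal
        # The class itself is a zero-argument callable, equivalent to
        # ``lambda: _FakeAuditService()``.
        app.dependency_overrides[get_audit_service] = _FakeAuditService

        # Not used as a context manager on purpose: entering the TestClient
        # would run the application's lifespan hooks, which these tests
        # deliberately avoid.
        client = TestClient(app)
        self.addCleanup(client.close)
        return client, app

    def test_system_info_requires_authentication(self):
        """With no principal the route must answer 401, not 403.

        No override is installed here, so the real principal dependency runs
        and must reject the anonymous request before any role check.
        """
        app = create_app(AdminSettings(admin_auth_token_secret=_TEST_SECRET))
        client = TestClient(app)
        self.addCleanup(client.close)

        response = client.get("/system/info")

        self.assertEqual(response.status_code, 401)
        self.assertEqual(response.json()["detail"], "Autenticacao administrativa obrigatoria.")

    def test_viewer_can_access_system_info(self):
        """The lowest role is enough for the read-only system info route."""
        client, _app = self._build_client_with_role(StaffRole.VIEWER)

        response = client.get("/system/info", headers=_BEARER_HEADERS)

        self.assertEqual(response.status_code, 200)
        self.assertEqual(response.json()["service"], "orquestrador-admin")

    def test_viewer_can_access_audit_events(self):
        """Viewers may read audit events; the fake service's entry is echoed."""
        client, _app = self._build_client_with_role(StaffRole.VIEWER)

        response = client.get("/audit/events", headers=_BEARER_HEADERS)

        self.assertEqual(response.status_code, 200)
        self.assertEqual(response.json()["events"][0]["event_type"], "staff.login.succeeded")

    def test_staff_cannot_access_admin_only_capability(self):
        """An authenticated STAFF principal is denied with 403 (not 401).

        The detail names the missing capability, which is what distinguishes
        an authorization failure from a missing/invalid credential.
        """
        client, _app = self._build_client_with_role(StaffRole.STAFF)

        response = client.get("/system/admin-capabilities", headers=_BEARER_HEADERS)

        self.assertEqual(response.status_code, 403)
        self.assertEqual(
            response.json()["detail"],
            "Permissao administrativa insuficiente: 'manage_settings'.",
        )

    def test_admin_can_access_admin_only_capability(self):
        """ADMIN satisfies the capability check and the role is reported back."""
        client, _app = self._build_client_with_role(StaffRole.ADMIN)

        response = client.get("/system/admin-capabilities", headers=_BEARER_HEADERS)

        self.assertEqual(response.status_code, 200)
        body = response.json()
        self.assertTrue(body["allowed"])
        self.assertEqual(body["role"], "admin")


if __name__ == "__main__":
    unittest.main()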