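import unittest

from fastapi.testclient import TestClient

from admin_app.api.dependencies import (
    get_auth_service,
    get_current_staff_context,
    get_current_staff_principal,
)
from admin_app.app_factory import create_app
from admin_app.core import (
    AdminAuthenticatedSession,
    AdminSettings,
    AuthenticatedStaffContext,
    AuthenticatedStaffPrincipal,
)
from shared.contracts import StaffRole

# Fixture values shared by the fake auth service and the dependency overrides.
# They are test-only constants: the fake compares against them literally and
# never derives or verifies a real secret.
_ADMIN_EMAIL = "admin@empresa.com"
_ADMIN_PASSWORD = "SenhaMuitoSegura!123"
_ADMIN_STAFF_ID = 1
_SESSION_ID = 77
_ACCESS_TOKEN = "token-abc"
_REFRESH_TOKEN = "refresh-abc"


def _admin_principal() -> AuthenticatedStaffPrincipal:
    """Return a fresh, active ADMIN principal (staff id 1) used by every fixture here."""
    return AuthenticatedStaffPrincipal(
        id=_ADMIN_STAFF_ID,
        email=_ADMIN_EMAIL,
        display_name="Administrador",
        role=StaffRole.ADMIN,
        is_active=True,
    )


def _admin_session(access_token: str, refresh_token: str) -> AdminAuthenticatedSession:
    """Return an authenticated session for the admin principal carrying the given tokens.

    Args:
        access_token: Bearer token the fake hands out for this session.
        refresh_token: Refresh token the fake hands out for this session.
    """
    return AdminAuthenticatedSession(
        session_id=_SESSION_ID,
        access_token=access_token,
        refresh_token=refresh_token,
        token_type="bearer",
        expires_in_seconds=1800,
        principal=_admin_principal(),
    )


class _FakeAuthService:
    """In-memory stand-in for the admin auth service behind ``get_auth_service``.

    Only the exact fixture inputs are accepted; anything else is rejected with
    ``None`` (login/refresh) or ``False`` (logout) so the routes' rejection paths
    can be driven from the tests. ``ip_address`` and ``user_agent`` are accepted
    for signature compatibility with the real service and are otherwise ignored.
    """

    def login(
        self,
        email: str,
        password: str,
        *,
        ip_address: str | None,
        user_agent: str | None,
    ):
        """Return a session for the fixture credentials, ``None`` for any other pair."""
        if email == _ADMIN_EMAIL and password == _ADMIN_PASSWORD:
            return _admin_session(_ACCESS_TOKEN, _REFRESH_TOKEN)
        return None

    def refresh_session(
        self,
        refresh_token: str,
        *,
        ip_address: str | None,
        user_agent: str | None,
    ):
        """Rotate the fixture refresh token into new tokens; ``None`` for any other token."""
        if refresh_token == _REFRESH_TOKEN:
            return _admin_session("token-new", "refresh-new")
        return None

    def logout(
        self,
        session_id: int,
        *,
        actor_staff_account_id: int | None,
        ip_address: str | None,
        user_agent: str | None,
    ) -> bool:
        """Succeed only when the fixture session is revoked by the staff account that owns it."""
        return session_id == _SESSION_ID and actor_staff_account_id == _ADMIN_STAFF_ID


class AdminAuthWebTests(unittest.TestCase):
    """HTTP-level tests for the admin auth routes with the auth service faked out.

    ``get_current_staff_principal`` and ``get_current_staff_context`` are overridden
    to always yield the fixture admin, so the ``Authorization`` headers sent below are
    not validated by these tests; bearer-token verification belongs to the real
    dependencies and is not covered in this module.
    """

    def setUp(self):
        # A throwaway secret: the fake service never signs or verifies tokens with it.
        app = create_app(AdminSettings(admin_auth_token_secret="test-secret"))
        overrides = app.dependency_overrides
        overrides[get_auth_service] = _FakeAuthService
        overrides[get_current_staff_principal] = _admin_principal
        overrides[get_current_staff_context] = lambda: AuthenticatedStaffContext(
            principal=_admin_principal(),
            session_id=_SESSION_ID,
        )
        self.app = app
        self.client = TestClient(app)

    def tearDown(self):
        # Overrides live on the app object; clear them so no fixture state leaks between tests.
        self.app.dependency_overrides.clear()

    def test_login_returns_tokens_and_staff_account(self):
        # NOTE(review): there is no wrong-password case here. The fake returns None
        # for it, but the route's rejection status/detail is not pinned by this file;
        # confirm against the endpoint before asserting it.
        response = self.client.post(
            "/auth/login",
            json={"email": _ADMIN_EMAIL, "password": _ADMIN_PASSWORD},
        )
        body = response.json()
        self.assertEqual(response.status_code, 200)
        self.assertEqual(body["session_id"], _SESSION_ID)
        self.assertEqual(body["token_type"], "bearer")
        self.assertEqual(body["refresh_token"], _REFRESH_TOKEN)
        self.assertEqual(body["staff_account"]["role"], "admin")

    def test_refresh_returns_rotated_tokens(self):
        response = self.client.post(
            "/auth/refresh",
            json={"refresh_token": _REFRESH_TOKEN},
        )
        body = response.json()
        self.assertEqual(response.status_code, 200)
        # Both tokens must rotate; reusing the presented refresh token would defeat rotation.
        self.assertEqual(body["access_token"], "token-new")
        self.assertEqual(body["refresh_token"], "refresh-new")

    def test_refresh_rejects_invalid_token(self):
        response = self.client.post(
            "/auth/refresh",
            json={"refresh_token": "refresh-invalido"},
        )
        self.assertEqual(response.status_code, 401)
        self.assertEqual(response.json()["detail"], "Refresh token administrativo invalido.")

    def test_logout_revokes_current_session(self):
        # The session being revoked comes from the overridden staff context (id 77),
        # not from the bearer header, which the overrides leave unchecked.
        response = self.client.post(
            "/auth/logout",
            headers={"Authorization": f"Bearer {_ACCESS_TOKEN}", "User-Agent": "pytest"},
        )
        body = response.json()
        self.assertEqual(response.status_code, 200)
        self.assertEqual(body["session_id"], _SESSION_ID)
        self.assertEqual(body["status"], "ok")

    def test_me_returns_authenticated_staff_account(self):
        response = self.client.get(
            "/auth/me", headers={"Authorization": f"Bearer {_ACCESS_TOKEN}"}
        )
        body = response.json()
        self.assertEqual(response.status_code, 200)
        self.assertEqual(body["email"], _ADMIN_EMAIL)
        self.assertEqual(body["role"], "admin")

    def test_system_access_returns_permissions_for_authenticated_staff(self):
        response = self.client.get(
            "/system/access", headers={"Authorization": f"Bearer {_ACCESS_TOKEN}"}
        )
        body = response.json()
        self.assertEqual(response.status_code, 200)
        self.assertIn("manage_settings", body["permissions"])
        self.assertEqual(body["staff_account"]["role"], "admin")


if __name__ == "__main__":
    unittest.main()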