from fastapi import APIRouter, HTTPException, status
from pydantic import BaseModel

from src.core.db import SessionDep
from src.core.deps import CurrentUserDep
from src.group_settings.repo import GroupConfigRepoDep
from src.group_settings.schemas import GroupSettingsMeta
from src.services.logging_service import log_action

router = APIRouter(prefix="/admin", tags=["admin"])


def _require_super_admin(current_user):
    if not current_user.is_admin:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Super-admin access required.",
        )


class RegisterGroupRequest(BaseModel):
    group_email: str


@router.get("/groups", response_model=list[GroupSettingsMeta])
async def list_groups(
    current_user: CurrentUserDep,
    group_config_repo: GroupConfigRepoDep,
) -> list[GroupSettingsMeta]:
    """List all registered Google Groups and their configuration status."""
    _require_super_admin(current_user)
    configs = await group_config_repo.get_all()
    return [
        GroupSettingsMeta(
            id=c.id,
            group_email=c.group_email,
            google_admin_email=c.google_admin_email,
            has_campflow_token=bool(c.campflow_api_token_enc),
            has_service_account=bool(c.service_account_json_enc),
            has_email_password=bool(c.email_password_enc),
            email_account=c.email_account,
            pdf_filename=c.pdf_filename,
            imap_server=c.imap_server,
            imap_port=c.imap_port,
            smtp_server=c.smtp_server,
            smtp_port=c.smtp_port,
            auto_mail_recipient=c.auto_mail_recipient,
            updated_at=c.updated_at,
        )
        for c in configs
    ]


@router.post("/groups", response_model=GroupSettingsMeta, status_code=status.HTTP_201_CREATED)
async def register_group(
    payload: RegisterGroupRequest,
    current_user: CurrentUserDep,
    group_config_repo: GroupConfigRepoDep,
    session: SessionDep,
) -> GroupSettingsMeta:
    """Register a new Google Group. Group admins can then configure credentials via /settings."""
    _require_super_admin(current_user)
    config = await group_config_repo.create_empty(payload.group_email)

    # Audit Log
    await log_action(
        session=session,
        group_email=payload.group_email,
        user_email=current_user.email,
        action="ADMIN_CHANGE",
        details=f"Registered new group: {payload.group_email}"
    )

    return GroupSettingsMeta(
        id=config.id,
        group_email=config.group_email,
        google_admin_email=config.google_admin_email,
        has_campflow_token=bool(config.campflow_api_token_enc),
        has_service_account=bool(config.service_account_json_enc),
        has_email_password=bool(config.email_password_enc),
        email_account=config.email_account,
        pdf_filename=config.pdf_filename,
        imap_server=config.imap_server,
        imap_port=config.imap_port,
        smtp_server=config.smtp_server,
        smtp_port=config.smtp_port,
        auto_mail_recipient=config.auto_mail_recipient,
        updated_at=config.updated_at,
    )


@router.delete("/groups/{group_email}", status_code=status.HTTP_204_NO_CONTENT)
async def remove_group(
    group_email: str,
    current_user: CurrentUserDep,
    group_config_repo: GroupConfigRepoDep,
    session: SessionDep,
) -> None:
    """Remove a registered Google Group and all its stored credentials."""
    _require_super_admin(current_user)

    # Audit Log (Do it before deletion so we have the context if needed, though we only need the email)
    await log_action(
        session=session,
        group_email=group_email,
        user_email=current_user.email,
        action="ADMIN_CHANGE",
        details=f"Removed group: {group_email}"
    )

    deleted = await group_config_repo.delete(group_email)
    if not deleted:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Group not found.")