# -*- coding: utf-8 -*-
"""
Accounts Admin Configuration

This module configures the Django admin interface for the accounts application,
providing comprehensive management interfaces for users, roles, permissions,
security logs, API keys, and user access management.

Features:
- Enhanced user management with profile integration
- Role-based access control (RBAC) management
- Permission and permission group management
- Security monitoring and audit logs
- API key management
- User session tracking
- Bulk operations and advanced filtering
- Custom admin actions and forms

Author: Adtlas Development Team
Version: 1.0.0
Created: 2024
"""

from django.contrib import admin
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
from django.contrib.auth.models import User
from django.utils.html import format_html
from django.urls import reverse
from django.utils.safestring import mark_safe
from django.db.models import Count, Q
from django.utils import timezone
from django.contrib.admin import SimpleListFilter
from django.http import HttpResponse
import csv
import json
from datetime import datetime, timedelta

from .models import (
    UserProfile, Role, Permission, UserRole, RolePermission,
    PermissionGroup, PermissionGroupMembership, UserSession,
    SecurityLog, APIKey, UserAccess
)
from .models_extended import *

# ============================================================================
# Custom Filters
# ============================================================================

class UserTypeFilter(SimpleListFilter):
    """
    Custom filter for user types in the admin interface.
    
    Allows filtering users by their type (admin, manager, operator, viewer)
    with additional options for active/inactive users.
    """
    title = 'User Type'
    parameter_name = 'user_type'

    def lookups(self, request, model_admin):
        """Define the filter options."""
        return (
            ('admin', 'Admin'),
            ('manager', 'Manager'),
            ('operator', 'Operator'),
            ('viewer', 'Viewer'),
            ('active_admin', 'Active Admin'),
            ('inactive', 'Inactive Users'),
        )

    def queryset(self, request, queryset):
        """Filter the queryset based on the selected option."""
        if self.value() == 'admin':
            return queryset.filter(userprofile__user_type='admin')
        elif self.value() == 'manager':
            return queryset.filter(userprofile__user_type='manager')
        elif self.value() == 'operator':
            return queryset.filter(userprofile__user_type='operator')
        elif self.value() == 'viewer':
            return queryset.filter(userprofile__user_type='viewer')
        elif self.value() == 'active_admin':
            return queryset.filter(
                userprofile__user_type='admin',
                is_active=True,
                last_login__gte=timezone.now() - timedelta(days=30)
            )
        elif self.value() == 'inactive':
            return queryset.filter(is_active=False)
        return queryset

class SecurityEventFilter(SimpleListFilter):
    """
    Custom filter for security events by severity and time range.
    """
    title = 'Security Event'
    parameter_name = 'security_event'

    def lookups(self, request, model_admin):
        """Define the filter options."""
        return (
            ('critical', 'Critical Events'),
            ('high', 'High Severity'),
            ('recent', 'Recent (24h)'),
            ('unresolved', 'Unresolved'),
            ('login_failures', 'Login Failures'),
        )

    def queryset(self, request, queryset):
        """Filter the queryset based on the selected option."""
        if self.value() == 'critical':
            return queryset.filter(severity='critical')
        elif self.value() == 'high':
            return queryset.filter(severity='high')
        elif self.value() == 'recent':
            return queryset.filter(
                created_at__gte=timezone.now() - timedelta(hours=24)
            )
        elif self.value() == 'unresolved':
            return queryset.filter(resolved=False)
        elif self.value() == 'login_failures':
            return queryset.filter(event_type='login_failure')
        return queryset

# ============================================================================
# Inline Admin Classes
# ============================================================================

class UserRoleInline(admin.TabularInline):
    """
    Inline admin for managing user roles directly from the user admin page.
    """
    model = UserRole
    extra = 1
    autocomplete_fields = ['role']
    verbose_name = "User Role"
    verbose_name_plural = "User Roles"
    
    def get_queryset(self, request):
        """Optimize queryset with select_related."""
        return super().get_queryset(request).select_related('role')

class RolePermissionInline(admin.TabularInline):
    """
    Inline admin for managing role permissions directly from the role admin page.
    """
    model = RolePermission
    extra = 1
    autocomplete_fields = ['permission']
    verbose_name = "Role Permission"
    verbose_name_plural = "Role Permissions"
    
    def get_queryset(self, request):
        """Optimize queryset with select_related."""
        return super().get_queryset(request).select_related('permission')

class PermissionGroupMembershipInline(admin.TabularInline):
    """
    Inline admin for managing permission group memberships.
    """
    model = PermissionGroupMembership
    extra = 1
    autocomplete_fields = ['permission']
    verbose_name = "Permission"
    verbose_name_plural = "Permissions"

class UserSessionInline(admin.TabularInline):
    """
    Inline admin for viewing user sessions (read-only).
    """
    model = UserSession
    extra = 0
    readonly_fields = [
        'session_key', 'ip_address', 'user_agent', 'device_type',
        'location', 'created_at', 'last_activity', 'is_active'
    ]
    can_delete = False
    verbose_name = "Active Session"
    verbose_name_plural = "Active Sessions"
    
    def has_add_permission(self, request, obj=None):
        """Disable adding sessions manually."""
        return False

class APIKeyInline(admin.TabularInline):
    """
    Inline admin for managing user API keys.
    """
    model = APIKey
    extra = 0
    readonly_fields = ['key_hash', 'created_at', 'last_used', 'usage_count']
    fields = [
        'name', 'key_hash', 'is_active', 'expires_at',
        'allowed_ips', 'rate_limit', 'created_at', 'last_used', 'usage_count'
    ]
    verbose_name = "API Key"
    verbose_name_plural = "API Keys"

# ============================================================================
# Main Admin Classes
# ============================================================================

class UserProfileInline(admin.StackedInline):
    """
    Inline admin for user profiles within the user admin.
    """
    model = UserProfile
    can_delete = False
    verbose_name_plural = 'Profile'
    fields = [
        ('user_type', 'phone'),
        ('avatar', 'timezone'),
        ('language', 'theme'),
        ('email_notifications', 'sms_notifications'),
        ('two_factor_enabled', 'account_locked_until'),
        ('failed_login_attempts', 'last_login_ip'),
        ('api_key', 'notes')
    ]
    readonly_fields = ['api_key', 'last_login_ip', 'failed_login_attempts']

class CustomUserAdmin(BaseUserAdmin):
    """
    Enhanced user admin with profile integration and advanced features.
    """
    inlines = (UserProfileInline, UserRoleInline, UserSessionInline, APIKeyInline)
    list_display = [
        'username', 'email', 'get_full_name', 'get_user_type',
        'get_last_login', 'is_active', 'get_role_count', 'get_session_count'
    ]
    list_filter = [
        UserTypeFilter, 'is_active', 'is_staff', 'is_superuser',
        'date_joined', 'last_login', 'userprofile__two_factor_enabled'
    ]
    search_fields = [
        'username', 'first_name', 'last_name', 'email',
        'userprofile__phone', 'userprofile__notes'
    ]
    ordering = ['-date_joined']
    actions = [
        'activate_users', 'deactivate_users', 'reset_failed_logins',
        'export_users_csv', 'send_password_reset'
    ]
    
    def get_queryset(self, request):
        """Optimize queryset with select_related and prefetch_related."""
        return super().get_queryset(request).select_related(
            'userprofile'
        ).prefetch_related(
            'userrole_set__role',
            'usersession_set',
            'apikey_set'
        )
    
    def get_user_type(self, obj):
        """Display user type with color coding."""
        try:
            user_type = obj.userprofile.user_type
            colors = {
                'admin': '#dc3545',
                'manager': '#fd7e14',
                'operator': '#20c997',
                'viewer': '#6c757d'
            }
            return format_html(
                '<span style="color: {}; font-weight: bold;">{}</span>',
                colors.get(user_type, '#000'),
                user_type.title()
            )
        except UserProfile.DoesNotExist:
            return format_html('<span style="color: #dc3545;">No Profile</span>')
    get_user_type.short_description = 'Type'
    get_user_type.admin_order_field = 'userprofile__user_type'
    
    def get_last_login(self, obj):
        """Display last login with relative time."""
        if obj.last_login:
            return format_html(
                '<span title="{}">{}</span>',
                obj.last_login.strftime('%Y-%m-%d %H:%M:%S'),
                obj.last_login.strftime('%m/%d %H:%M')
            )
        return format_html('<span style="color: #6c757d;">Never</span>')
    get_last_login.short_description = 'Last Login'
    get_last_login.admin_order_field = 'last_login'
    
    def get_role_count(self, obj):
        """Display number of roles assigned to user."""
        count = obj.userrole_set.count()
        if count > 0:
            url = reverse('admin:accounts_userrole_changelist')
            return format_html(
                '<a href="{}?user__id__exact={}">{} role{}</a>',
                url, obj.id, count, 's' if count != 1 else ''
            )
        return '0 roles'
    get_role_count.short_description = 'Roles'
    
    def get_session_count(self, obj):
        """Display number of active sessions."""
        count = obj.usersession_set.filter(is_active=True).count()
        if count > 0:
            return format_html(
                '<span style="color: #28a745; font-weight: bold;">{} active</span>',
                count
            )
        return format_html('<span style="color: #6c757d;">0 active</span>')
    get_session_count.short_description = 'Sessions'
    
    # Custom admin actions
    def activate_users(self, request, queryset):
        """Bulk activate selected users."""
        updated = queryset.update(is_active=True)
        self.message_user(
            request,
            f'{updated} user{"s" if updated != 1 else ""} successfully activated.'
        )
    activate_users.short_description = "Activate selected users"
    
    def deactivate_users(self, request, queryset):
        """Bulk deactivate selected users."""
        updated = queryset.update(is_active=False)
        self.message_user(
            request,
            f'{updated} user{"s" if updated != 1 else ""} successfully deactivated.'
        )
    deactivate_users.short_description = "Deactivate selected users"
    
    def reset_failed_logins(self, request, queryset):
        """Reset failed login attempts for selected users."""
        updated = 0
        for user in queryset:
            try:
                user.userprofile.failed_login_attempts = 0
                user.userprofile.account_locked_until = None
                user.userprofile.save()
                updated += 1
            except UserProfile.DoesNotExist:
                pass
        self.message_user(
            request,
            f'Reset failed login attempts for {updated} user{"s" if updated != 1 else ""}.'
        )
    reset_failed_logins.short_description = "Reset failed login attempts"
    
    def export_users_csv(self, request, queryset):
        """Export selected users to CSV."""
        response = HttpResponse(content_type='text/csv')
        response['Content-Disposition'] = 'attachment; filename="users.csv"'
        
        writer = csv.writer(response)
        writer.writerow([
            'Username', 'Email', 'First Name', 'Last Name',
            'User Type', 'Phone', 'Is Active', 'Date Joined', 'Last Login'
        ])
        
        for user in queryset.select_related('userprofile'):
            writer.writerow([
                user.username,
                user.email,
                user.first_name,
                user.last_name,
                getattr(user.userprofile, 'user_type', ''),
                getattr(user.userprofile, 'phone', ''),
                user.is_active,
                user.date_joined.strftime('%Y-%m-%d'),
                user.last_login.strftime('%Y-%m-%d %H:%M') if user.last_login else ''
            ])
        
        return response
    export_users_csv.short_description = "Export selected users to CSV"

@admin.register(Role)
class RoleAdmin(admin.ModelAdmin):
    """
    Admin interface for role management with hierarchy support.
    """
    list_display = [
        'name', 'code', 'get_parent', 'get_permission_count',
        'get_user_count', 'is_active', 'created_at'
    ]
    list_filter = ['is_active', 'created_at', 'parent']
    search_fields = ['name', 'code', 'description']
    ordering = ['name']
    inlines = [RolePermissionInline]
    actions = ['activate_roles', 'deactivate_roles', 'export_roles_csv']
    
    fieldsets = [
        ('Basic Information', {
            'fields': ('name', 'code', 'description')
        }),
        ('Hierarchy', {
            'fields': ('parent', 'inherit_permissions')
        }),
        ('Status', {
            'fields': ('is_active',)
        }),
        ('Metadata', {
            'fields': ('created_at', 'updated_at'),
            'classes': ('collapse',)
        })
    ]
    readonly_fields = ['created_at', 'updated_at']
    
    def get_queryset(self, request):
        """Optimize queryset with select_related and annotations."""
        return super().get_queryset(request).select_related(
            'parent'
        ).annotate(
            permission_count=Count('rolepermission'),
            user_count=Count('userrole')
        )
    
    def get_parent(self, obj):
        """Display parent role with link."""
        if obj.parent:
            url = reverse('admin:accounts_role_change', args=[obj.parent.id])
            return format_html('<a href="{}">{}</a>', url, obj.parent.name)
        return '-'
    get_parent.short_description = 'Parent Role'
    get_parent.admin_order_field = 'parent__name'
    
    def get_permission_count(self, obj):
        """Display number of permissions assigned to role."""
        count = obj.permission_count
        if count > 0:
            url = reverse('admin:accounts_rolepermission_changelist')
            return format_html(
                '<a href="{}?role__id__exact={}">{} permission{}</a>',
                url, obj.id, count, 's' if count != 1 else ''
            )
        return '0 permissions'
    get_permission_count.short_description = 'Permissions'
    
    def get_user_count(self, obj):
        """Display number of users assigned to role."""
        count = obj.user_count
        if count > 0:
            url = reverse('admin:accounts_userrole_changelist')
            return format_html(
                '<a href="{}?role__id__exact={}">{} user{}</a>',
                url, obj.id, count, 's' if count != 1 else ''
            )
        return '0 users'
    get_user_count.short_description = 'Users'
    
    def activate_roles(self, request, queryset):
        """Bulk activate selected roles."""
        updated = queryset.update(is_active=True)
        self.message_user(
            request,
            f'{updated} role{"s" if updated != 1 else ""} successfully activated.'
        )
    activate_roles.short_description = "Activate selected roles"
    
    def deactivate_roles(self, request, queryset):
        """Bulk deactivate selected roles."""
        updated = queryset.update(is_active=False)
        self.message_user(
            request,
            f'{updated} role{"s" if updated != 1 else ""} successfully deactivated.'
        )
    deactivate_roles.short_description = "Deactivate selected roles"

@admin.register(Permission)
class PermissionAdmin(admin.ModelAdmin):
    """
    Admin interface for permission management.
    """
    list_display = [
        'name', 'code', 'resource', 'action',
        'get_role_count', 'get_group_count', 'is_active'
    ]
    list_filter = ['resource', 'action', 'is_active', 'created_at']
    search_fields = ['name', 'code', 'resource', 'action', 'description']
    ordering = ['resource', 'action', 'name']
    actions = ['activate_permissions', 'deactivate_permissions']
    
    fieldsets = [
        ('Basic Information', {
            'fields': ('name', 'code', 'description')
        }),
        ('Access Control', {
            'fields': ('resource', 'action')
        }),
        ('Status', {
            'fields': ('is_active',)
        }),
        ('Metadata', {
            'fields': ('created_at', 'updated_at'),
            'classes': ('collapse',)
        })
    ]
    readonly_fields = ['created_at', 'updated_at']
    
    def get_queryset(self, request):
        """Optimize queryset with annotations."""
        return super().get_queryset(request).annotate(
            role_count=Count('rolepermission'),
            group_count=Count('permissiongroupmembership')
        )
    
    def get_role_count(self, obj):
        """Display number of roles with this permission."""
        count = obj.role_count
        if count > 0:
            url = reverse('admin:accounts_rolepermission_changelist')
            return format_html(
                '<a href="{}?permission__id__exact={}">{} role{}</a>',
                url, obj.id, count, 's' if count != 1 else ''
            )
        return '0 roles'
    get_role_count.short_description = 'Roles'
    
    def get_group_count(self, obj):
        """Display number of permission groups containing this permission."""
        count = obj.group_count
        if count > 0:
            return format_html(
                '<span style="color: #007bff;">{} group{}</span>',
                count, 's' if count != 1 else ''
            )
        return '0 groups'
    get_group_count.short_description = 'Groups'

@admin.register(PermissionGroup)
class PermissionGroupAdmin(admin.ModelAdmin):
    """
    Admin interface for permission group management.
    """
    list_display = [
        'name', 'code', 'get_permission_count',
        'is_active', 'created_at'
    ]
    list_filter = ['is_active', 'created_at']
    search_fields = ['name', 'code', 'description']
    ordering = ['name']
    inlines = [PermissionGroupMembershipInline]
    
    def get_queryset(self, request):
        """Optimize queryset with annotations."""
        return super().get_queryset(request).annotate(
            permission_count=Count('permissiongroupmembership')
        )
    
    def get_permission_count(self, obj):
        """Display number of permissions in group."""
        count = obj.permission_count
        return f'{count} permission{"s" if count != 1 else ""}'
    get_permission_count.short_description = 'Permissions'

@admin.register(UserRole)
class UserRoleAdmin(admin.ModelAdmin):
    """
    Admin interface for user-role assignments.
    """
    list_display = [
        'get_user', 'get_role', 'assigned_by',
        'assigned_at', 'expires_at', 'is_active'
    ]
    list_filter = [
        'is_active', 'assigned_at', 'expires_at',
        'role__name', 'user__userprofile__user_type'
    ]
    search_fields = [
        'user__username', 'user__email', 'role__name',
        'assigned_by__username'
    ]
    autocomplete_fields = ['user', 'role', 'assigned_by']
    ordering = ['-assigned_at']
    
    def get_user(self, obj):
        """Display user with link to user admin."""
        url = reverse('admin:auth_user_change', args=[obj.user.id])
        return format_html(
            '<a href="{}">{} ({})</a>',
            url, obj.user.get_full_name() or obj.user.username, obj.user.username
        )
    get_user.short_description = 'User'
    get_user.admin_order_field = 'user__username'
    
    def get_role(self, obj):
        """Display role with link to role admin."""
        url = reverse('admin:accounts_role_change', args=[obj.role.id])
        return format_html('<a href="{}">{}</a>', url, obj.role.name)
    get_role.short_description = 'Role'
    get_role.admin_order_field = 'role__name'

@admin.register(SecurityLog)
class SecurityLogAdmin(admin.ModelAdmin):
    """
    Admin interface for security log monitoring.
    """
    list_display = [
        'get_event_type', 'get_user', 'get_severity',
        'ip_address', 'get_resolved', 'created_at'
    ]
    list_filter = [
        SecurityEventFilter, 'severity', 'resolved',
        'event_type', 'created_at'
    ]
    search_fields = [
        'user__username', 'ip_address', 'user_agent',
        'event_data', 'resolution_notes'
    ]
    readonly_fields = [
        'created_at', 'event_data_formatted', 'user_agent_info'
    ]
    ordering = ['-created_at']
    actions = ['mark_resolved', 'mark_unresolved', 'export_logs_csv']
    
    fieldsets = [
        ('Event Information', {
            'fields': ('event_type', 'severity', 'user', 'ip_address')
        }),
        ('Details', {
            'fields': ('description', 'event_data_formatted', 'user_agent_info')
        }),
        ('Resolution', {
            'fields': ('resolved', 'resolved_by', 'resolved_at', 'resolution_notes')
        }),
        ('Metadata', {
            'fields': ('created_at',),
            'classes': ('collapse',)
        })
    ]
    
    def get_queryset(self, request):
        """Optimize queryset with select_related."""
        return super().get_queryset(request).select_related(
            'user', 'resolved_by'
        )
    
    def get_event_type(self, obj):
        """Display event type with color coding."""
        colors = {
            'login_success': '#28a745',
            'login_failure': '#dc3545',
            'password_change': '#007bff',
            'account_locked': '#fd7e14',
            'permission_denied': '#dc3545',
            'suspicious_activity': '#dc3545'
        }
        return format_html(
            '<span style="color: {}; font-weight: bold;">{}</span>',
            colors.get(obj.event_type, '#000'),
            obj.get_event_type_display()
        )
    get_event_type.short_description = 'Event Type'
    get_event_type.admin_order_field = 'event_type'
    
    def get_user(self, obj):
        """Display user with link if available."""
        if obj.user:
            url = reverse('admin:auth_user_change', args=[obj.user.id])
            return format_html('<a href="{}">{}</a>', url, obj.user.username)
        return '-'
    get_user.short_description = 'User'
    get_user.admin_order_field = 'user__username'
    
    def get_severity(self, obj):
        """Display severity with color coding."""
        colors = {
            'low': '#28a745',
            'medium': '#ffc107',
            'high': '#fd7e14',
            'critical': '#dc3545'
        }
        return format_html(
            '<span style="color: {}; font-weight: bold;">{}</span>',
            colors.get(obj.severity, '#000'),
            obj.severity.upper()
        )
    get_severity.short_description = 'Severity'
    get_severity.admin_order_field = 'severity'
    
    def get_resolved(self, obj):
        """Display resolution status with icon."""
        if obj.resolved:
            return format_html(
                '<span style="color: #28a745;">✓ Resolved</span>'
            )
        return format_html(
            '<span style="color: #dc3545;">✗ Unresolved</span>'
        )
    get_resolved.short_description = 'Status'
    get_resolved.admin_order_field = 'resolved'
    
    def event_data_formatted(self, obj):
        """Display formatted event data."""
        if obj.event_data:
            try:
                data = json.loads(obj.event_data) if isinstance(obj.event_data, str) else obj.event_data
                formatted = json.dumps(data, indent=2)
                return format_html('<pre>{}</pre>', formatted)
            except (json.JSONDecodeError, TypeError):
                return obj.event_data
        return '-'
    event_data_formatted.short_description = 'Event Data'
    
    def user_agent_info(self, obj):
        """Display formatted user agent information."""
        if obj.user_agent:
            return format_html('<code>{}</code>', obj.user_agent)
        return '-'
    user_agent_info.short_description = 'User Agent'
    
    def mark_resolved(self, request, queryset):
        """Mark selected logs as resolved."""
        updated = queryset.update(
            resolved=True,
            resolved_by=request.user,
            resolved_at=timezone.now()
        )
        self.message_user(
            request,
            f'{updated} log{"s" if updated != 1 else ""} marked as resolved.'
        )
    mark_resolved.short_description = "Mark as resolved"
    
    def mark_unresolved(self, request, queryset):
        """Mark selected logs as unresolved."""
        updated = queryset.update(
            resolved=False,
            resolved_by=None,
            resolved_at=None
        )
        self.message_user(
            request,
            f'{updated} log{"s" if updated != 1 else ""} marked as unresolved.'
        )
    mark_unresolved.short_description = "Mark as unresolved"

@admin.register(UserSession)
class UserSessionAdmin(admin.ModelAdmin):
    """
    Admin interface for user session monitoring.
    """
    list_display = [
        'get_user', 'ip_address', 'device_type',
        'get_location', 'get_duration', 'is_active', 'last_activity'
    ]
    list_filter = [
        'is_active', 'device_type', 'created_at',
        'last_activity', 'user__userprofile__user_type'
    ]
    search_fields = [
        'user__username', 'ip_address', 'user_agent',
        'location', 'session_key'
    ]
    readonly_fields = [
        'session_key', 'created_at', 'user_agent_formatted',
        'duration_formatted'
    ]
    ordering = ['-last_activity']
    actions = ['terminate_sessions', 'export_sessions_csv']
    
    def get_queryset(self, request):
        """Optimize queryset with select_related."""
        return super().get_queryset(request).select_related('user')
    
    def get_user(self, obj):
        """Display user with link."""
        url = reverse('admin:auth_user_change', args=[obj.user.id])
        return format_html('<a href="{}">{}</a>', url, obj.user.username)
    get_user.short_description = 'User'
    get_user.admin_order_field = 'user__username'
    
    def get_location(self, obj):
        """Display location with flag if available."""
        if obj.location:
            return format_html('<span title="{}">{}</span>', obj.location, obj.location[:20])
        return '-'
    get_location.short_description = 'Location'
    
    def get_duration(self, obj):
        """Display session duration."""
        if obj.is_active:
            duration = timezone.now() - obj.created_at
        else:
            duration = obj.last_activity - obj.created_at
        
        total_seconds = int(duration.total_seconds())
        hours = total_seconds // 3600
        minutes = (total_seconds % 3600) // 60
        
        if hours > 0:
            return f'{hours}h {minutes}m'
        return f'{minutes}m'
    get_duration.short_description = 'Duration'
    
    def user_agent_formatted(self, obj):
        """Display formatted user agent."""
        if obj.user_agent:
            return format_html('<code>{}</code>', obj.user_agent)
        return '-'
    user_agent_formatted.short_description = 'User Agent'
    
    def duration_formatted(self, obj):
        """Display detailed duration information."""
        return self.get_duration(obj)
    duration_formatted.short_description = 'Session Duration'
    
    def terminate_sessions(self, request, queryset):
        """Terminate selected sessions."""
        updated = queryset.update(is_active=False)
        self.message_user(
            request,
            f'{updated} session{"s" if updated != 1 else ""} terminated.'
        )
    terminate_sessions.short_description = "Terminate selected sessions"

@admin.register(APIKey)
class APIKeyAdmin(admin.ModelAdmin):
    """
    Admin interface for API key management.
    """
    list_display = [
        'name', 'get_user', 'get_key_preview',
        'get_usage', 'is_active', 'expires_at', 'last_used'
    ]
    list_filter = [
        'is_active', 'created_at', 'expires_at',
        'last_used', 'user__userprofile__user_type'
    ]
    search_fields = [
        'name', 'user__username', 'allowed_ips',
        'key_hash'
    ]
    readonly_fields = [
        'key_hash', 'created_at', 'last_used',
        'usage_count', 'usage_stats'
    ]
    ordering = ['-created_at']
    actions = ['activate_keys', 'deactivate_keys', 'reset_usage']
    
    fieldsets = [
        ('Basic Information', {
            'fields': ('name', 'user', 'key_hash')
        }),
        ('Access Control', {
            'fields': ('is_active', 'expires_at', 'allowed_ips', 'rate_limit')
        }),
        ('Usage Statistics', {
            'fields': ('usage_count', 'last_used', 'usage_stats'),
            'classes': ('collapse',)
        }),
        ('Metadata', {
            'fields': ('created_at',),
            'classes': ('collapse',)
        })
    ]
    
    def get_queryset(self, request):
        """Optimize queryset with select_related."""
        return super().get_queryset(request).select_related('user')
    
    def get_user(self, obj):
        """Display user with link."""
        url = reverse('admin:auth_user_change', args=[obj.user.id])
        return format_html('<a href="{}">{}</a>', url, obj.user.username)
    get_user.short_description = 'User'
    get_user.admin_order_field = 'user__username'
    
    def get_key_preview(self, obj):
        """Display key preview (first and last 4 characters)."""
        if obj.key_hash and len(obj.key_hash) > 8:
            return f'{obj.key_hash[:4]}...{obj.key_hash[-4:]}'
        return 'Hidden'
    get_key_preview.short_description = 'Key Preview'
    
    def get_usage(self, obj):
        """Display usage statistics."""
        if obj.usage_count > 0:
            return format_html(
                '<span style="color: #007bff;">{} calls</span>',
                obj.usage_count
            )
        return '0 calls'
    get_usage.short_description = 'Usage'
    
    def usage_stats(self, obj):
        """Display detailed usage statistics."""
        stats = [
            f'Total calls: {obj.usage_count}',
            f'Created: {obj.created_at.strftime("%Y-%m-%d %H:%M")}',
        ]
        if obj.last_used:
            stats.append(f'Last used: {obj.last_used.strftime("%Y-%m-%d %H:%M")}')
        if obj.expires_at:
            stats.append(f'Expires: {obj.expires_at.strftime("%Y-%m-%d %H:%M")}')
        
        return format_html('<br>'.join(stats))
    usage_stats.short_description = 'Usage Statistics'

@admin.register(UserAccess)
class UserAccessAdmin(admin.ModelAdmin):
    """
    Admin interface for user access management (FTP, VPN, etc.).
    """
    list_display = [
        'get_user', 'service_type', 'username',
        'get_connection_status', 'is_active', 'last_tested'
    ]
    list_filter = [
        'service_type', 'is_active', 'created_at',
        'last_tested', 'connection_successful'
    ]
    search_fields = [
        'user__username', 'service_type', 'username',
        'host', 'notes'
    ]
    readonly_fields = [
        'created_at', 'updated_at', 'last_tested',
        'connection_successful', 'connection_details'
    ]
    ordering = ['-created_at']
    actions = ['test_connections', 'activate_access', 'deactivate_access']
    
    fieldsets = [
        ('User Information', {
            'fields': ('user', 'service_type')
        }),
        ('Connection Details', {
            'fields': ('username', 'password', 'host', 'port')
        }),
        ('Status', {
            'fields': ('is_active', 'notes')
        }),
        ('Connection Testing', {
            'fields': (
                'last_tested', 'connection_successful',
                'connection_details'
            ),
            'classes': ('collapse',)
        }),
        ('Metadata', {
            'fields': ('created_at', 'updated_at'),
            'classes': ('collapse',)
        })
    ]
    
    def get_queryset(self, request):
        """Optimize queryset with select_related."""
        return super().get_queryset(request).select_related('user')
    
    def get_user(self, obj):
        """Display user with link."""
        url = reverse('admin:auth_user_change', args=[obj.user.id])
        return format_html('<a href="{}">{}</a>', url, obj.user.username)
    get_user.short_description = 'User'
    get_user.admin_order_field = 'user__username'
    
    def get_connection_status(self, obj):
        """Display connection status with color coding."""
        if obj.last_tested:
            if obj.connection_successful:
                return format_html(
                    '<span style="color: #28a745;">✓ Connected</span>'
                )
            else:
                return format_html(
                    '<span style="color: #dc3545;">✗ Failed</span>'
                )
        return format_html(
            '<span style="color: #6c757d;">Not tested</span>'
        )
    get_connection_status.short_description = 'Status'
    
    def test_connections(self, request, queryset):
        """Test connections for selected access entries."""
        tested = 0
        successful = 0
        
        for access in queryset:
            try:
                # This would call the actual test_connection method
                # For now, we'll just update the timestamp
                access.last_tested = timezone.now()
                access.save()
                tested += 1
                # In a real implementation, you'd test the actual connection
                # and set connection_successful accordingly
            except Exception as e:
                pass
        
        self.message_user(
            request,
            f'Tested {tested} connection{"s" if tested != 1 else ""}. '
            f'{successful} successful.'
        )
    test_connections.short_description = "Test selected connections"

# ============================================================================
# Unregister and Re-register User Admin
# ============================================================================

# Unregister the default User admin
admin.site.unregister(User)

# Register our custom User admin
admin.site.register(User, CustomUserAdmin)

# ============================================================================
# Admin Site Customization
# ============================================================================

# Customize admin site headers and titles
admin.site.site_header = 'Adtlas Accounts Administration'
admin.site.site_title = 'Adtlas Accounts Admin'
admin.site.index_title = 'Welcome to Adtlas Accounts Administration'

# Add custom CSS and JavaScript if needed
# admin.site.enable_nav_sidebar = False  # Disable sidebar if desired