from pydantic import BaseModel, Field, validator
from typing import Optional, Dict, Any, List
from datetime import datetime
from app.models.permission import PermissionType, ResourceType

class PermissionCreate(BaseModel):
    name: str = Field(..., min_length=3, max_length=100)
    display_name: str = Field(..., min_length=2, max_length=100)
    description: Optional[str] = Field(None, max_length=500)
    resource_type: ResourceType
    permission_type: PermissionType
    scope: Optional[str] = Field(None, max_length=50)
    conditions: Optional[Dict[str, Any]] = None
    parent_permission: Optional[str] = None

    @validator('name')
    def validate_name(cls, v):
        # Permission name should follow pattern: resource.action or resource.action.scope
        parts = v.split('.')
        if len(parts) < 2:
            raise ValueError('Permission name must follow pattern: resource.action or resource.action.scope')
        return v.lower()

class PermissionUpdate(BaseModel):
    display_name: Optional[str] = Field(None, min_length=2, max_length=100)
    description: Optional[str] = Field(None, max_length=500)
    scope: Optional[str] = Field(None, max_length=50)
    conditions: Optional[Dict[str, Any]] = None
    parent_permission: Optional[str] = None
    is_active: Optional[bool] = None

class PermissionResponse(BaseModel):
    id: str
    name: str
    display_name: str
    description: Optional[str] = None
    resource_type: ResourceType
    permission_type: PermissionType
    scope: Optional[str] = None
    conditions: Dict[str, Any]
    parent_permission: Optional[str] = None
    child_permissions: List[str]
    is_active: bool
    is_system_permission: bool
    created_at: datetime
    updated_at: datetime
    created_by: Optional[str] = None
    usage_count: int = 0  # How many roles use this permission

    class Config:
        from_attributes = True

class PermissionCheckRequest(BaseModel):
    user_id: str
    resource: str
    action: str
    scope: Optional[str] = None
    context: Optional[Dict[str, Any]] = None

class PermissionCheckResponse(BaseModel):
    allowed: bool
    reason: Optional[str] = None
    matching_permissions: List[str] = Field(default_factory=list)
    user_roles: List[str] = Field(default_factory=list)

class BulkPermissionCheckRequest(BaseModel):
    user_id: str
    checks: List[Dict[str, Any]]  # List of {resource, action, scope} dicts

class BulkPermissionCheckResponse(BaseModel):
    results: Dict[str, bool]  # key: "resource.action.scope", value: allowed
    details: Dict[str, PermissionCheckResponse]

class PermissionTreeNode(BaseModel):
    name: str
    display_name: str
    description: Optional[str] = None
    children: List["PermissionTreeNode"] = Field(default_factory=list)
    is_active: bool = True

# Update forward reference

class PermissionStatsResponse(BaseModel):
    total_permissions: int
    system_permissions: int
    custom_permissions: int
    active_permissions: int
    permissions_by_resource: Dict[str, int]
    permissions_by_type: Dict[str, int]
    most_used_permissions: List[Dict[str, Any]]

class PermissionUsageResponse(BaseModel):
    permission_name: str
    roles_using: List[str]
    total_users_affected: int
    last_used: Optional[datetime] = None