"""
Tests for admin endpoints

Covers:
- Admin user management CRUD
- RBAC enforcement on admin routes
- Analytics endpoints
"""
import pytest


class TestAdminUserManagement:
    """Test admin user management endpoints"""

    def test_list_users_as_admin(self, client, admin_auth_headers):
        """Admin should be able to list all users"""
        response = client.get("/api/admin/users", headers=admin_auth_headers)
        
        assert response.status_code == 200
        users = response.json()
        assert isinstance(users, list)
        # At least admin and test users should exist
        assert len(users) >= 1

    def test_list_users_as_regular_user(self, client, test_user_auth_headers):
        """Regular user should not be able to list users"""
        response = client.get("/api/admin/users", headers=test_user_auth_headers)
        
        assert response.status_code == 403

    def test_list_users_unauthorized(self, client):
        """Unauthenticated request should be rejected"""
        response = client.get("/api/admin/users")
        
        assert response.status_code == 401

    def test_create_user_as_admin(self, client, admin_auth_headers):
        """Admin should be able to create new users"""
        import uuid
        unique_email = f"newuser_{uuid.uuid4().hex[:8]}@test.com"
        
        response = client.post("/api/admin/users",
            headers=admin_auth_headers,
            json={
                "email": unique_email,
                "full_name": "New Created User"
            }
        )
        
        assert response.status_code == 200
        data = response.json()
        assert data["email"] == unique_email
        assert data["full_name"] == "New Created User"
        assert "password" in data  # Generated password returned
        assert "totp_secret" in data  # TOTP secret returned

    def test_create_user_as_regular_user(self, client, test_user_auth_headers):
        """Regular user should not be able to create users"""
        response = client.post("/api/admin/users",
            headers=test_user_auth_headers,
            json={
                "email": "newuser@test.com",
                "full_name": "New User"
            }
        )
        
        assert response.status_code == 403

    def test_create_duplicate_user(self, client, admin_auth_headers):
        """Creating user with existing email should fail"""
        # Try to create user with admin's email
        response = client.post("/api/admin/users",
            headers=admin_auth_headers,
            json={
                "email": "jackamichai@gmail.com",
                "full_name": "Duplicate User"
            }
        )
        
        assert response.status_code == 400
        assert "already registered" in response.json()["detail"].lower()


class TestAdminRBAC:
    """Test Role-Based Access Control for admin endpoints"""

    def test_admin_panel_requires_admin_role(self, client, test_user_auth_headers):
        """Regular users cannot access admin panel endpoints"""
        endpoints = [
            "/api/admin/users",
            "/api/admin/analytics",
        ]
        
        for endpoint in endpoints:
            response = client.get(endpoint, headers=test_user_auth_headers)
            assert response.status_code in [403, 404], f"Expected 403/404 for {endpoint}"

    def test_admin_can_access_all_endpoints(self, client, admin_auth_headers):
        """Admin should access admin-only endpoints"""
        response = client.get("/api/admin/users", headers=admin_auth_headers)
        assert response.status_code == 200


class TestAdminAnalytics:
    """Test admin analytics endpoints"""

    def test_get_analytics_as_admin(self, client, admin_auth_headers):
        """Admin should access analytics"""
        response = client.get("/api/admin/analytics", headers=admin_auth_headers)
        
        # May return 200 or 404 depending on whether endpoint exists
        assert response.status_code in [200, 404]

    def test_analytics_contains_usage_data(self, client, admin_auth_headers):
        """Analytics response should contain usage metrics"""
        response = client.get("/api/admin/analytics", headers=admin_auth_headers)
        
        if response.status_code == 200:
            data = response.json()
            # Verify expected fields if endpoint exists
            assert isinstance(data, dict)


class TestUserTOTPSetup:
    """Test TOTP setup endpoints for users"""

    def test_get_user_totp_setup_as_admin(self, client, admin_auth_headers):
        """Admin can retrieve TOTP setup for any user"""
        # First create a user
        import uuid
        unique_email = f"totptest_{uuid.uuid4().hex[:8]}@test.com"
        
        create_response = client.post("/api/admin/users",
            headers=admin_auth_headers,
            json={
                "email": unique_email,
                "full_name": "TOTP Test User"
            }
        )
        
        if create_response.status_code == 200:
            user_id = create_response.json()["id"]
            
            # Get TOTP setup (returns HTML page)
            response = client.get(f"/api/admin/users/{user_id}/totp-setup",
                headers=admin_auth_headers
            )
            
            assert response.status_code == 200