<?php

namespace KTXC\Controllers;

use KTXC\Http\Response\JsonResponse;
use KTXC\SessionIdentity;
use KTXC\SessionTenant;
use KTXC\Service\UserRolesService;
use KTXF\Controller\ControllerAbstract;
use KTXF\Routing\Attributes\AuthenticatedRoute;
use Psr\Log\LoggerInterface;

/**
 * User Roles Controller
 * Core administrative role management operations
 */
class UserRolesController extends ControllerAbstract
{
    public function __construct(
        private readonly SessionTenant $tenantIdentity,
        private readonly SessionIdentity $userIdentity,
        private readonly UserRolesService $roleService,
        private readonly LoggerInterface $logger
    ) {}

    /**
     * Main versioned endpoint for role management
     */
    #[AuthenticatedRoute('/user/roles/v1', name: 'user.roles.v1', methods: ['POST'])]
    public function index(int $version, string $transaction, string $operation, array $data = []): JsonResponse
    {
        try {
            // Check role admin permission
            if (!$this->userIdentity->hasPermission('role.admin')) {
                return new JsonResponse([
                    'status' => 'error',
                    'data' => ['code' => 403, 'message' => 'Insufficient permissions']
                ], JsonResponse::HTTP_FORBIDDEN);
            }

            $result = $this->process($operation, $data);
            
            return new JsonResponse([
                'version' => $version,
                'transaction' => $transaction,
                'operation' => $operation,
                'status' => 'success',
                'data' => $result,
            ], JsonResponse::HTTP_OK);
            
        } catch (\InvalidArgumentException $e) {
            $this->logger->error('Role manager validation error', [
                'operation' => $operation,
                'error' => $e->getMessage(),
                'trace' => $e->getTraceAsString()
            ]);
            
            return new JsonResponse([
                'version' => $version,
                'transaction' => $transaction,
                'operation' => $operation,
                'status' => 'error',
                'data' => ['code' => 400, 'message' => $e->getMessage()]
            ], JsonResponse::HTTP_BAD_REQUEST);
            
        } catch (\Throwable $e) {
            $this->logger->error('Role manager operation failed', [
                'operation' => $operation,
                'error' => $e->getMessage(),
                'trace' => $e->getTraceAsString()
            ]);
            
            return new JsonResponse([
                'version' => $version,
                'transaction' => $transaction,
                'operation' => $operation,
                'status' => 'error',
                'data' => ['code' => $e->getCode(), 'message' => $e->getMessage()]
            ], JsonResponse::HTTP_INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Process operation
     */
    private function process(string $operation, array $data): mixed
    {
        return match ($operation) {
            'role.list' => $this->roleList($data),
            'role.fetch' => $this->roleFetch($data),
            'role.create' => $this->roleCreate($data),
            'role.update' => $this->roleUpdate($data),
            'role.delete' => $this->roleDelete($data),
            'permissions.list' => $this->permissionsList($data),
            default => throw new \InvalidArgumentException("Invalid operation: {$operation}"),
        };
    }

    // =========================================================================
    // Role Operations
    // =========================================================================

    /**
     * List all roles
     */
    private function roleList(array $data): array
    {
        $roles = $this->roleService->listRoles();
        
        // Add user count to each role
        foreach ($roles as &$role) {
            $role['user_count'] = $this->roleService->getRoleUserCount($role['rid']);
        }
        
        return $roles;
    }

    /**
     * Fetch single role
     */
    private function roleFetch(array $data): array
    {
        $rid = $data['rid'] ?? throw new \InvalidArgumentException('Role ID required');
        
        $role = $this->roleService->getRole($rid);
        if (!$role) {
            throw new \InvalidArgumentException('Role not found');
        }
        
        $role['user_count'] = $this->roleService->getRoleUserCount($rid);
        
        return $role;
    }

    /**
     * Create new role
     */
    private function roleCreate(array $data): array
    {
        if (!$this->userIdentity->hasPermission('role.manage')) {
            throw new \InvalidArgumentException('Insufficient permissions to create roles');
        }
        
        $roleData = [
            'label' => $data['label'] ?? throw new \InvalidArgumentException('Role label required'),
            'description' => $data['description'] ?? '',
            'permissions' => $data['permissions'] ?? []
        ];
        
        return $this->roleService->createRole($roleData);
    }

    /**
     * Update existing role
     */
    private function roleUpdate(array $data): bool
    {
        if (!$this->userIdentity->hasPermission('role.manage')) {
            throw new \InvalidArgumentException('Insufficient permissions to update roles');
        }
        
        $rid = $data['rid'] ?? throw new \InvalidArgumentException('Role ID required');
        
        $updates = [];
        $allowedFields = ['label', 'description', 'permissions'];
        
        foreach ($allowedFields as $field) {
            if (isset($data[$field])) {
                $updates[$field] = $data[$field];
            }
        }
        
        if (empty($updates)) {
            throw new \InvalidArgumentException('No valid fields to update');
        }
        
        return $this->roleService->updateRole($rid, $updates);
    }

    /**
     * Delete role
     */
    private function roleDelete(array $data): bool
    {
        if (!$this->userIdentity->hasPermission('role.manage')) {
            throw new \InvalidArgumentException('Insufficient permissions to delete roles');
        }
        
        $rid = $data['rid'] ?? throw new \InvalidArgumentException('Role ID required');
        
        return $this->roleService->deleteRole($rid);
    }

    /**
     * Get available permissions
     */
    private function permissionsList(array $data): array
    {
        return $this->roleService->availablePermissions();
    }
}