import logging
import os
from typing import Dict, List

import httpx
import msal
import chainlit as cl


def read_env_list(var_name: str) -> List[str]:
    """Reads a comma-separated list from the environment variable."""
    value = os.getenv(var_name, "")
    return [item.strip() for item in value.split(",") if item.strip()]


def get_env_var(name: str, fallback: str = None) -> str:
    """Helper to fetch and log missing environment variables."""
    value = os.getenv(name, fallback)
    if value is None:
        logging.warning(f"[auth] Environment variable '{name}' is not set.")
    return value


async def get_user_groups(access_token: str) -> List[str]:
    """Fetch user group names from Microsoft Graph API."""
    graph_url = "https://graph.microsoft.com/v1.0/me/memberOf"
    headers = {"Authorization": f"Bearer {access_token}"}

    try:
        async with httpx.AsyncClient() as client:
            response = await client.get(graph_url, headers=headers)
            response.raise_for_status()
            group_data = response.json()
        groups = [g.get("displayName", "unknown-group") for g in group_data.get("value", [])]
        logging.info(f"[auth] User groups: {groups}")
        return groups
    except Exception as e:
        logging.warning(f"[auth] Failed to retrieve groups: {e}")
        return []


def is_user_authorized(name: str, principal_id: str, groups: List[str]) -> bool:
    """Check if user is authorized based on group or user criteria."""
    allowed_names = read_env_list("ALLOWED_USER_NAMES")
    allowed_ids = read_env_list("ALLOWED_USER_PRINCIPALS")
    allowed_groups = read_env_list("ALLOWED_GROUP_NAMES")

    if not (allowed_names or allowed_ids or allowed_groups):
        return True

    if name in allowed_names or principal_id in allowed_ids:
        return True

    if any(group in allowed_groups for group in groups):
        return True

    logging.info(f"[auth] Access denied for user {name}. Not in allowed users or groups.")
    return False


@cl.oauth_callback
async def oauth_callback(
    provider_id: str, code: str, raw_user_data: Dict[str, str], default_user: cl.User
) -> cl.User:
    """Handles the OAuth callback and returns a validated Chainlit User."""
    client_id = get_env_var("OAUTH_AZURE_AD_CLIENT_ID", get_env_var("CLIENT_ID"))
    client_secret = get_env_var("OAUTH_AZURE_AD_CLIENT_SECRET")
    tenant_id = get_env_var("OAUTH_AZURE_AD_TENANT_ID")
    authority = f"https://login.microsoftonline.com/{tenant_id}"
    scopes = read_env_list("OAUTH_AZURE_AD_SCOPES") or ["User.Read"]

    # Build MSAL confidential client
    msal_app = msal.ConfidentialClientApplication(
        client_id,
        authority=authority,
        client_credential=client_secret
    )

    result = msal_app.acquire_token_by_refresh_token(
        refresh_token=default_user.metadata.get("refresh_token"),
        scopes=scopes
    )

    if "error" in result:
        error_desc = result.get("error_description", "Unknown error")
        raise Exception(f"Token acquisition failed: {error_desc}")

    access_token = result.get("access_token")
    refresh_token = result.get("refresh_token")
    id_token = result.get("id_token_claims", {})

    user_id = id_token.get("oid", "00000000-0000-0000-0000-000000000000")
    user_name = id_token.get("name", "anonymous")
    principal_name = id_token.get("preferred_username", "")

    # Fetch user groups
    groups = await get_user_groups(access_token) if access_token else []
    authorized = is_user_authorized(principal_name, user_id, groups)

    return cl.User(
        identifier=user_name,
        metadata={
            "access_token": access_token,
            "refresh_token": refresh_token,
            "authorized": authorized,
            "user_name": user_name,
            "client_principal_id": user_id,
            "client_principal_name": principal_name,
            "client_group_names": groups
        }
    )