import msal
from django.conf import settings as s
from django.contrib.auth import login
from django.shortcuts import redirect
from django.contrib.auth import get_user_model

from epdb.logic import UserManager, GroupManager
from epdb.models import Group

def entra_login(request):
    msal_app = msal.ConfidentialClientApplication(
        client_id=s.MS_ENTRA_CLIENT_ID,
        client_credential=s.MS_ENTRA_CLIENT_SECRET,
        authority=s.MS_ENTRA_AUTHORITY,
    )

    flow = msal_app.initiate_auth_code_flow(
        scopes=s.MS_ENTRA_SCOPES, redirect_uri=s.MS_ENTRA_REDIRECT_URI
    )

    request.session["msal_auth_flow"] = flow
    return redirect(flow["auth_uri"])


def entra_callback(request):
    msal_app = msal.ConfidentialClientApplication(
        client_id=s.MS_ENTRA_CLIENT_ID,
        client_credential=s.MS_ENTRA_CLIENT_SECRET,
        authority=s.MS_ENTRA_AUTHORITY,
    )

    flow = request.session.pop("msal_auth_flow", None)
    if not flow:
        return redirect("/")

    # Acquire token using the flow and callback request
    result = msal_app.acquire_token_by_auth_code_flow(flow, request.GET)
    print(result)
    # if "error" in result:
    #     {'correlation_id': '626f511b-5230-4d06-9ffd-d89a764082c6',
    #      'error': 'invalid_client',
    #      'error_codes': [7000222],
    #      'error_description': 'AADSTS7000222: The provided client secret keys for app '
    #                           "'35c75dfb-bd15-493d-b4e9-af847f2df894' are expired. "
    #                           'Visit the Azure portal to create new keys for your app: '
    #                           'https://aka.ms/NewClientSecret, or consider using '
    #                           'certificate credentials for added security: '
    #                           'https://aka.ms/certCreds. Trace ID: '
    #                           '30ba1c58-c949-4432-9ed6-3b6136856700 Correlation ID: '
    #                           '626f511b-5230-4d06-9ffd-d89a764082c6 Timestamp: '
    #                           '2026-04-15 08:21:15Z',
    #      'error_uri': 'https://login.microsoftonline.com/error?code=7000222',
    #      'timestamp': '2026-04-15 08:21:15Z',
    #      'trace_id': '30ba1c58-c949-4432-9ed6-3b6136856700'}
    #     return redirect("/")

    claims = result["id_token_claims"]

    user_name = claims["name"]
    user_email = claims.get("emailaddress", claims["email"])
    user_oid = claims["oid"]

    # Get implementing class
    User = get_user_model()

    if User.objects.filter(uuid=user_oid).exists():
        u = User.objects.get(uuid=user_oid)

        if u.username != user_name:
            u.username = user_name
            u.save()

    else:
        u = UserManager.create_user(user_name, user_email, None, uuid=user_oid, is_active=True)

    login(request, u)

    # EDIT START
    # Ensure groups exists in eP
    for id, name in s.ENTRA_SECRET_GROUPS.items():
        if not Group.objects.filter(uuid=id).exists():
            g = GroupManager.create_group(User.objects.get(username="admin"), name, f"Synced Entra Group {name} ", uuid=id)
        else:
            g = Group.objects.get(uuid=id)
        # Ensure its secret
        g.secret = True
        g.save()

    for id, name in s.ENTRA_GROUPS.items():
        if not Group.objects.filter(uuid=id).exists():
            g = GroupManager.create_group(User.objects.get(username="admin"), name, f"Synced Entra Group {name} ", uuid=id)
        else:
            g = Group.objects.get(uuid=id)

    for group_uuid in claims.get("groups", []):
        if Group.objects.filter(uuid=group_uuid).exists():
            g = Group.objects.get(uuid=group_uuid)
            g.user_member.add(u)

    # EDIT END

    return redirect(s.SERVER_URL)  # Handle errors