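"""
Contract test for GET /users endpoint.

This test MUST fail before implementation.
"""

import pytest
from django.test import TestCase
from django.urls import reverse
from rest_framework.test import APIClient
from rest_framework import status
import json


class UsersGetContractTest(TestCase):
    """Contract checks for the user listing endpoint.

    Covers authentication, pagination, search/role/status filters, the
    per-user payload shape, and tenant isolation of the returned rows.
    """

    def setUp(self):
        """Create the API client and the request headers shared by all tests."""
        self.client = APIClient()
        self.users_url = '/api/v1/users/'

        # NOTE(review): both bearer tokens are literal placeholders; nothing in
        # this file provisions matching users or tokens, so the authenticated
        # tests are expected to fail until fixtures and the endpoint exist.

        # Admin authentication header
        self.admin_auth = {'HTTP_AUTHORIZATION': 'Bearer admin_token'}

        # Regular (tenant-scoped) user authentication header; the tenant-admin
        # tests below reuse it as the tenant admin identity.
        self.user_auth = {'HTTP_AUTHORIZATION': 'Bearer user_token'}

    def test_get_users_success_admin(self):
        """Test successful retrieval of users list by admin."""
        response = self.client.get(
            self.users_url,
            **self.admin_auth
        )

        # This should fail before implementation
        assert response.status_code == status.HTTP_200_OK

        data = response.json()
        assert 'users' in data
        assert isinstance(data['users'], list)

        # Check pagination structure
        assert 'pagination' in data
        pagination = data['pagination']
        for key in ('page', 'limit', 'total', 'pages'):
            assert key in pagination

    def test_get_users_success_tenant_admin(self):
        """Test successful retrieval of users list by tenant admin."""
        response = self.client.get(
            self.users_url,
            **self.user_auth
        )

        # This should fail before implementation
        assert response.status_code == status.HTTP_200_OK

        data = response.json()
        assert 'users' in data
        assert isinstance(data['users'], list)

        # Tenant scoping of the returned rows is asserted in
        # test_get_users_tenant_isolation.

    def test_get_users_unauthorized(self):
        """Test users list retrieval without authentication."""
        response = self.client.get(self.users_url)

        assert response.status_code == status.HTTP_401_UNAUTHORIZED

    def test_get_users_with_pagination(self):
        """Test users list retrieval with pagination parameters."""
        params = {
            'page': 2,
            'limit': 10
        }

        response = self.client.get(
            self.users_url,
            data=params,
            **self.admin_auth
        )

        assert response.status_code == status.HTTP_200_OK

        data = response.json()
        assert data['pagination']['page'] == 2
        assert data['pagination']['limit'] == 10

    def test_get_users_with_search(self):
        """Test users list retrieval with search parameter."""
        params = {
            'search': 'john'
        }

        response = self.client.get(
            self.users_url,
            data=params,
            **self.admin_auth
        )

        assert response.status_code == status.HTTP_200_OK

        data = response.json()
        # All returned users should match search criteria
        for user in data['users']:
            assert 'john' in user['name'].lower() or 'john' in user['email'].lower()

    def test_get_users_filter_by_role(self):
        """Test users list retrieval filtered by role."""
        params = {
            'role': 'TENANT_ADMIN'
        }

        response = self.client.get(
            self.users_url,
            data=params,
            **self.admin_auth
        )

        assert response.status_code == status.HTTP_200_OK

        data = response.json()
        # All returned users should have the specified role
        for user in data['users']:
            assert user['role'] == 'TENANT_ADMIN'

    def test_get_users_filter_by_status(self):
        """Test users list retrieval filtered by status."""
        params = {
            'status': 'ACTIVE'
        }

        response = self.client.get(
            self.users_url,
            data=params,
            **self.admin_auth
        )

        assert response.status_code == status.HTTP_200_OK

        data = response.json()
        # All returned users should have the specified status
        for user in data['users']:
            assert user['status'] == 'ACTIVE'

    def test_get_users_tenant_isolation(self):
        """Test that tenant admin can only see users from their tenant."""
        response = self.client.get(
            self.users_url,
            **self.user_auth
        )

        # Assert the status instead of branching on it: a guarded body with no
        # assertions passes against an unimplemented endpoint and would also
        # pass against one that leaks other tenants' users.
        assert response.status_code == status.HTTP_200_OK

        data = response.json()
        tenant_ids = {user['tenant_id'] for user in data['users']}

        # A tenant-scoped listing must never span more than one tenant.
        # TODO(review): once fixtures exist, seed a user in a second tenant and
        # compare against the authenticated principal's tenant id so this
        # cannot pass on an empty or single-tenant dataset.
        assert len(tenant_ids) <= 1, (
            f"tenant-scoped listing returned users from multiple tenants: {sorted(tenant_ids)}"
        )

    def test_get_users_data_structure(self):
        """Test that user data structure matches the contract."""
        response = self.client.get(
            self.users_url,
            **self.admin_auth
        )

        # Assert the status rather than skipping silently on a non-200
        # response, so the test fails before implementation as the module
        # docstring requires.
        assert response.status_code == status.HTTP_200_OK

        # Required fields according to contract
        required_fields = [
            'id', 'email', 'name', 'role', 'status',
            'tenant_id', 'created_at', 'last_login'
        ]
        allowed_roles = ['SUPER_ADMIN', 'TENANT_ADMIN', 'MANAGER', 'STAFF', 'VIEWER']
        allowed_statuses = ['ACTIVE', 'INACTIVE', 'PENDING', 'SUSPENDED']

        # Validate every returned user, not only the first one.
        # NOTE(review): an empty list still passes this loop; fixtures should
        # guarantee at least one user.
        for user in response.json()['users']:
            for field in required_fields:
                assert field in user

            # Field types and enums
            assert isinstance(user['id'], str)
            assert isinstance(user['email'], str)
            assert isinstance(user['name'], str)
            assert user['role'] in allowed_roles
            assert user['status'] in allowed_statuses
            assert isinstance(user['tenant_id'], str)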