"""
Environment variable validation on startup.
Ensures required configuration is present and valid.
"""

import os
from typing import Dict, List, Tuple, Optional
from flask import current_app


class EnvValidationError(Exception):
    """Raised when environment validation fails"""

    pass


def validate_required_env_vars(required_vars: List[str], raise_on_error: bool = True) -> Tuple[bool, List[str]]:
    """
    Validate that required environment variables are set.

    Args:
        required_vars: List of required environment variable names
        raise_on_error: If True, raise EnvValidationError on failure

    Returns:
        Tuple of (is_valid, missing_vars)
    """
    missing = []
    for var in required_vars:
        value = os.getenv(var)
        if not value or value.strip() == "":
            missing.append(var)

    if missing and raise_on_error:
        raise EnvValidationError(f"Missing required environment variables: {', '.join(missing)}")

    return len(missing) == 0, missing


def validate_secret_key() -> bool:
    """
    Validate that SECRET_KEY is set and secure.

    Returns:
        True if valid, False otherwise
    """
    secret_key = os.getenv("SECRET_KEY", "")
    placeholder_values = {"dev-secret-key-change-in-production", "your-secret-key-change-this", "your-secret-key-here"}

    if not secret_key:
        return False

    if secret_key in placeholder_values:
        return False

    if len(secret_key) < 32:
        return False

    return True


def validate_database_url() -> bool:
    """
    Validate that DATABASE_URL is set and valid.

    Returns:
        True if valid, False otherwise
    """
    database_url = os.getenv("DATABASE_URL", "")

    if not database_url:
        # Check for PostgreSQL env vars
        if all([os.getenv("POSTGRES_DB"), os.getenv("POSTGRES_USER"), os.getenv("POSTGRES_PASSWORD")]):
            return True
        return False

    # Basic validation - check for known database schemes
    valid_schemes = ["postgresql", "postgresql+psycopg2", "sqlite"]
    if not any(database_url.startswith(scheme) for scheme in valid_schemes):
        return False

    return True


def validate_production_config() -> Tuple[bool, List[str]]:
    """
    Validate production configuration requirements.

    Returns:
        Tuple of (is_valid, issues)
    """
    issues = []

    # Check SECRET_KEY
    if not validate_secret_key():
        issues.append("SECRET_KEY must be set and at least 32 characters long")

    # Check database
    if not validate_database_url():
        issues.append("DATABASE_URL or PostgreSQL environment variables must be set")

    # Check HTTPS settings in production
    flask_env = os.getenv("FLASK_ENV", "production")
    if flask_env == "production":
        session_secure = os.getenv("SESSION_COOKIE_SECURE", "false").lower() == "true"
        if not session_secure:
            issues.append("SESSION_COOKIE_SECURE should be true in production")

    return len(issues) == 0, issues


def validate_optional_env_vars() -> Dict[str, bool]:
    """
    Validate optional environment variables and return their status.

    Returns:
        Dict mapping env var names to their validation status
    """
    optional_vars = {
        "TZ": lambda v: bool(v),
        "CURRENCY": lambda v: bool(v),
        "OIDC_ISSUER": lambda v: bool(v) if os.getenv("AUTH_METHOD", "").lower() in ("oidc", "both") else True,
        "OIDC_CLIENT_ID": lambda v: bool(v) if os.getenv("AUTH_METHOD", "").lower() in ("oidc", "both") else True,
        "OIDC_CLIENT_SECRET": lambda v: bool(v) if os.getenv("AUTH_METHOD", "").lower() in ("oidc", "both") else True,
    }

    results = {}
    for var, validator in optional_vars.items():
        value = os.getenv(var, "")
        results[var] = validator(value)

    return results


def validate_all(raise_on_error: bool = False) -> Tuple[bool, Dict[str, any]]:
    """
    Validate all environment configuration.

    Args:
        raise_on_error: If True, raise EnvValidationError on critical failures

    Returns:
        Tuple of (is_valid, validation_results)
    """
    results = {"required": {}, "optional": {}, "production": {}, "warnings": []}

    # Required vars (minimal set)
    required_vars = []  # Most vars have defaults, but SECRET_KEY is critical in production
    is_production = os.getenv("FLASK_ENV", "production") == "production"

    if is_production:
        required_vars = ["SECRET_KEY"]

    is_valid, missing = validate_required_env_vars(required_vars, raise_on_error=False)
    results["required"] = {"valid": is_valid, "missing": missing}

    # Secret key validation
    secret_valid = validate_secret_key()
    if not secret_valid and is_production:
        results["warnings"].append("SECRET_KEY is not secure for production")

    # Database validation
    db_valid = validate_database_url()
    results["required"]["database_valid"] = db_valid

    # Production config validation
    prod_valid, prod_issues = validate_production_config()
    results["production"] = {"valid": prod_valid, "issues": prod_issues}

    # Optional vars
    results["optional"] = validate_optional_env_vars()

    # Overall validity
    overall_valid = is_valid and db_valid and (not is_production or prod_valid)

    if not overall_valid and raise_on_error:
        error_msg = "Environment validation failed:\n"
        if missing:
            error_msg += f"  Missing: {', '.join(missing)}\n"
        if not db_valid:
            error_msg += "  Database configuration invalid\n"
        if prod_issues:
            error_msg += f"  Production issues: {', '.join(prod_issues)}\n"
        raise EnvValidationError(error_msg.strip())

    return overall_valid, results