/**
 * Admin Role-Based Access Control (RBAC) System
 * Defines roles, permissions, and access levels for admin sections
 */

// The closed set of admin role identifiers. This union exists only at compile
// time: a role string read at runtime (session, token, database row) is not
// checked against it, so callers must validate such a value before trusting it.
export type AdminRole = 'super_admin' | 'admin' | 'moderator' | 'finance_team' | 'developer' | 'support_lead';

// One grantable capability, identified by its (action, resource) pair.
export interface Permission {
  // Verb half of the pair, e.g. 'view' or 'refund'.
  action: string;
  // Noun half of the pair, e.g. 'game' or 'payment'.
  resource: string;
  // Human-readable label; the permission checks in this file never compare it.
  description: string;
}

// Everything this module records about a single role.
export interface AdminRoleDefinition {
  // Identifier of the role; in ADMIN_ROLES it repeats the entry's own key.
  role: AdminRole;
  // Label intended for display (returned by getRoleDisplayName).
  displayName: string;
  // Free-text summary of the role; not consulted by any check in this file.
  description: string;
  // Capabilities granted to the role (consulted by hasPermission / canPerformAction).
  permissions: Permission[];
  // Admin section identifiers the role may open (consulted by canAccessSection).
  // Kept separately from `permissions`; this file does not link the two lists.
  canAccessSections: string[];
}

/**
 * Catalogue of every permission the admin area knows about, keyed by a
 * symbolic name and grouped by resource.
 *
 * Each entry is an (action, resource) pair plus a description. The checks in
 * this file (hasPermission, canPerformAction) compare the action and resource
 * strings, not the key or the object identity.
 *
 * This is a plain exported object: it is neither frozen nor declared
 * `as const`, so any importing module can mutate it at runtime.
 * NOTE(review): confirm nothing relies on that before freezing it.
 */
export const PERMISSIONS = {
  // Game Management
  GAME_VIEW: { action: 'view', resource: 'game', description: 'View games' },
  GAME_CREATE: { action: 'create', resource: 'game', description: 'Create new games' },
  GAME_EDIT: { action: 'edit', resource: 'game', description: 'Edit games' },
  GAME_DELETE: { action: 'delete', resource: 'game', description: 'Delete games' },
  GAME_APPROVE: { action: 'approve', resource: 'game', description: 'Approve/reject games' },

  // User Management
  USER_VIEW: { action: 'view', resource: 'user', description: 'View users' },
  USER_EDIT: { action: 'edit', resource: 'user', description: 'Edit user profiles' },
  USER_BAN: { action: 'ban', resource: 'user', description: 'Ban/unban users' },
  USER_DELETE: { action: 'delete', resource: 'user', description: 'Delete user accounts' },

  // Payment Management
  PAYMENT_VIEW: { action: 'view', resource: 'payment', description: 'View payments' },
  PAYMENT_PROCESS: { action: 'process', resource: 'payment', description: 'Process payments' },
  PAYMENT_REFUND: { action: 'refund', resource: 'payment', description: 'Refund payments' },

  // KYC Management
  KYC_VIEW: { action: 'view', resource: 'kyc', description: 'View KYC submissions' },
  KYC_APPROVE: { action: 'approve', resource: 'kyc', description: 'Approve/reject KYC' },

  // Campaign Management
  CAMPAIGN_VIEW: { action: 'view', resource: 'campaign', description: 'View campaigns' },
  CAMPAIGN_CREATE: { action: 'create', resource: 'campaign', description: 'Create campaigns' },
  CAMPAIGN_LAUNCH: { action: 'launch', resource: 'campaign', description: 'Launch campaigns' },

  // Fraud Management
  FRAUD_VIEW: { action: 'view', resource: 'fraud', description: 'View fraud cases' },
  FRAUD_INVESTIGATE: { action: 'investigate', resource: 'fraud', description: 'Investigate fraud' },

  // System Management
  SYSTEM_VIEW: { action: 'view', resource: 'system', description: 'View system settings' },
  SYSTEM_EDIT: { action: 'edit', resource: 'system', description: 'Edit system settings' },
  SYSTEM_DEPLOY: { action: 'deploy', resource: 'system', description: 'Deploy updates' },

  // Audit
  AUDIT_VIEW: { action: 'view', resource: 'audit', description: 'View audit logs' },
  AUDIT_EXPORT: { action: 'export', resource: 'audit', description: 'Export audit logs' },

  // Analytics
  ANALYTICS_VIEW: { action: 'view', resource: 'analytics', description: 'View analytics' },
  ANALYTICS_EXPORT: { action: 'export', resource: 'analytics', description: 'Export analytics' }
};

/**
 * The role table: for each AdminRole, its display metadata, the permissions
 * it is granted and the admin sections it may open.
 *
 * Each role carries two independent lists. `permissions` references entries
 * of PERMISSIONS; `canAccessSections` holds section identifier strings.
 * Nothing in this file ties a section to the permissions needed inside it, so
 * the two lists have to be kept in step by hand.
 * NOTE(review): treat section access as a navigation gate and enforce the
 * permission itself wherever the action is carried out.
 *
 * Like PERMISSIONS, this object is a plain mutable export (not frozen).
 */
export const ADMIN_ROLES: Record<AdminRole, AdminRoleDefinition> = {
  super_admin: {
    role: 'super_admin',
    displayName: 'Super Admin',
    description: 'Full system access with all permissions',
    // Computed from the catalogue, so any permission later added to
    // PERMISSIONS is granted to super_admin automatically.
    permissions: Object.values(PERMISSIONS),
    // The only role in this table that lists 'settings' and 'ai-employees'.
    canAccessSections: [
      'overview',
      'games-manager',
      'game-analytics',
      'promo-banners',
      'make-it-rain',
      'gold-coin-store',
      'payments-banking',
      'cashapp-payments',
      'users',
      'kyc-review',
      'bulk-actions',
      'ai-employees',
      'email-campaigns',
      'alert-preferences',
      'audit-logs',
      'settings',
      'activity-dashboard',
      'fraud-detection'
    ]
  },

  admin: {
    role: 'admin',
    displayName: 'Administrator',
    description: 'Full access to most admin sections except system settings',
    // Not granted: GAME_DELETE, USER_DELETE, PAYMENT_REFUND, FRAUD_INVESTIGATE,
    // any SYSTEM_* permission, AUDIT_EXPORT, ANALYTICS_EXPORT.
    // NOTE(review): the role can both create/edit and approve games, and it
    // lacks FRAUD_INVESTIGATE although moderator has it - confirm both are intended.
    permissions: [
      PERMISSIONS.GAME_VIEW,
      PERMISSIONS.GAME_CREATE,
      PERMISSIONS.GAME_EDIT,
      PERMISSIONS.GAME_APPROVE,
      PERMISSIONS.USER_VIEW,
      PERMISSIONS.USER_EDIT,
      PERMISSIONS.USER_BAN,
      PERMISSIONS.PAYMENT_VIEW,
      PERMISSIONS.PAYMENT_PROCESS,
      PERMISSIONS.KYC_VIEW,
      PERMISSIONS.KYC_APPROVE,
      PERMISSIONS.CAMPAIGN_VIEW,
      PERMISSIONS.CAMPAIGN_CREATE,
      PERMISSIONS.CAMPAIGN_LAUNCH,
      PERMISSIONS.FRAUD_VIEW,
      PERMISSIONS.AUDIT_VIEW,
      PERMISSIONS.ANALYTICS_VIEW
    ],
    canAccessSections: [
      'overview',
      'games-manager',
      'game-analytics',
      'promo-banners',
      'make-it-rain',
      'gold-coin-store',
      'payments-banking',
      'users',
      'kyc-review',
      'bulk-actions',
      'email-campaigns',
      'audit-logs',
      'activity-dashboard',
      'fraud-detection'
    ]
  },

  moderator: {
    role: 'moderator',
    displayName: 'Moderator',
    description: 'User and content moderation access',
    // Read-only on games; may edit and ban users but not delete them.
    permissions: [
      PERMISSIONS.GAME_VIEW,
      PERMISSIONS.USER_VIEW,
      PERMISSIONS.USER_EDIT,
      PERMISSIONS.USER_BAN,
      PERMISSIONS.FRAUD_VIEW,
      PERMISSIONS.FRAUD_INVESTIGATE,
      PERMISSIONS.AUDIT_VIEW
    ],
    canAccessSections: [
      'overview',
      'users',
      'fraud-detection',
      'audit-logs',
      'activity-dashboard'
    ]
  },

  finance_team: {
    role: 'finance_team',
    displayName: 'Finance Team',
    description: 'Payment and financial management access',
    // The only role besides super_admin that holds PAYMENT_REFUND.
    // NOTE(review): payment processing, refunds and KYC approval sit in one
    // role - confirm this matches the intended separation of duties.
    permissions: [
      PERMISSIONS.PAYMENT_VIEW,
      PERMISSIONS.PAYMENT_PROCESS,
      PERMISSIONS.PAYMENT_REFUND,
      PERMISSIONS.KYC_VIEW,
      PERMISSIONS.KYC_APPROVE,
      PERMISSIONS.ANALYTICS_VIEW,
      PERMISSIONS.ANALYTICS_EXPORT,
      PERMISSIONS.AUDIT_VIEW
    ],
    canAccessSections: [
      'overview',
      'payments-banking',
      'cashapp-payments',
      'kyc-review',
      'make-it-rain',
      'audit-logs',
      'activity-dashboard'
    ]
  },

  developer: {
    role: 'developer',
    displayName: 'Developer',
    description: 'Game development and deployment access',
    // May view system settings and deploy, but holds neither SYSTEM_EDIT nor
    // GAME_APPROVE, and the 'settings' section is not in its section list.
    permissions: [
      PERMISSIONS.GAME_VIEW,
      PERMISSIONS.GAME_CREATE,
      PERMISSIONS.GAME_EDIT,
      PERMISSIONS.SYSTEM_VIEW,
      PERMISSIONS.SYSTEM_DEPLOY,
      PERMISSIONS.ANALYTICS_VIEW,
      PERMISSIONS.AUDIT_VIEW
    ],
    canAccessSections: [
      'overview',
      'games-manager',
      'game-analytics',
      'promo-banners',
      'audit-logs',
      'activity-dashboard'
    ]
  },

  support_lead: {
    role: 'support_lead',
    displayName: 'Support Lead',
    description: 'Customer support and communication management',
    // May create campaigns but not launch them (no CAMPAIGN_LAUNCH).
    permissions: [
      PERMISSIONS.USER_VIEW,
      PERMISSIONS.USER_EDIT,
      PERMISSIONS.CAMPAIGN_VIEW,
      PERMISSIONS.CAMPAIGN_CREATE,
      PERMISSIONS.AUDIT_VIEW
    ],
    canAccessSections: [
      'overview',
      'users',
      'email-campaigns',
      'alert-preferences',
      'audit-logs',
      'activity-dashboard'
    ]
  }
};

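/**
 * Check whether a role has been granted a specific permission.
 *
 * The permission is matched by its (action, resource) pair; the description
 * and the object identity are ignored.
 *
 * @param role - Role to look up. The AdminRole type is erased at runtime, so
 *   this may be any string when it originates from a session or token.
 * @param permission - Permission to look for.
 * @returns `true` only when `role` is a key of ADMIN_ROLES and its permission
 *   list contains the pair; `false` for every other role value.
 */
export function hasPermission(role: AdminRole, permission: Permission): boolean {
  // Own-property test rather than a truthiness test on ADMIN_ROLES[role]:
  // names inherited from Object.prototype ('constructor', 'toString',
  // '__proto__') index to truthy values, which slipped past the old guard and
  // threw on `.permissions.some`. Such roles are now denied.
  if (!Object.prototype.hasOwnProperty.call(ADMIN_ROLES, role)) return false;

  return ADMIN_ROLES[role].permissions.some(
    (granted) => granted.action === permission.action && granted.resource === permission.resource
  );
}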

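/**
 * Check whether a role may open a given admin section.
 *
 * This consults only the role's `canAccessSections` list. It says nothing
 * about the permissions needed for actions inside the section; those are
 * checked separately (hasPermission / canPerformAction).
 *
 * @param role - Role to look up; may be an arbitrary string at runtime.
 * @param section - Section identifier, compared by exact string equality.
 * @returns `true` only when `role` is a key of ADMIN_ROLES and `section` is in
 *   its list; `false` otherwise.
 */
export function canAccessSection(role: AdminRole, section: string): boolean {
  // Deny any role that is not an own key of the table. Inherited names such as
  // 'constructor' index to truthy values, so the previous `!roleDefinition`
  // guard let them through and `.canAccessSections.includes` then threw.
  if (!Object.prototype.hasOwnProperty.call(ADMIN_ROLES, role)) return false;

  return ADMIN_ROLES[role].canAccessSections.includes(section);
}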

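/**
 * Get the section identifiers a role may open.
 *
 * @param role - Role to look up; may be an arbitrary string at runtime.
 * @returns A fresh array of the role's sections, or an empty array when
 *   `role` is not a key of ADMIN_ROLES.
 */
export function getAccessibleSections(role: AdminRole): string[] {
  if (!Object.prototype.hasOwnProperty.call(ADMIN_ROLES, role)) return [];

  // Return a copy: handing out the table's own array would let a caller's
  // push/splice change what canAccessSection answers for this role.
  return [...ADMIN_ROLES[role].canAccessSections];
}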

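/**
 * Get the permissions granted to a role.
 *
 * @param role - Role to look up; may be an arbitrary string at runtime.
 * @returns A fresh array of the role's permissions, or an empty array when
 *   `role` is not a key of ADMIN_ROLES. The elements are the same Permission
 *   objects held in the role table (identity comparisons against PERMISSIONS
 *   entries keep working), so they must be treated as read-only.
 */
export function getRolePermissions(role: AdminRole): Permission[] {
  if (!Object.prototype.hasOwnProperty.call(ADMIN_ROLES, role)) return [];

  // Copy the array so a caller cannot add or remove grants in the role table
  // by mutating the returned list.
  return [...ADMIN_ROLES[role].permissions];
}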

/**
 * Resolve the label shown for a role.
 *
 * @param role - Role to look up.
 * @returns The role's `displayName` from ADMIN_ROLES. When no non-empty
 *   display name is found, the `role` argument itself is returned unchanged,
 *   so a caller that renders the result should treat it as untrusted text if
 *   the role value came from outside the application.
 */
export function getRoleDisplayName(role: AdminRole): string {
  const label = ADMIN_ROLES[role]?.displayName;
  return label ? label : role;
}

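/**
 * Check whether a role may perform an action on a resource.
 *
 * Same test as hasPermission, but taking the (action, resource) pair as two
 * strings. Both are compared by exact equality, so a pair that does not exist
 * in PERMISSIONS (for example a misspelt action) simply yields `false`.
 *
 * @param role - Role to look up; may be an arbitrary string at runtime.
 * @param action - Action name, e.g. 'view' or 'refund'.
 * @param resource - Resource name, e.g. 'game' or 'payment'.
 * @returns `true` only when `role` is a key of ADMIN_ROLES and its permission
 *   list contains the pair; `false` otherwise.
 */
export function canPerformAction(
  role: AdminRole,
  action: string,
  resource: string
): boolean {
  // Own-property test: inherited names such as 'constructor' or '__proto__'
  // index to truthy values, which passed the old `!roleDefinition` guard and
  // then threw on `.permissions.some`. They are denied here instead.
  if (!Object.prototype.hasOwnProperty.call(ADMIN_ROLES, role)) return false;

  return ADMIN_ROLES[role].permissions.some(
    (granted) => granted.action === action && granted.resource === resource
  );
}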

/**
 * List every role definition in the role table.
 *
 * @returns A new array in ADMIN_ROLES key order. The elements are the table's
 *   own definition objects, not copies, so changes made to them are visible to
 *   every other check in this module.
 */
export function getAllRoles(): AdminRoleDefinition[] {
  return Object.entries(ADMIN_ROLES).map(([, definition]) => definition);
}

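/**
 * Build a predicate that tests whether a user's role is one of the allowed roles.
 *
 * Despite the name, the returned function is a plain check: it takes a role
 * and returns a boolean, and reads no request or session itself. The caller is
 * responsible for passing a role obtained from a verified source.
 *
 * @param requiredRole - A single allowed role, or a list of allowed roles. An
 *   empty list allows nobody.
 * @returns A function returning `true` when the role it is given is in the
 *   allowed set.
 */
export function createRoleCheckMiddleware(
  requiredRole: AdminRole | AdminRole[]
): (userRole: AdminRole) => boolean {
  // Snapshot the allow-list when the check is created. The previous version
  // re-read the caller's array on every call, so mutating that array later
  // silently changed who passed the check.
  const allowedRoles = new Set<AdminRole>(
    Array.isArray(requiredRole) ? requiredRole : [requiredRole]
  );

  return (userRole: AdminRole) => allowedRoles.has(userRole);
}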

/**
 * Build a predicate that tests whether a role holds the given permission.
 *
 * The returned function is a plain check that delegates to hasPermission; it
 * reads no request or session itself. The permission object is captured by
 * reference rather than copied.
 *
 * @param permission - Permission every accepted role must hold.
 * @returns A function taking a role and returning hasPermission's answer.
 */
export function createPermissionCheckMiddleware(permission: Permission) {
  return (userRole: AdminRole) => hasPermission(userRole, permission);
}

/**
 * Build a predicate that tests whether a role may open the given section.
 *
 * The returned function is a plain check that delegates to canAccessSection;
 * it reads no request or session itself, and it answers for section access
 * only, not for the permissions used inside that section.
 *
 * @param section - Section identifier the check is bound to.
 * @returns A function taking a role and returning canAccessSection's answer.
 */
export function createSectionAccessMiddleware(section: string) {
  return (userRole: AdminRole) => canAccessSection(userRole, section);
}
