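/**
 * IAM (Identity and Access Management) API
 * Role and permission management API.
 *
 * These are thin HTTP wrappers: no authorization is checked in this module, so every
 * endpoint called here must enforce access control on the server.
 */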

import apiClient from '@/lib/api-client';

// ============================================
// Types
// ============================================

/**
 * A permission record, the element type of the permission list endpoints in this file.
 * Compile-time shape only: nothing in this module validates a response against it.
 */
export interface Permission {
  id: string;
  // `resource` and `action` together name the permission; the allowed values are
  // defined by the backend and are not visible here.
  resource: string;
  action: string;
  description: string;
  module?: string;
  // presumably marks system-defined permissions — confirm against the backend
  isBuiltIn: boolean;
  // Timestamps arrive as strings; the exact format is not visible here.
  createdAt: string;
  updatedAt: string;
}

/**
 * Permissions bundled under one resource, the element type returned by
 * `getPermissionsGrouped`.
 */
export interface PermissionGroup {
  resource: string;
  // presumably a display label for `resource` — confirm against the backend
  resourceName: string;
  module?: string;
  permissions: Permission[];
}

/**
 * Summary view of a system role, as typed for the role list and mutation endpoints.
 * Compile-time shape only: responses are not validated against it at runtime.
 */
export interface Role {
  id: string;
  name: string;
  code: string;
  description?: string;
  // presumably marks system-defined roles — confirm whether the backend refuses
  // to modify or delete them; this module does not check the flag
  isBuiltIn: boolean;
  // Counts supplied by the backend alongside the role.
  userCount: number;
  permissionCount: number;
  createdAt: string;
  updatedAt: string;
}

/**
 * A role together with its permissions and its member users; the return type of
 * `getRoleById`.
 */
export interface RoleDetail extends Role {
  permissions: Permission[];
  // Carries the full `User` shape (email, employeeId, …) for every member.
  users: User[];
}

/**
 * A workflow role: a named rule (`ruleType` + `ruleConfig`) plus optional usage counts.
 * Compile-time shape only: responses are not validated against it at runtime.
 */
export interface WorkflowRole {
  id: string;
  name: string;
  code: string;
  description?: string;
  // Closed set of rule kinds. The meaning of each value is defined by the backend.
  // NOTE(review): `DYNAMIC_SCRIPT` suggests `ruleConfig` may carry script content that
  // is evaluated elsewhere — confirm the backend validates and restricts it.
  ruleType: 'ORGANIZATION_RELATION' | 'SYSTEM_ROLE_MAPPING' | 'FIXED_USERS' | 'DYNAMIC_SCRIPT';
  // `any` values switch off type checking for everything read from this object;
  // narrow each field before use.
  ruleConfig: Record<string, any>;
  userCount?: number;
  workflowCount?: number;
  createdAt: string;
  updatedAt: string;
}

/**
 * A workflow role plus its optional list of user assignments; the return type of
 * `getWorkflowRoleById`.
 */
export interface WorkflowRoleDetail extends WorkflowRole {
  // Each entry pairs an assignment id with the assigned user.
  userAssignments?: Array<{
    id: string;
    user: User;
  }>;
}

/**
 * User record as embedded in role and workflow-role responses.
 * Includes personal data (`email`, `employeeId`), so treat lists of this type
 * accordingly when logging or caching them.
 */
export interface User {
  id: string;
  username: string;
  displayName: string;
  email: string;
  avatar?: string;
  // Free-form string here; the set of status values is not visible in this file.
  status?: string;
  employeeId?: string;
  departmentId?: string;
  // May be absent or explicitly null.
  department?: {
    id: string;
    name: string;
  } | null;
  positionId?: string;
  // May be absent or explicitly null.
  position?: {
    id: string;
    title: string;
  } | null;
}

/**
 * Request body for `createRole`.
 */
export interface CreateRoleDto {
  name: string;
  code: string;
  description?: string;
  // Optional initial permission ids, sent to the backend as-is.
  permissionIds?: string[];
}

/**
 * Request body for `updateRole`; every field is optional.
 */
export interface UpdateRoleDto {
  name?: string;
  code?: string;
  description?: string;
  // NOTE(review): whether this replaces or extends the role's current permission
  // set is decided by the backend — confirm before relying on it.
  permissionIds?: string[];
}

/**
 * Request body for `createWorkflowRole`.
 */
export interface CreateWorkflowRoleDto {
  name: string;
  code: string;
  description?: string;
  // Plain `string` here, unlike the literal union on `WorkflowRole.ruleType`, so an
  // unknown rule type is not caught at compile time.
  ruleType: string;
  // Untyped payload (`any` values); its contents are forwarded without validation
  // by this module.
  ruleConfig: Record<string, any>;
}

/**
 * Request body for `updateWorkflowRole`; every field is optional.
 */
export interface UpdateWorkflowRoleDto {
  name?: string;
  code?: string;
  description?: string;
  // Plain `string` here, unlike the literal union on `WorkflowRole.ruleType`.
  ruleType?: string;
  // Untyped payload (`any` values); forwarded without validation by this module.
  ruleConfig?: Record<string, any>;
}

/**
 * Response type of `assignPermissionsToRole`.
 */
export interface AssignPermissionsResponse {
  roleId: string;
  assignedCount: number;
  // presumably the role's permissions after the call — confirm against the backend
  permissions: Permission[];
}

/**
 * Response type of `addUsersToRole`.
 */
export interface AssignUsersResponse {
  roleId: string;
  addedCount: number;
  // presumably the role's members after the call — confirm against the backend
  users: User[];
}

// ============================================
// Permissions API
// ============================================

/**
 * List all permissions, optionally filtered by a search term.
 *
 * @param search - Optional filter; not sent when undefined or empty.
 * @returns The result of `GET /permissions`, typed as `Permission[]`.
 */
export async function getPermissions(search?: string): Promise<Permission[]> {
  // A falsy search (undefined or '') results in an empty params object.
  if (!search) {
    return apiClient.get('/permissions', { params: {} });
  }
  return apiClient.get('/permissions', { params: { search } });
}

/**
 * List permissions grouped by resource, optionally filtered by a search term.
 *
 * @param search - Optional filter; not sent when undefined or empty.
 * @returns The result of `GET /permissions/grouped`, typed as `PermissionGroup[]`.
 */
export async function getPermissionsGrouped(search?: string): Promise<PermissionGroup[]> {
  const query: { search?: string } = {};
  if (search) {
    query.search = search;
  }
  return apiClient.get('/permissions/grouped', { params: query });
}

/**
 * Search permissions.
 *
 * @param query - Search text, passed as the `query` parameter (sent even when empty).
 * @returns The result of `GET /permissions/search`, typed as `Permission[]`.
 */
export async function searchPermissions(query: string): Promise<Permission[]> {
  const params = { query };
  return apiClient.get('/permissions/search', { params });
}

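/**
 * Fetch one permission by id.
 *
 * @param id - Permission id. It is percent-encoded before being placed in the path so
 *   that characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 *   `.` and `..` pass through `encodeURIComponent` unchanged.
 * @returns The result of `GET /permissions/{id}`, typed as `Permission`.
 */
export async function getPermissionById(id: string): Promise<Permission> {
  return apiClient.get(`/permissions/${encodeURIComponent(id)}`);
}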

// ============================================
// Roles API
// ============================================

/**
 * List all system roles, optionally filtered by a search term.
 *
 * @param search - Optional filter; not sent when undefined or empty.
 * @returns The result of `GET /roles`, typed as `Role[]`.
 */
export async function getRoles(search?: string): Promise<Role[]> {
  return apiClient.get('/roles', { params: search ? { search } : {} });
}

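/**
 * Fetch one role with its permissions and users.
 *
 * @param id - Role id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 *   `.` and `..` pass through `encodeURIComponent` unchanged.
 * @returns The result of `GET /roles/{id}`, typed as `RoleDetail`.
 */
export async function getRoleById(id: string): Promise<RoleDetail> {
  return apiClient.get(`/roles/${encodeURIComponent(id)}`);
}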

/**
 * Create a role.
 *
 * No authorization or input validation happens here; the body is posted as given.
 *
 * @param data - Role fields, optionally with initial permission ids.
 * @returns The result of `POST /roles`, typed as `Role`.
 */
export async function createRole(data: CreateRoleDto): Promise<Role> {
  const endpoint = '/roles';
  return apiClient.post(endpoint, data);
}

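/**
 * Update a role.
 *
 * No authorization check happens here; the backend must decide whether the caller
 * may change this role.
 *
 * @param id - Role id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @param data - Fields to change.
 * @returns The result of `PUT /roles/{id}`, typed as `Role`.
 */
export async function updateRole(id: string, data: UpdateRoleDto): Promise<Role> {
  return apiClient.put(`/roles/${encodeURIComponent(id)}`, data);
}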

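/**
 * Delete a role.
 *
 * No authorization check happens here, and `isBuiltIn` is not consulted; the backend
 * must decide whether the role may be deleted.
 *
 * @param id - Role id. It is percent-encoded before being placed in the path so that a
 *   value containing `/`, `?` or `#` cannot turn this DELETE into a request for a
 *   different resource. `.` and `..` pass through `encodeURIComponent` unchanged.
 */
export async function deleteRole(id: string): Promise<void> {
  return apiClient.delete(`/roles/${encodeURIComponent(id)}`);
}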

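/**
 * List the permissions attached to a role.
 *
 * @param roleId - Role id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @returns The result of `GET /roles/{roleId}/permissions`, typed as `Permission[]`.
 */
export async function getRolePermissions(roleId: string): Promise<Permission[]> {
  return apiClient.get(`/roles/${encodeURIComponent(roleId)}/permissions`);
}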

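/**
 * Assign permissions to a role.
 *
 * This is a privilege-changing call and no authorization check happens here.
 * Whether the given ids replace or extend the role's current set is decided by the
 * backend and is not visible in this module.
 *
 * @param roleId - Role id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @param permissionIds - Permission ids, sent in the body as `{ permissionIds }`.
 * @returns The result of `POST /roles/{roleId}/permissions`.
 */
export async function assignPermissionsToRole(
  roleId: string,
  permissionIds: string[]
): Promise<AssignPermissionsResponse> {
  return apiClient.post(`/roles/${encodeURIComponent(roleId)}/permissions`, { permissionIds });
}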

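/**
 * List the users that hold a role.
 *
 * @param roleId - Role id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @returns The result of `GET /roles/{roleId}/users`, typed as `User[]`.
 */
export async function getRoleUsers(roleId: string): Promise<User[]> {
  return apiClient.get(`/roles/${encodeURIComponent(roleId)}/users`);
}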

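/**
 * Add users to a role.
 *
 * This is a privilege-changing call and no authorization check happens here; the
 * backend must decide whether the caller may grant this role.
 *
 * @param roleId - Role id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @param userIds - User ids, sent in the body as `{ userIds }`.
 * @returns The result of `POST /roles/{roleId}/users`.
 */
export async function addUsersToRole(
  roleId: string,
  userIds: string[]
): Promise<AssignUsersResponse> {
  return apiClient.post(`/roles/${encodeURIComponent(roleId)}/users`, { userIds });
}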

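/**
 * Remove one user from a role.
 *
 * No authorization check happens here.
 *
 * @param roleId - Role id.
 * @param userId - User id.
 *   Both ids are percent-encoded separately, so a `/`, `?` or `#` inside either value
 *   cannot shift the path segments and make this DELETE address a different resource.
 */
export async function removeUserFromRole(roleId: string, userId: string): Promise<void> {
  const rolePart = encodeURIComponent(roleId);
  const userPart = encodeURIComponent(userId);
  return apiClient.delete(`/roles/${rolePart}/users/${userPart}`);
}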

// ============================================
// Workflow Roles API
// ============================================

/**
 * List all workflow roles, optionally filtered.
 *
 * @param search - Optional search text; not sent when undefined or empty.
 * @param ruleType - Optional rule-type filter; not sent when undefined or empty.
 * @returns The result of `GET /workflow-roles`, typed as `WorkflowRole[]`.
 */
export async function getWorkflowRoles(search?: string, ruleType?: string): Promise<WorkflowRole[]> {
  // Only truthy filters become query parameters.
  const params: Record<string, string> = {
    ...(search ? { search } : {}),
    ...(ruleType ? { ruleType } : {}),
  };
  return apiClient.get('/workflow-roles', { params });
}

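/**
 * Fetch one workflow role with its user assignments.
 *
 * @param id - Workflow role id. It is percent-encoded before being placed in the path so
 *   that characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @returns The result of `GET /workflow-roles/{id}`, typed as `WorkflowRoleDetail`.
 */
export async function getWorkflowRoleById(id: string): Promise<WorkflowRoleDetail> {
  return apiClient.get(`/workflow-roles/${encodeURIComponent(id)}`);
}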

/**
 * Create a workflow role.
 *
 * The body, including the untyped `ruleConfig`, is posted as given; nothing is
 * validated here.
 * NOTE(review): with `ruleType` values such as `DYNAMIC_SCRIPT`, `ruleConfig` may carry
 * script content — confirm the backend validates and restricts it.
 *
 * @param data - Workflow role fields and rule definition.
 * @returns The result of `POST /workflow-roles`, typed as `WorkflowRole`.
 */
export async function createWorkflowRole(data: CreateWorkflowRoleDto): Promise<WorkflowRole> {
  const endpoint = '/workflow-roles';
  return apiClient.post(endpoint, data);
}

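/**
 * Update a workflow role.
 *
 * No authorization or validation happens here; `data` (including any `ruleConfig`)
 * is sent as given.
 *
 * @param id - Workflow role id. It is percent-encoded before being placed in the path so
 *   that characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @param data - Fields to change.
 * @returns The result of `PUT /workflow-roles/{id}`, typed as `WorkflowRole`.
 */
export async function updateWorkflowRole(id: string, data: UpdateWorkflowRoleDto): Promise<WorkflowRole> {
  return apiClient.put(`/workflow-roles/${encodeURIComponent(id)}`, data);
}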

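/**
 * Delete a workflow role.
 *
 * No authorization check happens here.
 *
 * @param id - Workflow role id. It is percent-encoded before being placed in the path so
 *   that a value containing `/`, `?` or `#` cannot turn this DELETE into a request for a
 *   different resource. `.` and `..` pass through `encodeURIComponent` unchanged.
 */
export async function deleteWorkflowRole(id: string): Promise<void> {
  return apiClient.delete(`/workflow-roles/${encodeURIComponent(id)}`);
}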

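/**
 * List the users of a workflow role.
 *
 * @param workflowRoleId - Workflow role id. It is percent-encoded before being placed in
 *   the path so that characters such as `/`, `?` or `#` cannot point the request at
 *   another endpoint.
 * @returns The result of `GET /workflow-roles/{workflowRoleId}/users`, typed as `User[]`.
 */
export async function getWorkflowRoleUsers(workflowRoleId: string): Promise<User[]> {
  return apiClient.get(`/workflow-roles/${encodeURIComponent(workflowRoleId)}/users`);
}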

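/**
 * Assign users to a workflow role (FIXED_USERS type only).
 *
 * The rule type is not checked here, and neither is authorization; both are left to
 * the backend.
 *
 * @param workflowRoleId - Workflow role id. It is percent-encoded before being placed in
 *   the path so that characters such as `/`, `?` or `#` cannot point the request at
 *   another endpoint.
 * @param userIds - User ids, sent in the body as `{ userIds }`.
 * @returns The result of `POST /workflow-roles/{workflowRoleId}/users`, typed as
 *   `WorkflowRole`.
 */
export async function assignUsersToWorkflowRole(
  workflowRoleId: string,
  userIds: string[]
): Promise<WorkflowRole> {
  return apiClient.post(`/workflow-roles/${encodeURIComponent(workflowRoleId)}/users`, { userIds });
}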

// ============================================
// User Roles API
// ============================================

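/**
 * List the roles held by a user.
 *
 * @param userId - User id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @returns The result of `GET /users/{userId}/roles`, typed as `Role[]`.
 */
export async function getUserRoles(userId: string): Promise<Role[]> {
  return apiClient.get(`/users/${encodeURIComponent(userId)}/roles`);
}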

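/**
 * List the permissions of a user.
 *
 * The list is for display only: nothing here enforces it, and the backend remains
 * the authority on what the user may do.
 *
 * @param userId - User id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @returns The result of `GET /users/{userId}/permissions`, typed as `Permission[]`.
 */
export async function getUserPermissions(userId: string): Promise<Permission[]> {
  return apiClient.get(`/users/${encodeURIComponent(userId)}/permissions`);
}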

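/**
 * Assign roles to a user.
 *
 * This is a privilege-changing call and no authorization check happens here; the
 * backend must decide whether the caller may grant these roles. Whether the given
 * ids replace or extend the user's current roles is not visible in this module.
 *
 * @param userId - User id. It is percent-encoded before being placed in the path so that
 *   characters such as `/`, `?` or `#` cannot point the request at another endpoint.
 * @param roleIds - Role ids, sent in the body as `{ roleIds }`.
 * @returns The result of `POST /users/{userId}/roles`, typed as `Role[]`.
 */
export async function assignRolesToUser(userId: string, roleIds: string[]): Promise<Role[]> {
  return apiClient.post(`/users/${encodeURIComponent(userId)}/roles`, { roleIds });
}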

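/**
 * Remove one role from a user.
 *
 * No authorization check happens here.
 *
 * @param userId - User id.
 * @param roleId - Role id.
 *   Both ids are percent-encoded separately, so a `/`, `?` or `#` inside either value
 *   cannot shift the path segments and make this DELETE address a different resource.
 */
export async function removeRoleFromUser(userId: string, roleId: string): Promise<void> {
  const userPart = encodeURIComponent(userId);
  const rolePart = encodeURIComponent(roleId);
  return apiClient.delete(`/users/${userPart}/roles/${rolePart}`);
}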

