"""
Security Configuration for EPO-LAW
Loads environment variables from /etc/epo-law/.env
"""
import os
import stat
import warnings
from datetime import timedelta
from urllib.parse import quote

from dotenv import load_dotenv

# Load environment variables from secure location
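ENV_FILE = '/etc/epo-law/.env'

if not os.path.exists(ENV_FILE):
    raise RuntimeError(f"Critical: Environment file not found at {ENV_FILE}")

# The variables read below (SECRET_KEY, DB_PASSWORD, MAIL_PASSWORD, ...) are
# expected to come from this file, so any group/other permission bit exposes
# those secrets to every other local account. Warn rather than abort so an
# existing deployment keeps starting while the operator fixes the mode.
# The check is POSIX-specific; the path itself already assumes POSIX.
_env_mode = stat.S_IMODE(os.stat(ENV_FILE).st_mode)
if _env_mode & 0o077:
    warnings.warn(
        f"{ENV_FILE} is readable by group/other (mode {_env_mode:04o}); "
        "restrict it to the service account (e.g. chmod 0600)",
        RuntimeWarning,
    )
del _env_mode

# load_dotenv() does not override variables already present in the process
# environment, so container/systemd-provided values still take precedence.
load_dotenv(ENV_FILE)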

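class Config:
    """Base configuration with security-first defaults.

    Every value is read from the process environment (populated from ENV_FILE
    at import time). Required secrets raise RuntimeError while the class body
    runs, so the application never starts with missing or placeholder
    credentials. Flask's ``Config.from_object()`` copies only UPPERCASE
    attributes; the two parsing helpers below are deleted from the class
    namespace at the end of the body so they do not linger as methods.
    """

    def _env_bool(name, default='True'):
        """Return True when the variable is 'true' (any case, whitespace trimmed).

        Any other value, including an empty string, is False; ``default`` is
        the string used when the variable is absent.
        """
        return os.environ.get(name, default).strip().lower() == 'true'

    def _env_int(name, default):
        """Return the variable as int, naming it in the error when it does not parse.

        Raises:
            ValueError: the value is not an integer literal.
        """
        raw = os.environ.get(name, default)
        try:
            return int(raw)
        except (TypeError, ValueError) as exc:
            raise ValueError(f"{name} must be an integer, got {raw!r}") from exc

    # Flask Core Settings
    SECRET_KEY = os.environ.get('SECRET_KEY')
    if not SECRET_KEY or SECRET_KEY == 'CHANGE_ME_GENERATE_RANDOM_SECRET_KEY_HERE':
        raise RuntimeError("SECRET_KEY must be set in environment variables!")
    if len(SECRET_KEY) < 32:
        # Flask signs the session cookie with this key; a short key weakens
        # every session. Warn only, so a deployment is not bricked by it.
        warnings.warn(
            "SECRET_KEY is shorter than 32 characters; generate a longer random value",
            RuntimeWarning,
        )

    # Database Configuration
    DB_HOST = os.environ.get('DB_HOST', 'localhost')
    DB_PORT = _env_int('DB_PORT', 3306)
    DB_NAME = os.environ.get('DB_NAME')
    DB_USER = os.environ.get('DB_USER')
    DB_PASSWORD = os.environ.get('DB_PASSWORD')

    if not all([DB_NAME, DB_USER, DB_PASSWORD]):
        raise RuntimeError("Database credentials must be set in environment variables!")

    # SQLAlchemy Database URI. User and password are percent-encoded so that
    # characters such as '@', ':', '/' or '#' in a password cannot be parsed
    # as URL delimiters (which would both break the connection and shift the
    # password fragment into the host part). quote(..., safe='') encodes a
    # space as %20, which percent-decoding on the SQLAlchemy side reverses.
    SQLALCHEMY_DATABASE_URI = (
        f"mysql+pymysql://{quote(DB_USER, safe='')}:{quote(DB_PASSWORD, safe='')}"
        f"@{DB_HOST}:{DB_PORT}/{DB_NAME}"
    )
    SQLALCHEMY_TRACK_MODIFICATIONS = False
    SQLALCHEMY_ENGINE_OPTIONS = {
        'pool_size': _env_int('DB_POOL_SIZE', 10),
        'pool_recycle': _env_int('DB_POOL_RECYCLE', 3600),
        'pool_timeout': _env_int('DB_POOL_TIMEOUT', 30),
        'pool_pre_ping': True,  # Verify connections before using
    }

    # Session Security
    SESSION_COOKIE_SECURE = _env_bool('SESSION_COOKIE_SECURE')
    SESSION_COOKIE_HTTPONLY = _env_bool('SESSION_COOKIE_HTTPONLY')
    # 'Lax' is the safe default; browsers reject SameSite=None unless the
    # cookie is also Secure.
    SESSION_COOKIE_SAMESITE = os.environ.get('SESSION_COOKIE_SAMESITE', 'Lax')
    PERMANENT_SESSION_LIFETIME = timedelta(
        seconds=_env_int('PERMANENT_SESSION_LIFETIME', 3600)
    )
    SESSION_REFRESH_EACH_REQUEST = _env_bool('SESSION_REFRESH_EACH_REQUEST')

    # CSRF Protection
    WTF_CSRF_ENABLED = _env_bool('WTF_CSRF_ENABLED')
    WTF_CSRF_TIME_LIMIT = _env_int('WTF_CSRF_TIME_LIMIT', 3600)
    WTF_CSRF_SSL_STRICT = _env_bool('WTF_CSRF_SSL_STRICT')
    WTF_CSRF_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE']

    # File Upload Security
    MAX_CONTENT_LENGTH = _env_int('MAX_CONTENT_LENGTH', 16 * 1024 * 1024)  # 16MB default
    UPLOAD_FOLDER = os.environ.get('UPLOAD_FOLDER', '/opt/epolaw/uploads')
    # Entries are trimmed and empty ones dropped so that 'pdf, doc,' in the
    # environment does not admit ' doc' or '' as an extension. Case is kept
    # as configured, so existing comparisons by callers are unchanged.
    ALLOWED_EXTENSIONS = {
        ext.strip()
        for ext in os.environ.get('ALLOWED_EXTENSIONS', 'pdf,doc,docx,txt').split(',')
        if ext.strip()
    }

    # Password Policy
    MIN_PASSWORD_LENGTH = _env_int('MIN_PASSWORD_LENGTH', 12)
    REQUIRE_UPPERCASE = _env_bool('REQUIRE_UPPERCASE')
    REQUIRE_LOWERCASE = _env_bool('REQUIRE_LOWERCASE')
    REQUIRE_DIGITS = _env_bool('REQUIRE_DIGITS')
    REQUIRE_SPECIAL_CHARS = _env_bool('REQUIRE_SPECIAL_CHARS')

    # Account Lockout Policy
    MAX_LOGIN_ATTEMPTS = _env_int('MAX_LOGIN_ATTEMPTS', 5)
    LOCKOUT_DURATION_MINUTES = _env_int('LOCKOUT_DURATION_MINUTES', 30)
    LOCKOUT_NOTIFY_ADMIN = _env_bool('LOCKOUT_NOTIFY_ADMIN')

    # Email Configuration (MAIL_* values are optional; None when unset)
    MAIL_SERVER = os.environ.get('MAIL_SERVER')
    MAIL_PORT = _env_int('MAIL_PORT', 587)
    MAIL_USE_TLS = _env_bool('MAIL_USE_TLS')
    MAIL_USERNAME = os.environ.get('MAIL_USERNAME')
    MAIL_PASSWORD = os.environ.get('MAIL_PASSWORD')
    MAIL_DEFAULT_SENDER = os.environ.get('MAIL_DEFAULT_SENDER')

    # Logging
    LOG_LEVEL = os.environ.get('LOG_LEVEL', 'INFO')
    LOG_FILE = os.environ.get('LOG_FILE', '/var/log/epo-law/application.log')
    SECURITY_LOG_FILE = os.environ.get('SECURITY_LOG_FILE', '/var/log/epo-law/security.log')

    # Application Settings
    APP_NAME = os.environ.get('APP_NAME', 'EPO-LAW')
    ADMIN_EMAIL = os.environ.get('ADMIN_EMAIL')
    TIMEZONE = os.environ.get('TIMEZONE', 'UTC')

    # Drop the parsing helpers so they are not exposed as class methods.
    del _env_bool, _env_int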


class DevelopmentConfig(Config):
    """Local-development overrides of Config.

    Relaxes only the two settings that make plain-HTTP development
    impossible; everything else (CSRF, password and lockout policy, DB
    credentials) is inherited unchanged from Config.
    """

    # The session cookie may be sent over plain HTTP on a developer machine.
    SESSION_COOKIE_SECURE = False
    # Flask-WTF's referrer check for HTTPS requests is relaxed for the same reason.
    WTF_CSRF_SSL_STRICT = False
    # Enables the interactive debugger and reloader; never inherited by production.
    DEBUG = True


class ProductionConfig(Config):
    """Production overrides of Config: HTTPS is mandatory.

    Pins the HTTPS-related cookie and CSRF settings to their strict values
    regardless of what the environment file says, so a stray
    SESSION_COOKIE_SECURE=false cannot weaken a production deployment.
    """

    DEBUG = False
    TESTING = False

    # Force HTTPS: cookies carry the Secure flag, CSRF referrer checks stay on,
    # and generated external URLs use the https scheme.
    PREFERRED_URL_SCHEME = 'https'
    WTF_CSRF_SSL_STRICT = True
    SESSION_COOKIE_SECURE = True


class TestingConfig(Config):
    """Overrides of Config for the automated test suite.

    NOTE(review): the class body of Config still runs on import, so the
    test environment must provide SECRET_KEY and DB_* even though the
    database URI below never uses them — confirm this is intended.
    NOTE(review): SQLALCHEMY_ENGINE_OPTIONS (pool_size, pool_timeout, ...)
    is inherited from Config and applied to the SQLite engine; verify the
    SQLite pool accepts those options.
    """

    # In-memory SQLite replaces the MySQL connection from Config.
    SQLALCHEMY_DATABASE_URI = 'sqlite:///:memory:'
    # CSRF tokens would otherwise be required on every POST made by the tests.
    WTF_CSRF_ENABLED = False
    TESTING = True


# Configuration dictionary
# Configuration dictionary: maps the FLASK_ENV name to its Config subclass.
# 'default' is the production config, so an unrecognised name resolves to
# the strictest settings rather than to a development profile.
config = dict(
    development=DevelopmentConfig,
    production=ProductionConfig,
    testing=TestingConfig,
    default=ProductionConfig,
)


def get_config(env=None):
    """Return the Config subclass selected by *env*.

    Args:
        env: One of the keys of ``config`` ('development', 'production',
            'testing'). When None, the FLASK_ENV environment variable is
            consulted, defaulting to 'production'.

    Returns:
        The matching class from ``config``. An unknown name resolves to
        ``config['default']`` (the production config), so a typo in
        FLASK_ENV never yields a less strict configuration.
    """
    selected = env if env is not None else os.environ.get('FLASK_ENV', 'production')
    fallback = config['default']
    return config.get(selected, fallback)
