# [DEF:backend.src.schemas.auth:Module]
#
# @TIER: STANDARD
# @SEMANTICS: auth, schemas, pydantic, user, token
# @PURPOSE: Pydantic schemas for authentication requests and responses.
# @LAYER: API
# @RELATION: DEPENDS_ON -> pydantic
#
# @INVARIANT: Sensitive fields like password must not be included in response schemas.

# [SECTION: IMPORTS]
from datetime import datetime
from typing import List, Optional

from pydantic import BaseModel, EmailStr
# [/SECTION]


# [DEF:Token:Class]
# @TIER: TRIVIAL
# @PURPOSE: Represents a JWT access token response.
class Token(BaseModel):
    # The token is a credential. pydantic includes every field in repr() and
    # model_dump(), so instances of this model should stay out of logs.
    access_token: str
    # Plain string; this schema does not restrict it to a fixed set of values.
    token_type: str
# [/DEF:Token:Class]


# [DEF:TokenData:Class]
# @TIER: TRIVIAL
# @PURPOSE: Represents the data encoded in a JWT token.
class TokenData(BaseModel):
    # This model only carries claims; nothing here checks a signature or expiry.
    # NOTE(review): both fields have defaults, so TokenData() with no claims
    # validates. Presumably the code that decodes the JWT rejects
    # username=None itself; confirm at the call site.
    username: Optional[str] = None
    # pydantic copies mutable defaults per instance, so this [] is not shared.
    scopes: List[str] = []
# [/DEF:TokenData:Class]


# [DEF:PermissionSchema:Class]
# @TIER: TRIVIAL
# @PURPOSE: Represents a permission in API responses.
class PermissionSchema(BaseModel):
    id: Optional[str] = None
    resource: str
    action: str

    class Config:
        # Lets the model be built from an object's attributes (for example an
        # ORM row) instead of only from a dict.
        from_attributes = True
# [/DEF:PermissionSchema:Class]


# [DEF:RoleSchema:Class]
# @PURPOSE: Represents a role in API responses.
class RoleSchema(BaseModel):
    id: str
    name: str
    description: Optional[str] = None
    # Nested response objects, unlike the plain strings RoleCreate/RoleUpdate accept.
    permissions: List[PermissionSchema] = []

    class Config:
        # Attribute-based construction, same as PermissionSchema.
        from_attributes = True
# [/DEF:RoleSchema:Class]


# [DEF:RoleCreate:Class]
# @PURPOSE: Schema for creating a new role.
class RoleCreate(BaseModel):
    name: str
    description: Optional[str] = None
    # List of permission IDs or "resource:action" strings
    # NOTE(review): the entries are unconstrained strings. Resolving them to
    # existing permissions, and checking that the caller is allowed to grant
    # them, is not expressed in this schema and has to happen in the handler.
    permissions: List[str] = []
# [/DEF:RoleCreate:Class]


# [DEF:RoleUpdate:Class]
# @PURPOSE: Schema for updating an existing role.
class RoleUpdate(BaseModel):
    # Every field defaults to None, so an omitted field and an explicit null
    # look the same on the parsed model unless the caller inspects
    # model_fields_set or dumps with exclude_unset=True.
    # NOTE(review): confirm that permissions=None means "leave unchanged" and
    # not "remove all permissions".
    name: Optional[str] = None
    description: Optional[str] = None
    permissions: Optional[List[str]] = None
# [/DEF:RoleUpdate:Class]


# [DEF:ADGroupMappingSchema:Class]
# @PURPOSE: Represents an AD Group to Role mapping in API responses.
class ADGroupMappingSchema(BaseModel):
    id: str
    ad_group: str
    role_id: str

    class Config:
        # Lets the model be built from an object's attributes (for example an
        # ORM row) instead of only from a dict.
        from_attributes = True
# [/DEF:ADGroupMappingSchema:Class]


# [DEF:ADGroupMappingCreate:Class]
# @PURPOSE: Schema for creating an AD Group mapping.
class ADGroupMappingCreate(BaseModel):
    # NOTE(review): both values are free-form strings. Presumably a mapping
    # assigns role_id to members of ad_group, which would make creating one a
    # privilege-granting operation; confirm that the endpoint using this
    # schema is restricted to administrators and that role_id is checked
    # against existing roles.
    ad_group: str
    role_id: str
# [/DEF:ADGroupMappingCreate:Class]


# [DEF:UserBase:Class]
# @PURPOSE: Base schema for user data.
class UserBase(BaseModel):
    # No length or character constraints are declared on username here.
    username: str
    # EmailStr validates the address syntax only.
    email: Optional[EmailStr] = None
    is_active: bool = True
# [/DEF:UserBase:Class]


# [DEF:UserCreate:Class]
# @PURPOSE: Schema for creating a new user.
class UserCreate(UserBase):
    # NOTE(review): as a plain str the password appears in repr() and
    # model_dump() output, so logging this model logs the password.
    # pydantic.SecretStr would mask it, but it changes the attribute type
    # that callers read. No minimum or maximum length is enforced here either.
    password: str
    # NOTE(review): role identifiers arrive as arbitrary strings; whether the
    # caller may assign them has to be decided outside this schema.
    roles: List[str] = []
# [/DEF:UserCreate:Class]


# [DEF:UserUpdate:Class]
# @PURPOSE: Schema for updating an existing user.
class UserUpdate(BaseModel):
    # Derives from BaseModel, not UserBase, so username is not part of an update.
    # Every field defaults to None, so an omitted field and an explicit null
    # look the same unless the caller inspects model_fields_set or dumps with
    # exclude_unset=True.
    email: Optional[EmailStr] = None
    # Same exposure as UserCreate.password: a plain str shows up in repr()
    # and model_dump().
    password: Optional[str] = None
    is_active: Optional[bool] = None
    # NOTE(review): confirm that roles=None means "leave unchanged" and that
    # users cannot alter their own roles through this schema.
    roles: Optional[List[str]] = None
# [/DEF:UserUpdate:Class]


# [DEF:User:Class]
# @PURPOSE: Schema for user data in API responses.
class User(UserBase):
    # Response model: it declares no password field, in line with the module
    # @INVARIANT. With from_attributes, pydantic reads only the fields declared
    # here, so other attributes of the source object are not serialized.
    id: str
    auth_source: str
    created_at: datetime
    last_login: Optional[datetime] = None
    # Full role objects including their permissions are returned to the client.
    roles: List[RoleSchema] = []

    class Config:
        from_attributes = True
# [/DEF:User:Class]

# [/DEF:backend.src.schemas.auth:Module]