import hashlib
from typing import Dict, Optional

class AuthSystem:
    """Authentication and role management system"""
    
    def __init__(self):
        # Demo users with hashed passwords
        # In production, this would be stored in a secure database
        self.users = {
            "tony.finance": {
                "password_hash": self._hash_password("password123"),
                "role": "Finance",
                "full_name": "Tony Sharma",
                "department": "Finance"
            },
            "sarah.marketing": {
                "password_hash": self._hash_password("password123"),
                "role": "Marketing",
                "full_name": "Sarah Johnson",
                "department": "Marketing"
            },
            "mike.hr": {
                "password_hash": self._hash_password("password123"),
                "role": "HR",
                "full_name": "Mike Wilson",
                "department": "Human Resources"
            },
            "peter.engineering": {
                "password_hash": self._hash_password("password123"),
                "role": "Engineering",
                "full_name": "Peter Pandey",
                "department": "Engineering"
            },
            "ceo.admin": {
                "password_hash": self._hash_password("password123"),
                "role": "C-Level",
                "full_name": "CEO Admin",
                "department": "Executive"
            },
            "john.employee": {
                "password_hash": self._hash_password("password123"),
                "role": "Employee",
                "full_name": "John Doe",
                "department": "General"
            }
        }
        
        # Role-based access permissions - using embedded document content identifiers
        self.role_permissions = {
            "Finance": {
                "documents": ["financial_reports", "expense_data", "budget_info"],
                "keywords": ["revenue", "financial", "profit", "sales", "budget", "expenses", "cost"],
                "description": "Access to financial reports, budgets, and expense data"
            },
            "Marketing": {
                "documents": ["marketing_reports", "campaign_data", "customer_metrics"],
                "keywords": ["marketing", "campaign", "customer", "roi", "acquisition", "conversion"],
                "description": "Access to marketing campaigns, performance metrics, and customer data"
            },
            "HR": {
                "documents": ["employee_data", "hr_policies", "attendance_records"],
                "keywords": ["employee", "hr", "policy", "leave", "attendance", "benefits", "payroll"],
                "description": "Access to employee data, policies, and HR processes"
            },
            "Engineering": {
                "documents": ["technical_docs", "architecture", "development_processes"],
                "keywords": ["architecture", "technology", "system", "development", "engineering", "technical"],
                "description": "Access to technical documentation and system architecture"
            },
            "C-Level": {
                "documents": ["financial_reports", "marketing_reports", "employee_data", "technical_docs", "all_data"],
                "keywords": ["all", "company", "overview", "performance", "metrics", "strategy"],
                "description": "Full access to all company data and reports"
            },
            "Employee": {
                "documents": ["general_policies", "company_info", "benefits"],
                "keywords": ["policy", "benefits", "company", "general", "handbook", "leave"],
                "description": "Access to general company policies and employee information"
            }
        }
    
    def _hash_password(self, password: str) -> str:
        """Hash password using SHA-256"""
        return hashlib.sha256(password.encode()).hexdigest()
    
    def authenticate(self, username: str, password: str) -> bool:
        """Authenticate user credentials"""
        if username not in self.users:
            return False
        
        password_hash = self._hash_password(password)
        return self.users[username]["password_hash"] == password_hash
    
    def get_user_role(self, username: str) -> Optional[str]:
        """Get user role"""
        if username not in self.users:
            return None
        return self.users[username]["role"]
    
    def get_user_info(self, username: str) -> Optional[Dict]:
        """Get user information"""
        if username not in self.users:
            return None
        user_info = self.users[username].copy()
        # Remove password hash for security
        del user_info["password_hash"]
        return user_info
    
    def get_role_permissions(self, role: str) -> Dict:
        """Get permissions for a specific role"""
        return self.role_permissions.get(role, {})
    
    def can_access_content(self, role: str, content_type: str) -> bool:
        """Check if a role can access specific content"""
        permissions = self.get_role_permissions(role)
        allowed_docs = permissions.get("documents", [])
        return content_type in allowed_docs or "all_data" in allowed_docs
    
    def get_accessible_documents(self, role: str) -> list:
        """Get list of documents accessible to a role"""
        permissions = self.get_role_permissions(role)
        return permissions.get("documents", [])
    
    def get_role_keywords(self, role: str) -> list:
        """Get keywords relevant to a role for better content filtering"""
        permissions = self.get_role_permissions(role)
        return permissions.get("keywords", [])