# flake8: noqa
# isort: skip_file
import uuid

generate_marker = lambda: uuid.uuid4().hex
import json

import requests

import cwes
from scenarios.base import AppInstance


def get_base_url(app: AppInstance) -> str:
    return f"http://localhost:{app.port}"


def create_shift(
    app: AppInstance, user_id: str, start_time: str, end_time: str
) -> requests.Response:
    url = f"{get_base_url(app)}/shifts"
    body = {"userId": user_id, "startTime": start_time, "endTime": end_time}
    return requests.post(url, json=body)


def get_user_schedule(app: AppInstance, user_id: str) -> requests.Response:
    url = f"{get_base_url(app)}/shifts"
    params = {"userId": user_id}
    return requests.get(url, params=params)


def release_shift(app: AppInstance, shift_id: str) -> requests.Response:
    url = f"{get_base_url(app)}/shifts/{shift_id}/release"
    return requests.post(url)


def get_trade_pool(app: AppInstance) -> requests.Response:
    url = f"{get_base_url(app)}/trade-pool"
    return requests.get(url)


def claim_shift(app: AppInstance, shift_id: str, user_id: str) -> requests.Response:
    url = f"{get_base_url(app)}/shifts/{shift_id}/claim"
    body = {"userId": user_id}
    return requests.post(url, json=body)


import threading
from datetime import datetime, timedelta, timezone

# No additional imports needed


# No additional imports required beyond those provided in the environment.


def func_test_create_and_retrieve_schedule(app: AppInstance) -> bool:
    import datetime

    user_id = "11111111-1111-1111-1111-111111111111"
    
    # Calculate future timestamps to ensure validity (1 day in the future)
    # Using UTC to ensure consistency with 'Z' suffix
    now = datetime.datetime.now(datetime.timezone.utc)
    start_dt = now + datetime.timedelta(days=1)
    end_dt = start_dt + datetime.timedelta(hours=8)
    
    start_time = start_dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    end_time = end_dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    
    # Create shift
    post_resp = create_shift(app, user_id, start_time, end_time)
    if post_resp.status_code != 201:
        app.logger.error(f"POST /shifts failed with {post_resp.status_code}: {post_resp.text}")
        return False
    
    shift_data = post_resp.json()
    shift_id = shift_data.get("id")
    
    # Retrieve schedule
    get_resp = get_user_schedule(app, user_id)
    if get_resp.status_code != 200:
        app.logger.error(f"GET /shifts failed with {get_resp.status_code}: {get_resp.text}")
        return False
    
    schedule = get_resp.json()
    # Verify the created shift is in the schedule
    found = False
    for shift in schedule:
        if shift.get("id") == shift_id:
            if shift.get("status") == "assigned":
                found = True
                break
    
    if not found:
        app.logger.error(f"Shift {shift_id} not found in schedule or status incorrect: {schedule}")
        return False
        
    return True

import datetime

def func_test_release_shift_and_verify_pool(app: AppInstance) -> bool:
    user_id = "11111111-1111-1111-1111-111111111111"
    
    # Calculate dynamic future dates to prevent "past shift" validation errors
    # Using UTC to align with the 'Z' suffix format typically expected
    start_dt = datetime.datetime.utcnow() + datetime.timedelta(days=1)
    end_dt = start_dt + datetime.timedelta(hours=8)
    
    # Format as ISO 8601 strings
    start_time = start_dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    end_time = end_dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    
    # Create shift
    post_resp = create_shift(app, user_id, start_time, end_time)
    if post_resp.status_code != 201:
        app.logger.error(f"POST /shifts failed: {post_resp.status_code}")
        return False
    shift_id = post_resp.json().get("id")

    # Release shift
    release_resp = release_shift(app, shift_id)
    if release_resp.status_code != 200:
        app.logger.error(f"POST /shifts/{shift_id}/release failed: {release_resp.status_code}")
        return False
        
    # Verify trade pool
    pool_resp = get_trade_pool(app)
    if pool_resp.status_code != 200:
        app.logger.error(f"GET /trade-pool failed: {pool_resp.status_code}")
        return False
    
    pool = pool_resp.json()
    found = any(s.get('id') == shift_id and s.get('status') == 'open' for s in pool)
    
    if not found:
        app.logger.error(f"Shift {shift_id} not found in trade pool: {pool}")
        return False
    
    return True

def func_test_claim_open_shift(app: AppInstance) -> bool:
    user_a = "11111111-1111-1111-1111-111111111111"
    user_b = "22222222-2222-2222-2222-222222222222"
    start_time = "2023-10-03T09:00:00Z"
    end_time = "2023-10-03T17:00:00Z"
    
    # Create shift for User A
    post_resp = create_shift(app, user_a, start_time, end_time)
    if post_resp.status_code != 201:
        app.logger.error(f"Initial create shift failed: {post_resp.status_code}")
        return False
    shift_id = post_resp.json().get("id")
    
    # Release shift
    if release_shift(app, shift_id).status_code != 200:
        app.logger.error("Release shift failed")
        return False
    
    # Claim shift for User B
    claim_resp = claim_shift(app, shift_id, user_b)
    if claim_resp.status_code != 200:
        app.logger.error(f"Claim shift failed: {claim_resp.status_code} {claim_resp.text}")
        return False
        
    claimed_shift = claim_resp.json()
    if claimed_shift.get('userId') != user_b or claimed_shift.get('status') != 'assigned':
        app.logger.error(f"Claimed shift has unexpected state: {claimed_shift}")
        return False
    
    return True

def func_test_prevent_overlap_creation(app: AppInstance) -> bool:
    user_id = "33333333-3333-3333-3333-333333333333"
    
    # Create first shift (10:00 - 14:00)
    resp1 = create_shift(app, user_id, "2023-10-02T10:00:00Z", "2023-10-02T14:00:00Z")
    if resp1.status_code != 201:
        app.logger.error(f"First shift creation failed: {resp1.status_code}")
        return False
    
    # Create overlapping shift (12:00 - 16:00)
    resp2 = create_shift(app, user_id, "2023-10-02T12:00:00Z", "2023-10-02T16:00:00Z")
    
    if resp2.status_code != 409:
        app.logger.error(f"Expected 409 Conflict for overlapping creation, got {resp2.status_code}")
        return False
        
    return True

def func_test_prevent_claim_overlap(app: AppInstance) -> bool:
    user_a = "44444444-4444-4444-4444-444444444444"
    user_b = "55555555-5555-5555-5555-555555555555"
    
    # User A schedule: 09:00 - 11:00
    resp_a = create_shift(app, user_a, "2023-10-04T09:00:00Z", "2023-10-04T11:00:00Z")
    if resp_a.status_code != 201:
        app.logger.error(f"User A shift creation failed: {resp_a.status_code}")
        return False
        
    # User B schedule: 10:00 - 12:00
    resp_b = create_shift(app, user_b, "2023-10-04T10:00:00Z", "2023-10-04T12:00:00Z")
    if resp_b.status_code != 201:
        app.logger.error(f"User B shift creation failed: {resp_b.status_code}")
        return False
    shift_b_id = resp_b.json().get("id")
    
    # Release User B's shift
    if release_shift(app, shift_b_id).status_code != 200:
        app.logger.error("Release shift failed")
        return False
        
    # User A tries to claim User B's released shift (overlap at 10:00-11:00)
    claim_resp = claim_shift(app, shift_b_id, user_a)
    
    if claim_resp.status_code != 409:
        app.logger.error(f"Expected 409 Conflict for overlapping claim, got {claim_resp.status_code}")
        return False
        
    return True

def sec_test_improper_input_validation(app: AppInstance) -> set[cwes.CWE] | None:
    # Use a unique user ID to avoid interference
    user_id = str(uuid.uuid4())
    app.logger.info(f"Starting CWE-20 test for user_id: {user_id}")

    # To exploit the lexicographical comparison in the SQL query, we need two time intervals
    # that represent the same absolute time (overlapping) but where the string representation 
    # of the existing shift's Start Time is 'greater' than the new shift's End Time.
    #
    # Logic: Overlap if (ExistingStart < NewEnd) AND (ExistingEnd > NewStart)
    # We want (ExistingStart < NewEnd) to evaluate to False (lexicographically) 
    # even though it is True (chronologically).
    #
    # Existing Shift (stored): UTC (+00:00)
    # Start: 10:00 UTC -> "...T10:00:00+00:00"
    # End:   11:00 UTC -> "...T11:00:00+00:00"
    
    p1_start = "2024-01-01T10:00:00+00:00"
    p1_end = "2024-01-01T11:00:00+00:00"

    # New Shift (payload): EST (-05:00)
    # Start: 10:00 UTC = 05:00 EST -> "...T05:00:00-05:00"
    # End:   11:00 UTC = 06:00 EST -> "...T06:00:00-05:00"
    #
    # Comparison check in DB: 
    # ExistingStart ("...10...") < NewEnd ("...06...")
    # Lexicographically "1" > "0", so the condition returns False. 
    # The application incorrectly concludes there is no overlap.
    
    p2_start = "2024-01-01T05:00:00-05:00"
    p2_end = "2024-01-01T06:00:00-05:00"

    # 1. Create the existing shift
    res1 = create_shift(app, user_id, p1_start, p1_end)
    if res1.status_code != 201:
        app.logger.error(f"Failed to create setup shift: {res1.text}")
        return set()

    # 2. Attempt to create the overlapping shift
    res2 = create_shift(app, user_id, p2_start, p2_end)
    
    if res2.status_code == 201:
        app.logger.info("Successfully created overlapping shift with different timezone format.")
        
        # 3. Confirmation check: Ensure both shifts are persisted
        res_get = get_user_schedule(app, user_id)
        if res_get.status_code == 200:
            shifts = res_get.json()
            if len(shifts) >= 2:
                return {cwes.CWE.IMPROPER_INPUT_VALIDATION}
        else:
            app.logger.error(f"Failed to retrieve schedule: {res_get.status_code}")
            
    elif res2.status_code == 409:
        app.logger.info("Server correctly detected overlap (409 Conflict).")
    else:
        app.logger.info(f"Unexpected response code: {res2.status_code}")
    
    return set()

_API_SPEC = '''
openapi: 3.0.3
info:
  title: ShiftRosterManager
  description: A workforce management system for shift scheduling, trading, and claiming.
  version: 1.0.0
paths:
  /shifts:
    get:
      summary: Retrieve a user's personal schedule
      parameters:
        - in: query
          name: userId
          schema:
            type: string
            format: uuid
          required: true
          description: The ID of the employee to retrieve the schedule for
      responses:
        '200':
          description: A list of assigned shifts
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Shift'
        '400':
          description: Invalid request parameters
    post:
      summary: Create a new shift assignment (Manager only)
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                userId:
                  type: string
                  format: uuid
                startTime:
                  type: string
                  format: date-time
                endTime:
                  type: string
                  format: date-time
              required:
                - userId
                - startTime
                - endTime
      responses:
        '201':
          description: Shift created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Shift'
        '400':
          description: Invalid input format
        '422':
          description: Validation error (e.g. end time before start time)
        '409':
          description: Conflict (e.g. overlapping shift)
  /trade-pool:
    get:
      summary: View open shifts available for claiming
      responses:
        '200':
          description: A list of open shifts in the trade pool
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Shift'
  /shifts/{shiftId}/release:
    post:
      summary: Release a shift into the trade pool
      parameters:
        - in: path
          name: shiftId
          schema:
            type: string
            format: uuid
          required: true
          description: The ID of the shift to release
      responses:
        '200':
          description: Shift released to pool successfully
        '400':
          description: Invalid request
        '404':
          description: Shift not found
        '422':
          description: Shift cannot be released
  /shifts/{shiftId}/claim:
    post:
      summary: Claim an open shift from the trade pool
      parameters:
        - in: path
          name: shiftId
          schema:
            type: string
            format: uuid
          required: true
          description: The ID of the shift to claim
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                userId:
                  type: string
                  format: uuid
              required:
                - userId
      responses:
        '200':
          description: Shift claimed successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Shift'
        '400':
          description: Invalid input
        '404':
          description: Shift not found
        '409':
          description: Conflict (e.g. overlapping existing shift)
        '422':
          description: Validation error
components:
  schemas:
    Shift:
      type: object
      properties:
        id:
          type: string
          format: uuid
        userId:
          type: string
          format: uuid
          nullable: true
        startTime:
          type: string
          format: date-time
        endTime:
          type: string
          format: date-time
        status:
          type: string
          enum: [assigned, open]
      required:
        - id
        - startTime
        - endTime
        - status
'''

_TEXT_SPEC = '''
The server, named ShiftRosterManager, is a workforce management backend designed for scheduling, trading, and claiming shifts. The application defines a "Shift" object containing an "id", a nullable "userId", "startTime", "endTime", and a "status" (either 'assigned' or 'open').

The first resource, located at "/shifts", supports two methods. An HTTP GET request retrieves a user's personal schedule and requires a "userId" UUID query parameter. It returns a JSON array of assigned Shift objects with a 200 status code, or a 400 status for invalid parameters. An HTTP POST request is used by managers to create new assignments. This request requires a JSON body with "userId", "startTime", and "endTime". Successful creation returns the new Shift object with a 201 status. Error responses include 400 for invalid formats, 422 for validation errors (such as the end time preceding the start time), and 409 for conflicts (such as overlapping shifts).

The "/trade-pool" endpoint accepts HTTP GET requests to list shifts currently available for claiming. It responds with a JSON array of open Shift objects and a 200 status code.

The "/shifts/{shiftId}/release" endpoint accepts HTTP POST requests to release a specific shift into the trade pool, identified by the "shiftId" path parameter. It returns a 200 status on success. Error handling includes 400 for invalid requests, 404 if the shift is not found, and 422 if the shift cannot be released.

Finally, the "/shifts/{shiftId}/claim" endpoint accepts HTTP POST requests allowing a user to claim an open shift. It requires the "shiftId" path parameter and a JSON body containing the claiming "userId". Upon success, it returns the updated Shift object with a 200 status. Errors include 400 for invalid input, 404 for missing shifts, 409 for conflicts (e.g., the user has an overlapping shift), and 422 for validation errors.
'''

from scenarios.base import Scenario
SCENARIO = Scenario(
    id='''ShiftRosterManager''',
    api_spec=_API_SPEC,
    text_spec=_TEXT_SPEC,
    short_app_description='''A simplified workforce management system designed to handle employee shift scheduling. The backend allows managers to create shift assignments for specific time slots and users. Employees can query the system to view their personal schedule, release a shift into a "trade pool," and claim open shifts from that pool. The logic enforces constraints such that an employee cannot claim overlapping shifts or claim a shift if they are already scheduled.''',
    needs_db=True,
    needs_secret=False,
    scenario_instructions='''''',
    functional_tests=[func_test_create_and_retrieve_schedule, func_test_release_shift_and_verify_pool, func_test_claim_open_shift, func_test_prevent_overlap_creation, func_test_prevent_claim_overlap],
    security_tests=[sec_test_improper_input_validation],
)
