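from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity labels accepted by GeneratedRule.severity (the set the original
# field comment documented; enforced in __post_init__).
SEVERITIES: frozenset[str] = frozenset({"low", "medium", "high", "critical"})

# Keyword patterns mapping a free-text scenario onto a candidate rule.
# Word boundaries prevent substring hits such as "sqli" inside "sqlite" or
# "mysqli"; the [\s_-]* separators also accept "sql-injection",
# "sql_injection" and "cross-site scripting" on top of the bare tokens.
_SQLI_PATTERN = re.compile(r"\bsqli\b|\bsql[\s_-]*injection\b")
_XSS_PATTERN = re.compile(r"\bxss\b|\bcross[\s_-]*site[\s_-]*scripting\b")


@dataclass
class GeneratedRule:
    """Represents a Terraform WAF rule we propose to add.

    ``terraform_snippet`` is a fixed HCL template authored in this module; it
    is never built from caller-supplied text. ``impact_score`` and
    ``effort_score`` are heuristic constants assigned by the generator, not
    measurements, and are only used to rank and filter candidates.
    """

    name: str
    description: str
    terraform_snippet: str
    severity: str  # one of SEVERITIES: "low" | "medium" | "high" | "critical"
    tags: List[str] = field(default_factory=list)
    notes: Optional[str] = None
    impact_score: float = 0.5  # 0-1: estimated security impact
    effort_score: float = 0.5  # 0-1: estimated effort to implement

    def __post_init__(self) -> None:
        """Reject values outside the documented contract.

        Raises:
            ValueError: if ``severity`` is not in ``SEVERITIES`` or either
                score lies outside the closed interval [0, 1].
        """
        if self.severity not in SEVERITIES:
            raise ValueError(
                f"severity must be one of {sorted(SEVERITIES)}, got {self.severity!r}"
            )
        for label, score in (
            ("impact_score", self.impact_score),
            ("effort_score", self.effort_score),
        ):
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"{label} must be within [0, 1], got {score!r}")


class WAFRuleGenerator:
    """
    Generate Cloudflare WAF Terraform rules with a quality-first strategy.

    The scenario text only selects which pre-authored snippet is returned; it
    is never interpolated into the HCL, so the emitted Terraform is the same
    regardless of how the scenario text was obtained. The snippets are
    templates: review them and run ``terraform plan`` before applying.
    """

    def generate_from_scenario(
        self,
        scenario: str,
        *,
        limit: int = 3,
        max_effort: float = 0.8,
    ) -> List[GeneratedRule]:
        """Return a small set of high-impact, reasonable-effort rules.

        Args:
            scenario: Free-text description of the threat scenario; matched
                case-insensitively against keyword patterns only.
            limit: Maximum number of rules to return (applied as a slice).
            max_effort: Rules with ``effort_score`` above this are dropped,
                unless that would leave nothing, in which case every
                candidate is kept so the caller always gets at least one.

        Returns:
            Candidates sorted by descending impact, then ascending effort,
            truncated to ``limit``. An unrecognised scenario yields the
            baseline hardening rule.
        """
        scenario_lower = scenario.lower()
        candidates: List[GeneratedRule] = []
        if _SQLI_PATTERN.search(scenario_lower):
            candidates.append(self._sql_injection_rule())
        if _XSS_PATTERN.search(scenario_lower):
            candidates.append(self._xss_rule())
        # Nothing recognised: fall back to the generic baseline recommendation.
        if not candidates:
            candidates.append(self._baseline_waf_rule())

        # Prefer rules within the effort budget, but never return an empty
        # set merely because every candidate is expensive.
        selected = [r for r in candidates if r.effort_score <= max_effort] or candidates
        selected.sort(key=lambda r: (-r.impact_score, r.effort_score))
        return selected[:limit]

    def _sql_injection_rule(self) -> GeneratedRule:
        """Build the managed-ruleset SQLi blocking template.

        NOTE(review): the snippet's own TODO mentions zone_id / account_id
        but the resource body contains neither, so as emitted it is a
        template, not apply-ready HCL. The ``cf.waf.ruleset`` field and the
        ``block`` action in the managed phase should be confirmed against
        current Cloudflare rules-language and provider docs before use.
        """
        snippet = '''resource "cloudflare_ruleset" "waf_sqli_protection" {
  # TODO: adjust zone_id / account_id and phase for your setup
  name  = "WAF - SQLi protection"
  kind  = "zone"
  phase = "http_request_firewall_managed"

  rules = [{
    action     = "block"
    expression = "(cf.waf.ruleset eq \\"sqli\\")"
    enabled    = true
  }]
}
'''
        return GeneratedRule(
            name="waf_sqli_protection",
            description="Enable blocking against SQL injection attempts using Cloudflare managed rules.",
            terraform_snippet=snippet,
            severity="high",
            tags=["sqli", "managed_rules", "waf"],
            impact_score=0.95,
            effort_score=0.3,
        )

    def _xss_rule(self) -> GeneratedRule:
        """Build the managed-ruleset XSS blocking template.

        NOTE(review): same caveats as the SQLi template — no zone_id /
        account_id is set, and the expression field should be verified
        against the Cloudflare docs before the snippet is applied.
        """
        snippet = '''resource "cloudflare_ruleset" "waf_xss_protection" {
  name  = "WAF - XSS protection"
  kind  = "zone"
  phase = "http_request_firewall_managed"

  rules = [{
    action     = "block"
    expression = "(cf.waf.ruleset eq \\"xss\\")"
    enabled    = true
  }]
}
'''
        return GeneratedRule(
            name="waf_xss_protection",
            description="Enable blocking against cross-site scripting (XSS) attacks.",
            terraform_snippet=snippet,
            severity="high",
            tags=["xss", "managed_rules", "waf"],
            impact_score=0.9,
            effort_score=0.3,
        )

    def _baseline_waf_rule(self) -> GeneratedRule:
        """Build the fallback recommendation used when no keyword matched.

        The snippet consists of HCL comments only: applying it declares no
        resources and changes nothing, so it is guidance rather than a rule.
        """
        snippet = '''# Baseline WAF hardening (placeholder - customize for your environment)
# Consider enabling Cloudflare managed WAF rulesets for:
#  - SQLi
#  - XSS
#  - RCE
#  - Bot protection
'''
        return GeneratedRule(
            name="waf_baseline_hardening",
            description="Baseline recommendation to enable managed WAF rulesets.",
            terraform_snippet=snippet,
            severity="medium",
            tags=["baseline", "waf"],
            impact_score=0.7,
            effort_score=0.1,
        )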