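/**
 * Security Audit Logger for Data Retention Access
 *
 * Appends one JSON object per line (JSON Lines) to an audit file for every
 * access attempt on the data-retention metrics endpoints. Entries are built
 * with JSON.stringify, which escapes control characters (including newlines)
 * in every string value, so a caller-controlled username or User-Agent cannot
 * terminate an entry early or forge a second one (log injection).
 *
 * Writes are best-effort: a failure to create the directory or append to the
 * file is reported on stderr and never thrown, so an audit-log outage does not
 * block the request. The flip side is that such a request completes unlogged;
 * alert on "Failed to write security log" / "Failed to create security log
 * directory" on stderr.
 */
const fs = require('fs').promises;
const path = require('path');

// Permission bits requested when the log directory / file are first created.
// fs applies them only on creation (minus the process umask); a directory or
// file that already exists keeps whatever mode it has.
const LOG_DIR_MODE = 0o700;
const LOG_FILE_MODE = 0o600;

/**
 * Reduce a failure reason to a value JSON.stringify will keep.
 * An Error's `message` and `stack` are non-enumerable own properties, so
 * JSON.stringify(err) produces `{}` and the reason would vanish from the
 * audit trail.
 * @param {unknown} reason
 * @returns {unknown} `reason.message` for Error instances, otherwise `reason` unchanged
 */
function describeError(reason) {
  return reason instanceof Error ? reason.message : reason;
}

class DataRetentionAuditLogger {
  constructor() {
    // SECURITY_LOG_DIR is read once here; the module exports a singleton, so
    // the variable must be set before this module is first required.
    this.logDir = process.env.SECURITY_LOG_DIR || './logs';
    this.logFile = path.join(this.logDir, 'data_retention_access.log');
  }

  /**
   * Create the log directory (and any parents) if missing.
   * Errors are reported on stderr and swallowed; if the directory is truly
   * unusable the following appendFile reports the problem again.
   * @returns {Promise<void>}
   */
  async ensureLogDir() {
    try {
      await fs.mkdir(this.logDir, { recursive: true, mode: LOG_DIR_MODE });
    } catch (error) {
      console.error('Failed to create security log directory:', error);
    }
  }

  /**
   * Serialize one audit event and append it to the log file.
   * @param {object} event
   * @param {string} event.type      event name, e.g. DATA_RETENTION_ACCESS_SUCCESS
   * @param {{id?: *, username?: string, role?: string}} [event.user]
   * @param {string} [event.ip]
   * @param {string} [event.userAgent]
   * @param {string} [event.endpoint]
   * @param {string} [event.method]
   * @param {string} event.result    'success' | 'auth_failed' | 'permission_denied' | 'network_denied'
   * @param {unknown} [event.error]  failure reason; Error instances are reduced to their message
   * @returns {Promise<void>} never rejects — write failures go to stderr
   */
  async logAccess(event) {
    try {
      await this.ensureLogDir();
      const entry = {
        timestamp: new Date().toISOString(),
        event: event.type,
        user: {
          id: event.user?.id,
          username: event.user?.username,
          role: event.user?.role,
        },
        request: {
          ip: event.ip,
          userAgent: event.userAgent,
          endpoint: event.endpoint,
          method: event.method,
        },
        result: event.result,
        // JSON.stringify drops undefined values, so entries without a
        // failure reason carry no `error` key at all.
        error: describeError(event.error),
      };
      // The trailing newline is the JSON Lines record separator; stringify
      // guarantees no raw newline survives inside the entry itself.
      await fs.appendFile(this.logFile, `${JSON.stringify(entry)}\n`, {
        encoding: 'utf8',
        mode: LOG_FILE_MODE,
      });
    } catch (error) {
      console.error('Failed to write security log:', error);
    }
  }

  /**
   * Extract the request attributes every event records.
   * NOTE(review): `req.ip` is whatever the web framework reports; behind a
   * reverse proxy it reflects the real client only if proxy trust is
   * configured, so treat it as attacker-influenceable when investigating.
   * @param {{ip?: string, method?: string, headers?: object}} req
   * @returns {{ip: *, userAgent: *, method: *}}
   */
  static requestContext(req) {
    return {
      ip: req.ip,
      userAgent: req.headers?.['user-agent'],
      method: req.method,
    };
  }

  /**
   * Record a successful, authorized access by `user` to `endpoint`.
   * @param {{id?: *, username?: string, role?: string}} user
   * @param {object} req  framework request (ip, method, headers)
   * @param {string} endpoint
   */
  async logSuccess(user, req, endpoint) {
    await this.logAccess({
      type: 'DATA_RETENTION_ACCESS_SUCCESS',
      user,
      ...DataRetentionAuditLogger.requestContext(req),
      endpoint,
      result: 'success',
    });
  }

  /**
   * Record a request that failed authentication (no usable identity).
   * @param {object} req
   * @param {string} endpoint
   * @param {unknown} reason  string or Error describing the failure
   */
  async logAuthFailure(req, endpoint, reason) {
    await this.logAccess({
      type: 'DATA_RETENTION_ACCESS_AUTH_FAILED',
      ...DataRetentionAuditLogger.requestContext(req),
      endpoint,
      result: 'auth_failed',
      error: reason,
    });
  }

  /**
   * Record an authenticated `user` who lacked permission for `endpoint`.
   * @param {{id?: *, username?: string, role?: string}} user
   * @param {object} req
   * @param {string} endpoint
   * @param {unknown} reason  string or Error describing the denial
   */
  async logPermissionDenied(user, req, endpoint, reason) {
    await this.logAccess({
      type: 'DATA_RETENTION_ACCESS_PERMISSION_DENIED',
      user,
      ...DataRetentionAuditLogger.requestContext(req),
      endpoint,
      result: 'permission_denied',
      error: reason,
    });
  }

  /**
   * Record a request rejected because of its source network.
   * @param {object} req
   * @param {string} endpoint
   */
  async logNetworkDenied(req, endpoint) {
    await this.logAccess({
      type: 'DATA_RETENTION_ACCESS_NETWORK_DENIED',
      ...DataRetentionAuditLogger.requestContext(req),
      endpoint,
      result: 'network_denied',
      error: 'Access from unauthorized network',
    });
  }
}

module.exports = new DataRetentionAuditLogger();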