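package tests

import (
	"testing"

	"codit/internal/models"
)

// createTestUserGroup creates a user group called name through store, adds
// userID to it as a member, and returns the group as the store returned it.
// The group's Description is set to name and it is created enabled
// (Disabled: false). Any store error aborts the calling test via t.Fatalf.
func createTestUserGroup(t *testing.T, store interface {
	CreateUserGroup(models.UserGroup) (models.UserGroup, error)
	AddUserGroupMember(string, string) error
}, name string, userID string) models.UserGroup {
	// Mark this function as a helper so a failure is attributed to the line
	// in the calling test instead of to a line in here.
	t.Helper()

	group, err := store.CreateUserGroup(models.UserGroup{
		Name:        name,
		Description: name,
		Disabled:    false,
	})
	if err != nil {
		t.Fatalf("create user group: %v", err)
	}
	if err := store.AddUserGroupMember(group.ID, userID); err != nil {
		t.Fatalf("add user group member: %v", err)
	}
	return group
}

// TestSSHAccessProfileVisibilityForUserAndGroupTargets checks that an SSH
// access profile with one "user" target and one "group" target is returned by
// ListSSHAccessProfilesForUser both for the directly targeted user and for a
// member of the targeted group.
//
// NOTE(review): only the allow path is asserted. There is no user who is
// neither a direct target nor a member of the targeted group, so a listing
// that returned the profile to everyone would still pass. A deny-path
// assertion (expect zero profiles for an unrelated user) would close that gap;
// confirm the intended semantics of OwnerScope "admin_shared" first.
//
// NOTE(review): the profile is created with a SecretPayload, but nothing here
// checks whether ListSSHAccessProfilesForUser returns that field. If the
// listing is meant to omit stored key material, assert it here.
func TestSSHAccessProfileVisibilityForUserAndGroupTargets(t *testing.T) {
	store := openTestStore(t)
	defer store.Close()

	// alice is targeted directly; bob is reachable only through group
	// membership.
	user := createTestUser(t, store, "ssh-broker-alice")
	other := createTestUser(t, store, "ssh-broker-bob")
	group := createTestUserGroup(t, store, "ssh-broker-ops", other.ID)

	server, err := store.CreateSSHServer(models.SSHServer{
		Name:                 "web-01",
		Host:                 "10.0.0.11",
		Port:                 22,
		Description:          "web",
		Tags:                 []string{"prod", "web"},
		Enabled:              true,
		CreatedByKind:        "user",
		CreatedBySubjectID:   user.ID,
		CreatedBySubjectName: user.Username,
	})
	if err != nil {
		t.Fatalf("create ssh server: %v", err)
	}

	// The secret, public key and fingerprint below are fixture strings, not
	// real key material.
	created, err := store.CreateSSHAccessProfile(models.SSHAccessProfile{
		ServerID:                 server.ID,
		Name:                     "web deploy",
		Description:              "deploy access",
		RemoteUsername:           "deploy",
		AuthMethod:               "stored_private_key",
		OwnerScope:               "admin_shared",
		Enabled:                  true,
		SecretPayload:            "PRIVATE KEY",
		AuthPublicKey:            "ssh-ed25519 AAAA",
		AuthPublicKeyFingerprint: "SHA256:test",
		DefaultValidSeconds:      3600,
		MaxValidSeconds:          3600,
		CreatedByKind:            "user",
		CreatedBySubjectID:       user.ID,
		CreatedBySubjectName:     user.Username,
		Targets: []models.SSHAccessProfileTarget{
			{TargetType: "user", TargetID: user.ID},
			{TargetType: "group", TargetID: group.ID},
		},
	})
	if err != nil {
		t.Fatalf("create ssh access profile: %v", err)
	}

	// Direct "user" target: alice must see exactly the created profile.
	visible, err := store.ListSSHAccessProfilesForUser(user.ID)
	if err != nil {
		t.Fatalf("list visible ssh access profiles for user: %v", err)
	}
	if len(visible) != 1 {
		t.Fatalf("unexpected direct visibility count: got=%d want=1", len(visible))
	}
	if visible[0].ID != created.ID {
		t.Fatalf("unexpected direct visible profile id: got=%s want=%s", visible[0].ID, created.ID)
	}

	// "group" target: bob is not targeted directly and must see the profile
	// through membership of the targeted group.
	visible, err = store.ListSSHAccessProfilesForUser(other.ID)
	if err != nil {
		t.Fatalf("list visible ssh access profiles for group member: %v", err)
	}
	if len(visible) != 1 {
		t.Fatalf("unexpected group visibility count: got=%d want=1", len(visible))
	}
	if visible[0].ID != created.ID {
		t.Fatalf("unexpected group visible profile id: got=%s want=%s", visible[0].ID, created.ID)
	}

	// The listed profile must carry both targets it was created with. This is
	// checked only on the group member's listing.
	if len(visible[0].Targets) != 2 {
		t.Fatalf("unexpected target count: got=%d want=2", len(visible[0].Targets))
	}
}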