// Package markitect_test exercises the translation of policy decision
// envelopes into gateway decisions.
package markitect_test

import (
	"testing"

	"github.com/netkingdom/flex-auth/internal/markitect"
	"github.com/netkingdom/flex-auth/pkg/api"
)

// TestGatewayDecisionAllowContract checks that an allow envelope becomes an
// allow gateway decision and that the reason, matched rule, policy version,
// resource trust_zone attribute and caring descriptor are carried across.
func TestGatewayDecisionAllowContract(t *testing.T) {
	decision := markitect.ToGatewayDecision(baseEnvelope(api.DecisionEffectAllow))

	// Checks are ordered from the most basic (effect) to the most detailed
	// (descriptor) so the first failure reported is the most fundamental one.
	switch {
	case decision.Effect != markitect.GatewayEffectAllow:
		t.Fatalf("Effect = %q; want allow", decision.Effect)
	case decision.Reason != "reader_group" || decision.RuleID != "reader_group":
		t.Fatalf("reason/rule = %q/%q; want reader_group", decision.Reason, decision.RuleID)
	case decision.PolicyVersion != "markitect-gateway-v1":
		t.Fatalf("PolicyVersion = %q", decision.PolicyVersion)
	case decision.ResourceMetadata["trust_zone"] != "internal":
		t.Fatalf("ResourceMetadata = %+v; want trust_zone", decision.ResourceMetadata)
	case decision.CaringDescriptor == nil || decision.CaringDescriptor.CanonicalRole != api.CanonicalRoleDoer:
		t.Fatalf("CaringDescriptor = %+v; want Doer descriptor", decision.CaringDescriptor)
	}
}

// TestGatewayDecisionDenyContract checks that a deny envelope keeps the deny
// effect once translated.
func TestGatewayDecisionDenyContract(t *testing.T) {
	decision := markitect.ToGatewayDecision(baseEnvelope(api.DecisionEffectDeny))
	if decision.Effect != markitect.GatewayEffectDeny {
		t.Fatalf("Effect = %q; want deny", decision.Effect)
	}
}

// TestGatewayDecisionRedactContract checks that a redact envelope keeps the
// redact effect and that its single mask_fields obligation is forwarded, so
// the gateway still learns which fields it has to mask.
func TestGatewayDecisionRedactContract(t *testing.T) {
	env := baseEnvelope(api.DecisionEffectRedact)
	maskEmail := api.Obligation{
		Type:       "mask_fields",
		Parameters: map[string]any{"fields": []string{"email"}},
	}
	// baseEnvelope sets no obligations, so this yields exactly one.
	env.Obligations = append(env.Obligations, maskEmail)

	decision := markitect.ToGatewayDecision(env)
	if decision.Effect != markitect.GatewayEffectRedact {
		t.Fatalf("Effect = %q; want redact", decision.Effect)
	}
	if count := len(decision.Obligations); count != 1 || decision.Obligations[0].Type != "mask_fields" {
		t.Fatalf("Obligations = %+v; want mask_fields", decision.Obligations)
	}
}

// TestGatewayDecisionAuditDeniedContract checks the two inputs that must map
// to the audit_denied effect: a deny envelope carrying the audit_denied
// diagnostic, and an audit_only envelope, which is also reported as
// audit_denied rather than as any other effect.
func TestGatewayDecisionAuditDeniedContract(t *testing.T) {
	flagged := baseEnvelope(api.DecisionEffectDeny)
	flagged.Diagnostics["audit_denied"] = true
	if decision := markitect.ToGatewayDecision(flagged); decision.Effect != markitect.GatewayEffectAuditDenied {
		t.Fatalf("Effect = %q; want audit_denied", decision.Effect)
	}

	auditOnly := markitect.ToGatewayDecision(baseEnvelope(api.DecisionEffectAuditOnly))
	if auditOnly.Effect != markitect.GatewayEffectAuditDenied {
		t.Fatalf("audit_only Effect = %q; want audit_denied", auditOnly.Effect)
	}
}

// baseEnvelope builds the fixture shared by the tests above: a reader_group
// match by user:alice on an internal document, with the requested effect.
// Diagnostics is always a non-nil map so callers can add keys to it.
func baseEnvelope(effect api.DecisionEffect) api.DecisionEnvelope {
	const (
		resourceID    = "document:internal-note"
		ruleName      = "reader_group"
		policyVersion = "markitect-gateway-v1"
	)

	resource := api.ResourceRef{
		ID:     resourceID,
		Type:   "document",
		System: markitect.SystemID,
		Attributes: map[string]any{
			"trust_zone": "internal",
			"labels":     []string{"internal"},
		},
	}

	descriptor := &api.CaringAccessDescriptor{
		ID:                   "descriptor:internal-document-reader",
		Profile:              api.CaringProfileCaring040RC2,
		SubjectType:          api.SubjectTypeHuman,
		OrganizationRelation: api.OrganizationRelationCustomer,
		CanonicalRole:        api.CanonicalRoleDoer,
		Scope: api.CaringScope{
			Level: api.ScopeLevelResource,
			ID:    resourceID,
		},
		Planes:       []api.Plane{api.PlaneData},
		Capabilities: []api.Capability{api.CapabilityView},
	}

	caring := &api.CaringDecisionMetadata{
		Descriptor:    descriptor,
		ExposureModes: []api.ExposureMode{api.ExposureModeMasked},
		ConformanceFindings: []api.CaringConformanceFinding{
			{Code: "MARKITECT-INTERNAL-READER", Severity: "info", Message: "reader group matched"},
		},
	}

	return api.DecisionEnvelope{
		ID:                   "decision:markitect",
		Effect:               effect,
		Reason:               ruleName,
		MatchedRule:          ruleName,
		MatchedPolicyVersion: policyVersion,
		Resource:             resource,
		Subject:              api.SubjectRef{ID: "user:alice"},
		Diagnostics: map[string]any{
			"policy_package": "markitect.gateway.check-fixtures",
		},
		Provenance: api.DecisionProvenance{PolicyVersion: policyVersion},
		Caring:     caring,
	}
}