"""Setup secret resolution tests."""

from __future__ import annotations

import pytest

from sandboxer.models import Profile, SetupSpec
from sandboxer.secrets.resolver import resolve_secret_ref, resolve_setup_secrets


def test_resolve_secret_ref_from_env(monkeypatch: pytest.MonkeyPatch) -> None:
    monkeypatch.setenv("SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN", "tok123")
    assert resolve_secret_ref("build-registry-token") == "tok123"


def test_resolve_setup_secrets_success(monkeypatch: pytest.MonkeyPatch) -> None:
    monkeypatch.setenv("SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN", "tok123")
    profile = Profile.model_validate(
        {
            "id": "profile.build",
            "version": "1.0.0",
            "extension": "ext.vm-packer",
            "setup": SetupSpec(secret_refs=["build-registry-token"]).model_dump(),
        }
    )
    secrets = resolve_setup_secrets(profile)
    assert secrets["build-registry-token"] == "tok123"


def test_resolve_setup_secrets_missing_raises() -> None:
    profile = Profile.model_validate(
        {
            "id": "profile.build",
            "version": "1.0.0",
            "extension": "ext.vm-packer",
            "setup": SetupSpec(secret_refs=["missing-ref"]).model_dump(),
        }
    )
    with pytest.raises(ValueError, match="Unresolved secret_refs"):
        resolve_setup_secrets(profile)


def test_empty_secret_refs() -> None:
    profile = Profile.model_validate(
        {
            "id": "profile.compose-e2e",
            "version": "1.0.0",
            "extension": "ext.compose-ssh",
        }
    )
    assert resolve_setup_secrets(profile) == {}