package security

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/gofiber/fiber/v2"
	"golang.org/x/oauth2"
)

func TestConfig_IsValid(t *testing.T) {
	c := &Config{
		Basic: nil,
		OIDC:  nil,
	}
	if c.IsValid() {
		t.Error("expected empty config to be valid")
	}
}

func TestConfig_ApplySecurityMiddleware(t *testing.T) {
	///////////
	// BASIC //
	///////////
	t.Run("basic", func(t *testing.T) {
		// Bcrypt
		c := &Config{Basic: &BasicConfig{
			Username:                        "john.doe",
			PasswordBcryptHashBase64Encoded: "JDJhJDA4JDFoRnpPY1hnaFl1OC9ISlFsa21VS09wOGlPU1ZOTDlHZG1qeTFvb3dIckRBUnlHUmNIRWlT",
		}}
		app := fiber.New()
		if err := c.ApplySecurityMiddleware(app); err != nil {
			t.Error("expected no error, got", err)
		}
		app.Get("/test", func(c *fiber.Ctx) error {
			return c.SendStatus(200)
		})
		// Try to access the route without basic auth
		request := httptest.NewRequest("GET", "/test", http.NoBody)
		response, err := app.Test(request)
		if err != nil {
			t.Fatal("expected no error, got", err)
		}
		if response.StatusCode != 401 {
			t.Error("expected code to be 401, but was", response.StatusCode)
		}
		// Try again, but with basic auth
		request = httptest.NewRequest("GET", "/test", http.NoBody)
		request.SetBasicAuth("john.doe", "hunter2")
		response, err = app.Test(request)
		if err != nil {
			t.Fatal("expected no error, got", err)
		}
		if response.StatusCode != 200 {
			t.Error("expected code to be 200, but was", response.StatusCode)
		}
	})
	//////////
	// OIDC //
	//////////
	t.Run("oidc", func(t *testing.T) {
		c := &Config{OIDC: &OIDCConfig{
			IssuerURL:       "https://sso.gatus.io/",
			RedirectURL:     "http://localhost:80/authorization-code/callback",
			Scopes:          []string{"openid"},
			AllowedSubjects: []string{"user1@example.com"},
			oauth2Config:    oauth2.Config{},
			verifier:        nil,
		}}
		app := fiber.New()
		if err := c.ApplySecurityMiddleware(app); err != nil {
			t.Error("expected no error, got", err)
		}
		app.Get("/test", func(c *fiber.Ctx) error {
			return c.SendStatus(200)
		})
		// Try without any session cookie
		request := httptest.NewRequest("GET", "/test", http.NoBody)
		response, err := app.Test(request)
		if err != nil {
			t.Fatal("expected no error, got", err)
		}
		if response.StatusCode != 401 {
			t.Error("expected code to be 401, but was", response.StatusCode)
		}
		// Try with a session cookie
		request = httptest.NewRequest("GET", "/test", http.NoBody)
		request.AddCookie(&http.Cookie{Name: "session", Value: "123"})
		response, err = app.Test(request)
		if err != nil {
			t.Fatal("expected no error, got", err)
		}
		if response.StatusCode != 401 {
			t.Error("expected code to be 401, but was", response.StatusCode)
		}
	})
}

func TestConfig_RegisterHandlers(t *testing.T) {
	c := &Config{}
	app := fiber.New()
	c.RegisterHandlers(app)
	// Try to access the OIDC handler. This should fail, because the security config doesn't have OIDC
	request := httptest.NewRequest("GET", "/oidc/login", http.NoBody)
	response, err := app.Test(request)
	if err != nil {
		t.Fatal("expected no error, got", err)
	}
	if response.StatusCode != 404 {
		t.Error("expected code to be 404, but was", response.StatusCode)
	}
	// Set an empty OIDC config. This should fail, because the IssuerURL is required.
	c.OIDC = &OIDCConfig{}
	if err := c.RegisterHandlers(app); err == nil {
		t.Fatal("expected an error, but got none")
	}
	// Set the OIDC config and try again
	c.OIDC = &OIDCConfig{
		IssuerURL:       "https://sso.gatus.io/",
		RedirectURL:     "http://localhost:80/authorization-code/callback",
		Scopes:          []string{"openid"},
		AllowedSubjects: []string{"user1@example.com"},
	}
	if err := c.RegisterHandlers(app); err != nil {
		t.Fatal("expected no error, but got", err)
	}
	request = httptest.NewRequest("GET", "/oidc/login", http.NoBody)
	response, err = app.Test(request)
	if err != nil {
		t.Fatal("expected no error, got", err)
	}
	if response.StatusCode != 302 {
		t.Error("expected code to be 302, but was", response.StatusCode)
	}
}