package webingress

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"testing"
)

func TestParseTrustedKeysJSONAcceptsMapAndArray(t *testing.T) {
	publicKey, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		t.Fatalf("generate key: %v", err)
	}
	keyB64 := base64.StdEncoding.EncodeToString(publicKey)

	resolver, err := ParseTrustedKeysJSON(`{"key-1":"` + keyB64 + `"}`)
	if err != nil {
		t.Fatalf("parse map: %v", err)
	}
	if got, ok, err := resolver.PublicKey(nil, "key-1"); err != nil || !ok || string(got) != string(publicKey) {
		t.Fatalf("map resolver got=%x ok=%t err=%v", got, ok, err)
	}

	resolver, err = ParseTrustedKeysJSON(`[{"key_id":"key-2","public_key":"` + keyB64 + `"}]`)
	if err != nil {
		t.Fatalf("parse array: %v", err)
	}
	if _, ok, err := resolver.PublicKey(nil, "key-2"); err != nil || !ok {
		t.Fatalf("array resolver ok=%t err=%v", ok, err)
	}
}

func TestParseTrustedKeysJSONRejectsInvalidKeys(t *testing.T) {
	_, err := ParseTrustedKeysJSON(`{"":"abc"}`)
	if !errors.Is(err, ErrFabricEnvelopeSignatureInvalid) {
		t.Fatalf("empty key err = %v", err)
	}

	_, err = ParseTrustedKeysJSON(`{"key-1":"abc"}`)
	if !errors.Is(err, ErrFabricEnvelopeSignatureInvalid) {
		t.Fatalf("bad public key err = %v", err)
	}

	_, err = ParseTrustedKeysJSON(`not-json`)
	if !errors.Is(err, ErrFabricEnvelopeSignatureInvalid) {
		t.Fatalf("bad json err = %v", err)
	}
}

func TestTrustedKeysJSONForPublicKey(t *testing.T) {
	publicKey, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		t.Fatalf("generate key: %v", err)
	}
	resolver, err := ParseTrustedKeysJSON(TrustedKeysJSONForPublicKey("key-1", publicKey))
	if err != nil {
		t.Fatalf("parse generated json: %v", err)
	}
	if _, ok, err := resolver.PublicKey(nil, "key-1"); err != nil || !ok {
		t.Fatalf("generated resolver ok=%t err=%v", ok, err)
	}
}