package webingress

import (
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"testing"
)

// TestEd25519EnvelopeSignerSignsCanonicalEnvelope signs a fixed payload with a
// freshly generated key, then checks that the signature verifies under the
// matching public key and that the returned metadata has the expected values.
func TestEd25519EnvelopeSignerSignsCanonicalEnvelope(t *testing.T) {
	const payload = `{"schema_version":"test"}`

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		t.Fatalf("generate key: %v", err)
	}

	// The key is handed over as padded standard base64 with an empty key id;
	// the metadata check below expects the id derived from the public key.
	encodedKey := base64.StdEncoding.EncodeToString(priv)
	signer, err := NewEd25519EnvelopeSigner(encodedKey, "")
	if err != nil {
		t.Fatalf("new signer: %v", err)
	}
	// Pin the clock so SignedAt can be compared against a literal timestamp.
	signer.Now = fixedEnvelopeNow

	sig, err := signer.Sign(context.Background(), []byte(payload))
	if err != nil {
		t.Fatalf("sign: %v", err)
	}

	rawSig, err := base64.StdEncoding.DecodeString(sig.Signature)
	if err != nil {
		t.Fatalf("decode signature: %v", err)
	}

	// Verify against a fresh copy of the payload bytes, independent of the
	// slice that was passed to Sign.
	if verified := ed25519.Verify(pub, []byte(payload), rawSig); !verified {
		t.Fatal("signature did not verify")
	}

	metadataOK := sig.KeyID == ed25519EnvelopeKeyID(pub) &&
		sig.Alg == "ed25519" &&
		sig.SignedAt == "2026-05-17T00:00:01Z"
	if !metadataOK {
		t.Fatalf("signature metadata = %+v", sig)
	}
}

// TestEd25519EnvelopeSignerUsesExplicitKeyID checks that a caller-supplied key
// id is reported in the signature metadata instead of a derived one.
func TestEd25519EnvelopeSignerUsesExplicitKeyID(t *testing.T) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		t.Fatalf("generate key: %v", err)
	}

	// Unpadded base64 this time; together with the padded case in the
	// canonical-envelope test this exercises both encodings of the key.
	encodedKey := base64.RawStdEncoding.EncodeToString(priv)
	signer, err := NewEd25519EnvelopeSigner(encodedKey, "node-explicit")
	if err != nil {
		t.Fatalf("new signer: %v", err)
	}

	sig, err := signer.Sign(context.Background(), []byte(`{}`))
	if err != nil {
		t.Fatalf("sign: %v", err)
	}

	if got := sig.KeyID; got != "node-explicit" {
		t.Fatalf("key id = %q", got)
	}
}

// TestEd25519EnvelopeSignerRejectsInvalidKeyAndPayload checks the three
// rejection paths covered here: an undecodable key string, a signer with no
// private key, and an empty payload. Each must return
// ErrFabricEnvelopeSigningKeyInvalid.
//
// NOTE(review): no case covers a key that is valid base64 but has the wrong
// length; consider adding one once the expected sentinel is confirmed.
func TestEd25519EnvelopeSignerRejectsInvalidKeyAndPayload(t *testing.T) {
	// '-' is outside the standard base64 alphabet, so this cannot decode.
	if _, err := NewEd25519EnvelopeSigner("not-base64", ""); !errors.Is(err, ErrFabricEnvelopeSigningKeyInvalid) {
		t.Fatalf("invalid key error = %v", err)
	}

	// crypto/ed25519.Sign panics on a private key of the wrong length, so a
	// signer without a key has to fail with an error before reaching it.
	unkeyed := Ed25519EnvelopeSigner{}
	if _, err := unkeyed.Sign(context.Background(), []byte(`{}`)); !errors.Is(err, ErrFabricEnvelopeSigningKeyInvalid) {
		t.Fatalf("missing key error = %v", err)
	}

	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		t.Fatalf("generate key: %v", err)
	}

	// NOTE(review): an empty payload is expected to surface the key-invalid
	// sentinel; confirm that sharing the sentinel is intended.
	keyed := Ed25519EnvelopeSigner{PrivateKey: priv}
	if _, err := keyed.Sign(context.Background(), nil); !errors.Is(err, ErrFabricEnvelopeSigningKeyInvalid) {
		t.Fatalf("empty canonical error = %v", err)
	}
}