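package secrets

import (
	"encoding/json"
	"errors"
	"slices"
	"testing"
)

// These tests pin the environment-dependent contract of
// ValidateResourceSecretReadiness for "rdp" resources as exercised here:
//
//   - development: plaintext credentials in metadata are tolerated so
//     smoke/dev setups keep working;
//   - production: inline plaintext credentials are rejected with
//     ErrPlaintextResourceCredentials even when a secret_ref is supplied,
//     and a missing secret_ref is rejected with ErrMissingResourceSecretRef.
//
// PlaintextCredentialMetadataPaths is checked alongside so the rejection
// can be traced back to the offending metadata keys.

// TestValidateResourceSecretReadinessAllowsPlaintextInDevelopment guards the
// development carve-out: top-level username/password in metadata, with no
// secret_ref, must validate cleanly.
func TestValidateResourceSecretReadinessAllowsPlaintextInDevelopment(t *testing.T) {
	metadata := json.RawMessage(`{"username":"m","password":"secret"}`)
	if err := ValidateResourceSecretReadiness("rdp", nil, metadata, "development"); err != nil {
		t.Fatalf("development metadata should remain allowed for smoke/dev: %v", err)
	}
}

// TestValidateResourceSecretReadinessRejectsPlaintextCredentialsInProduction
// checks that a production resource carrying a nested credentials object is
// rejected with ErrPlaintextResourceCredentials even though a secret_ref is
// present, and that the plaintext detector names the offending paths.
func TestValidateResourceSecretReadinessRejectsPlaintextCredentialsInProduction(t *testing.T) {
	// secret_ref is supplied on purpose: the only remaining reason to fail is
	// the inline plaintext, which isolates the sentinel under test.
	metadata := json.RawMessage(`{"rdp_host":"host","credentials":{"username":"m","password":"secret"}}`)
	err := ValidateResourceSecretReadiness("rdp", stringPtr("vault://org/resource"), metadata, "production")
	if !errors.Is(err, ErrPlaintextResourceCredentials) {
		t.Fatalf("expected plaintext credential rejection, got %v", err)
	}

	paths, err := PlaintextCredentialMetadataPaths(metadata)
	if err != nil {
		t.Fatalf("metadata paths: %v", err)
	}
	// Report every missing path instead of stopping at the first, so a
	// regression in the detector shows the full picture in one run.
	for _, expected := range []string{"credentials", "credentials.password", "credentials.username"} {
		if !slices.Contains(paths, expected) {
			t.Errorf("expected sensitive path %q in %v", expected, paths)
		}
	}
}

// TestValidateResourceSecretReadinessRejectsPlaintextWithoutSecretRefInProduction
// covers the case where both production rules are violated at once: plaintext
// credentials and no secret_ref. Only a non-nil error is asserted, because the
// precedence between the two sentinels is not part of the documented contract.
func TestValidateResourceSecretReadinessRejectsPlaintextWithoutSecretRefInProduction(t *testing.T) {
	metadata := json.RawMessage(`{"rdp_host":"host","credentials":{"username":"m","password":"secret"}}`)
	if err := ValidateResourceSecretReadiness("rdp", nil, metadata, "production"); err == nil {
		t.Fatal("production metadata with plaintext credentials and no secret_ref must be rejected")
	}
}

// TestValidateResourceSecretReadinessRequiresSecretRefForProductionRDP checks
// that clean (non-plaintext) production metadata is still rejected with
// ErrMissingResourceSecretRef when no secret_ref is supplied.
func TestValidateResourceSecretReadinessRequiresSecretRefForProductionRDP(t *testing.T) {
	metadata := json.RawMessage(`{"rdp_host":"host","rdp_port":3389}`)
	err := ValidateResourceSecretReadiness("rdp", nil, metadata, "production")
	if !errors.Is(err, ErrMissingResourceSecretRef) {
		t.Fatalf("expected missing secret_ref rejection, got %v", err)
	}
}

// TestValidateResourceSecretReadinessAllowsProductionSecretRef is the
// production happy path: connection details plus a secret_ref, no inline
// credentials, must validate cleanly.
func TestValidateResourceSecretReadinessAllowsProductionSecretRef(t *testing.T) {
	metadata := json.RawMessage(`{"rdp_host":"host","rdp_port":3389,"secret_ref":"vault://org/resource"}`)
	if err := ValidateResourceSecretReadiness("rdp", stringPtr("vault://org/resource"), metadata, "production"); err != nil {
		t.Fatalf("production secret_ref metadata should be accepted: %v", err)
	}
}

// stringPtr returns a pointer to value, for the optional secret_ref argument.
func stringPtr(value string) *string {
	return &value
}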