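package authority

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"strings"
	"testing"
	"time"

	"github.com/example/remote-access-platform/backend/internal/platform/config"
)

// TestVerifierAcceptsSignedActivation checks the happy path: an activation
// payload signed by the configured product root key is accepted in strict
// mode, and the returned activation carries the normalized owner e-mail and
// the admin platform role.
func TestVerifierAcceptsSignedActivation(t *testing.T) {
	// A nil reader makes GenerateKey draw from crypto/rand.Reader, so every
	// run uses a fresh throwaway root key.
	publicKey, privateKey, err := ed25519.GenerateKey(nil)
	if err != nil {
		t.Fatalf("generate key: %v", err)
	}

	verifier, err := NewVerifier(config.InstallationConfig{
		AuthorityMode:              ModeStrict,
		ProductRootPublicKeyBase64: base64.StdEncoding.EncodeToString(publicKey),
	})
	if err != nil {
		t.Fatalf("NewVerifier: %v", err)
	}
	// Pin the clock between issued_at and expires_at so the outcome does not
	// depend on when the test runs.
	verifier.now = func() time.Time {
		return time.Date(2026, 4, 28, 12, 0, 0, 0, time.UTC)
	}

	// Keys are deliberately not in sorted order and the e-mail is mixed case.
	// The signature below covers the canonical form while the verifier gets
	// the raw payload, so the test only passes if VerifyActivation checks the
	// signature against the same canonicalization.
	payload := json.RawMessage(`{
		"platform_role":"platform_admin",
		"owner_email":"Owner@Example.test",
		"install_id":"install-1",
		"schema_version":"rap.installation.activation.v1",
		"issued_at":"2026-04-28T11:00:00Z",
		"expires_at":"2026-04-29T11:00:00Z"
	}`)
	canonical, err := CanonicalJSON(payload)
	if err != nil {
		t.Fatalf("CanonicalJSON: %v", err)
	}
	signature := base64.StdEncoding.EncodeToString(ed25519.Sign(privateKey, canonical))

	activation, err := verifier.VerifyActivation(payload, signature)
	if err != nil {
		t.Fatalf("VerifyActivation: %v", err)
	}
	if activation.OwnerEmail != "owner@example.test" || activation.PlatformRole != PlatformRoleAdmin {
		t.Fatalf("unexpected activation: %+v", activation)
	}
	if verifier.RootFingerprint() == "" {
		t.Fatal("expected root fingerprint")
	}
}

// TestVerifierRejectsTamperedActivation checks that a signature issued for one
// payload does not validate a payload whose platform role was changed after
// signing.
//
// The fixture uses the same field set as the accepted activation in
// TestVerifierAcceptsSignedActivation and is verified once untouched before it
// is modified. Without that baseline, a rejection caused by anything else
// (for example a missing field) would make this test pass without exercising
// tamper detection at all.
func TestVerifierRejectsTamperedActivation(t *testing.T) {
	publicKey, privateKey, err := ed25519.GenerateKey(nil)
	if err != nil {
		t.Fatalf("generate key: %v", err)
	}

	verifier, err := NewVerifier(config.InstallationConfig{
		AuthorityMode:              ModeStrict,
		ProductRootPublicKeyBase64: base64.StdEncoding.EncodeToString(publicKey),
	})
	if err != nil {
		t.Fatalf("NewVerifier: %v", err)
	}
	verifier.now = func() time.Time {
		return time.Date(2026, 4, 28, 12, 0, 0, 0, time.UTC)
	}

	payload := json.RawMessage(`{
		"schema_version":"rap.installation.activation.v1",
		"install_id":"install-1",
		"owner_email":"owner@example.test",
		"platform_role":"platform_admin",
		"issued_at":"2026-04-28T11:00:00Z",
		"expires_at":"2026-04-29T11:00:00Z"
	}`)
	canonical, err := CanonicalJSON(payload)
	if err != nil {
		t.Fatalf("CanonicalJSON: %v", err)
	}
	signature := base64.StdEncoding.EncodeToString(ed25519.Sign(privateKey, canonical))

	// Baseline: the untouched payload must verify, so that the rejection
	// asserted below can only come from the modification.
	if _, err := verifier.VerifyActivation(payload, signature); err != nil {
		t.Fatalf("baseline activation should verify before tampering: %v", err)
	}

	tampered := json.RawMessage(strings.Replace(string(payload), "platform_admin", "platform_recovery_admin", 1))
	// Fail with a clear message if the fixture is edited and the replacement
	// above stops matching anything.
	if string(tampered) == string(payload) {
		t.Fatal("tampering did not change the payload")
	}

	// NOTE(review): this cannot tell a signature mismatch from a rejection of
	// the substituted role value; if VerifyActivation exposes a distinguishable
	// signature error, assert on it here.
	if _, err := verifier.VerifyActivation(tampered, signature); err == nil {
		t.Fatal("expected tampered activation to fail")
	}
}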