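package sessionbroker

import (
	"context"
	"encoding/json"
	"errors"
	"testing"

	"github.com/example/remote-access-platform/backend/internal/platform/config"
	"github.com/example/remote-access-platform/backend/internal/platform/module"
	"github.com/example/remote-access-platform/backend/internal/platform/secrets"
	workercontracts "github.com/example/remote-access-platform/backend/pkg/contracts/worker"
)

// fakeSecretResolver is a test double for the secret resolver used by the
// session broker. It returns a canned response (or error) and records the
// last request so tests can assert what the broker forwarded to the resolver.
type fakeSecretResolver struct {
	response *secrets.ResolvedResourceSecret
	err      error
	request  secrets.ResolveResourceSecretRequest
}

// testAppConfig builds a minimal AppConfig for the given environment name;
// the environment is what the broker uses to decide whether a resolver is
// mandatory.
func testAppConfig(env string) config.AppConfig {
	return config.AppConfig{Name: "rap-api-test", Env: env}
}

// ResolveForSession records req and then returns the configured error, or the
// configured response when no error is set.
func (r *fakeSecretResolver) ResolveForSession(_ context.Context, req secrets.ResolveResourceSecretRequest) (*secrets.ResolvedResourceSecret, error) {
	r.request = req
	if r.err != nil {
		return nil, r.err
	}
	return r.response, nil
}

// mapField returns v[key] as a JSON object, failing the test with a readable
// message instead of panicking on an unchecked type assertion when the
// metadata shape regresses.
func mapField(t *testing.T, v map[string]any, key string) map[string]any {
	t.Helper()
	m, ok := v[key].(map[string]any)
	if !ok {
		t.Fatalf("expected %q to be a JSON object, got %#v", key, v[key])
	}
	return m
}

// TestRuntimeAssignmentMetadataMergesResolvedSecretWithoutMutatingSessionMetadata
// verifies that in production the broker merges the resolved secret payload
// into the metadata handed to the worker, while the stored session metadata
// stays free of any plaintext secret material, and that the resolver is called
// with the lease/worker proof.
func TestRuntimeAssignmentMetadataMergesResolvedSecretWithoutMutatingSessionMetadata(t *testing.T) {
	resolver := &fakeSecretResolver{
		response: &secrets.ResolvedResourceSecret{
			Descriptor: secrets.ResourceSecretDescriptor{Version: 3},
			Payload:    json.RawMessage(`{"username":"user","password":"secret","domain":"corp"}`),
		},
	}
	service := NewService(module.Dependencies{
		Config: module.Config{App: testAppConfig("production")},
	}, nil, nil, nil, nil, resolver)

	sessionMetadata := mustJSON(t, map[string]any{
		"resource": map[string]any{
			"id":              "resource-1",
			"organization_id": "org-1",
			"secret_ref":      "rap-secret://org/org-1/resources/resource-1/primary",
			"metadata": map[string]any{
				"rdp_host": "host",
			},
		},
	})
	session := RemoteSession{
		ID:             "session-1",
		OrganizationID: "org-1",
		ResourceID:     "resource-1",
		WorkerID:       "worker-1",
		Metadata:       sessionMetadata,
	}
	// session is passed by value below, but json.RawMessage is a slice: an
	// in-place write by the service would still be visible through
	// session.Metadata. Snapshot the bytes so any such write is detected.
	before := append([]byte(nil), session.Metadata...)

	metadata, secretRef, version, err := service.runtimeAssignmentMetadata(context.Background(), session, &workercontracts.WorkerLease{LeaseID: "lease-1"})
	if err != nil {
		t.Fatalf("runtimeAssignmentMetadata returned error: %v", err)
	}
	if secretRef == "" || version != 3 {
		t.Fatalf("expected secret ref and version, got ref=%q version=%d", secretRef, version)
	}

	// Every field of the resolved payload must reach the worker-bound metadata,
	// and the static resource metadata must survive the merge.
	resourceMetadata := mapField(t, mapField(t, metadata, "resource"), "metadata")
	for key, want := range map[string]string{"username": "user", "password": "secret", "domain": "corp"} {
		if got := resourceMetadata[key]; got != want {
			t.Fatalf("resolved secret field %q not merged: got %#v, want %q (metadata=%#v)", key, got, want, resourceMetadata)
		}
	}
	if resourceMetadata["rdp_host"] != "host" {
		t.Fatalf("static resource metadata was dropped during merge: %#v", resourceMetadata)
	}

	// The persisted session metadata must be byte-for-byte untouched and, when
	// decoded, must carry none of the secret fields (not only the password).
	if string(before) != string(session.Metadata) {
		t.Fatalf("session metadata bytes were modified in place:\nbefore=%s\nafter=%s", before, session.Metadata)
	}
	var persisted map[string]any
	if err := json.Unmarshal(session.Metadata, &persisted); err != nil {
		t.Fatalf("decode persisted metadata: %v", err)
	}
	persistedMetadata := mapField(t, mapField(t, persisted, "resource"), "metadata")
	for _, key := range []string{"username", "password", "domain"} {
		if _, ok := persistedMetadata[key]; ok {
			t.Fatalf("session metadata was mutated with plaintext secret field %q: %#v", key, persistedMetadata)
		}
	}

	// The resolver must be told which lease and worker are asking, so the
	// secret can be bound to (and audited against) that assignment.
	if resolver.request.LeaseID != "lease-1" || resolver.request.WorkerID != "worker-1" {
		t.Fatalf("resolver request missed lease/worker proof: %#v", resolver.request)
	}
}

// TestRuntimeAssignmentMetadataRequiresResolverInProduction verifies that a
// production broker without a resolver refuses to build assignment metadata
// for a resource that references a secret, returning
// secrets.ErrSecretEncryptionKeyMissing rather than falling back silently.
func TestRuntimeAssignmentMetadataRequiresResolverInProduction(t *testing.T) {
	service := NewService(module.Dependencies{
		Config: module.Config{App: testAppConfig("production")},
	}, nil, nil, nil, nil)
	session := RemoteSession{
		ID:             "session-1",
		OrganizationID: "org-1",
		ResourceID:     "resource-1",
		WorkerID:       "worker-1",
		Metadata: mustJSON(t, map[string]any{
			"resource": map[string]any{
				"secret_ref": "rap-secret://org/org-1/resources/resource-1/primary",
			},
		}),
	}

	_, _, _, err := service.runtimeAssignmentMetadata(context.Background(), session, &workercontracts.WorkerLease{LeaseID: "lease-1"})
	if !errors.Is(err, secrets.ErrSecretEncryptionKeyMissing) {
		t.Fatalf("expected missing resolver error, got %v", err)
	}
}

// TestRuntimeAssignmentMetadataAllowsDevelopmentMetadataWithoutResolver
// verifies the development-only fallback: with no resolver configured, inline
// credentials in the session metadata are passed through unchanged and no
// secret ref is reported (so nothing is audited as a resolver use).
func TestRuntimeAssignmentMetadataAllowsDevelopmentMetadataWithoutResolver(t *testing.T) {
	service := NewService(module.Dependencies{
		Config: module.Config{App: testAppConfig("development")},
	}, nil, nil, nil, nil)
	session := RemoteSession{
		ID:             "session-1",
		OrganizationID: "org-1",
		ResourceID:     "resource-1",
		WorkerID:       "worker-1",
		Metadata: mustJSON(t, map[string]any{
			"resource": map[string]any{
				"secret_ref": "rap-secret://org/org-1/resources/resource-1/primary",
				"metadata": map[string]any{
					"username": "dev-user",
					"password": "dev-password",
				},
			},
		}),
	}

	// A nil lease is deliberate: nothing is resolved on this path, so no
	// lease/worker proof should be required.
	metadata, secretRef, _, err := service.runtimeAssignmentMetadata(context.Background(), session, nil)
	if err != nil {
		t.Fatalf("development metadata should not require resolver: %v", err)
	}
	if secretRef != "" {
		t.Fatalf("development fallback should not audit resolver use, got %q", secretRef)
	}
	resourceMetadata := mapField(t, mapField(t, metadata, "resource"), "metadata")
	if resourceMetadata["password"] != "dev-password" {
		t.Fatalf("development metadata was not preserved: %#v", resourceMetadata)
	}
}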