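package secrets

import (
	"encoding/base64"
	"encoding/json"
	"testing"
)

// testKeyBase64 returns a fixed 32-byte key encoded with standard base64, which
// is the form NewEncryptor takes. The value is a constructed test fixture only.
func testKeyBase64() string {
	return base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef"))
}

// TestEncryptorRoundTrip checks that a payload encrypted under a given AAD
// decrypts back to the identical bytes when the same AAD is supplied.
func TestEncryptorRoundTrip(t *testing.T) {
	encryptor, err := NewEncryptor(testKeyBase64(), "test-key")
	if err != nil {
		t.Fatalf("NewEncryptor returned error: %v", err)
	}

	const payload = `{"username":"user","password":"secret"}`
	aad := ResourceSecretAAD("org-1", "resource-1", "rap-secret://test", "rdp")

	encrypted, err := encryptor.Encrypt([]byte(payload), aad)
	if err != nil {
		t.Fatalf("Encrypt returned error: %v", err)
	}

	plaintext, err := encryptor.Decrypt(encrypted, aad)
	if err != nil {
		t.Fatalf("Decrypt returned error: %v", err)
	}
	if string(plaintext) != payload {
		t.Fatalf("unexpected plaintext: %s", plaintext)
	}
}

// TestEncryptorRejectsWrongAAD checks that the AAD binds a ciphertext to its
// org/resource context: the same ciphertext presented under a different org
// must fail to decrypt instead of yielding the secret.
func TestEncryptorRejectsWrongAAD(t *testing.T) {
	encryptor, err := NewEncryptor(testKeyBase64(), "test-key")
	if err != nil {
		t.Fatalf("NewEncryptor returned error: %v", err)
	}

	rightAAD := ResourceSecretAAD("org-1", "resource-1", "ref", "rdp")
	encrypted, err := encryptor.Encrypt([]byte(`{"password":"secret"}`), rightAAD)
	if err != nil {
		t.Fatalf("Encrypt returned error: %v", err)
	}

	// Only the org differs; every other AAD component is identical.
	wrongAAD := ResourceSecretAAD("org-2", "resource-1", "ref", "rdp")
	if _, err := encryptor.Decrypt(encrypted, wrongAAD); err == nil {
		t.Fatalf("expected decrypt with wrong aad to fail")
	}
}

// TestMergeResourceSecretIntoAssignmentMetadata checks that the decrypted
// secret fields are added under resource.metadata without dropping the
// metadata that was already there.
//
// Type assertions on the merged map use the two-value form so that a shape
// change in the output reports a test failure instead of panicking.
func TestMergeResourceSecretIntoAssignmentMetadata(t *testing.T) {
	metadata := map[string]any{
		"resource": map[string]any{
			"id": "resource-1",
			"metadata": map[string]any{
				"rdp_host": "host",
			},
		},
	}
	secret := json.RawMessage(`{"username":"user","password":"secret","domain":"corp"}`)

	merged, err := MergeResourceSecretIntoAssignmentMetadata(metadata, secret)
	if err != nil {
		t.Fatalf("MergeResourceSecretIntoAssignmentMetadata returned error: %v", err)
	}

	resource, ok := merged.Metadata["resource"].(map[string]any)
	if !ok {
		t.Fatalf("resource entry missing or not a map: %#v", merged.Metadata["resource"])
	}
	resourceMetadata, ok := resource["metadata"].(map[string]any)
	if !ok {
		t.Fatalf("resource metadata missing or not a map: %#v", resource["metadata"])
	}

	if resourceMetadata["rdp_host"] != "host" {
		t.Fatalf("existing metadata was not preserved")
	}
	if resourceMetadata["username"] != "user" || resourceMetadata["password"] != "secret" || resourceMetadata["domain"] != "corp" {
		t.Fatalf("secret payload was not merged: %#v", resourceMetadata)
	}
}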