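package main

import (
	"testing"

	"atlas9.dev/c/core"
	"atlas9.dev/c/core/iam"
)

// addGrant posts g to the /grants/add endpoint of the server at url.
// Failure handling is delegated to mustRPC, which is defined elsewhere in
// this package (presumably it fails the test on an RPC error — confirm).
func addGrant(t *testing.T, url string, g iam.Grant) {
	t.Helper()
	mustRPC[iam.Grant, AddGrantRes](t, url, "/grants/add", g)
}

// TestAddGrant checks that granting an existing role to a principal succeeds
// and that the grant is then visible through /grants/list.
func TestAddGrant(t *testing.T) {
	s := setupTestServer(t)
	userID := core.NewID()
	saveRole(t, s.URL, "app.editor", "Editor", "posts.read")
	addGrant(t, s.URL, iam.Grant{PrincipalID: userID, RoleID: "app.editor"})

	// A successful response alone does not show the grant was stored; read it
	// back so an add handler that silently does nothing fails the test.
	page := mustRPC[ListGrantsReq, ListGrantsRes](t, s.URL, "/grants/list", ListGrantsReq{PrincipalID: userID})
	if len(page.Items) != 1 {
		t.Errorf("expected 1 grant after add, got %d", len(page.Items))
	}
}

// TestAddGrantIdempotent checks that adding the same grant twice succeeds
// both times and leaves exactly one grant for the principal.
func TestAddGrantIdempotent(t *testing.T) {
	s := setupTestServer(t)
	userID := core.NewID()
	saveRole(t, s.URL, "app.editor", "Editor")
	g := iam.Grant{PrincipalID: userID, RoleID: "app.editor"}
	addGrant(t, s.URL, g)
	addGrant(t, s.URL, g)

	// Idempotence covers the stored state as well as the response: a duplicate
	// row would survive a single /grants/remove if removal deletes one row.
	page := mustRPC[ListGrantsReq, ListGrantsRes](t, s.URL, "/grants/list", ListGrantsReq{PrincipalID: userID})
	if len(page.Items) != 1 {
		t.Errorf("expected 1 grant after duplicate add, got %d", len(page.Items))
	}
}

// TestAddGrantInvalidRoleID checks that a grant whose role ID is rejected by
// the server returns an error and is not stored.
func TestAddGrantInvalidRoleID(t *testing.T) {
	s := setupTestServer(t)
	userID := core.NewID()
	// "no_namespace" lacks the "app."-style prefix used by the valid role IDs
	// in this file; presumably that is what makes it invalid — confirm against
	// the role ID validation rules.
	r := rpcCall[iam.Grant, AddGrantRes](t, s.URL, "/grants/add", iam.Grant{
		PrincipalID: userID,
		RoleID:      "no_namespace",
	})
	if r.Error == "" {
		t.Error("expected error for invalid role ID")
	}

	// A rejected request must not leave a grant behind.
	page := mustRPC[ListGrantsReq, ListGrantsRes](t, s.URL, "/grants/list", ListGrantsReq{PrincipalID: userID})
	if len(page.Items) != 0 {
		t.Errorf("expected 0 grants after rejected add, got %d", len(page.Items))
	}
}

// TestRemoveGrant checks that a grant that was added and then removed no
// longer appears in the principal's grant list.
func TestRemoveGrant(t *testing.T) {
	s := setupTestServer(t)
	userID := core.NewID()
	saveRole(t, s.URL, "app.editor", "Editor")
	g := iam.Grant{PrincipalID: userID, RoleID: "app.editor"}
	addGrant(t, s.URL, g)

	// Positive control: without it, a list endpoint that always returns an
	// empty page would make the post-removal check pass vacuously.
	before := mustRPC[ListGrantsReq, ListGrantsRes](t, s.URL, "/grants/list", ListGrantsReq{PrincipalID: userID})
	if len(before.Items) != 1 {
		t.Fatalf("expected 1 grant before remove, got %d", len(before.Items))
	}

	mustRPC[iam.Grant, RemoveGrantRes](t, s.URL, "/grants/remove", g)

	page := mustRPC[ListGrantsReq, ListGrantsRes](t, s.URL, "/grants/list", ListGrantsReq{PrincipalID: userID})
	if len(page.Items) != 0 {
		t.Errorf("expected 0 grants after remove, got %d", len(page.Items))
	}
}

// TestListGrants checks that every grant held by a principal is returned by
// /grants/list.
func TestListGrants(t *testing.T) {
	s := setupTestServer(t)
	userID := core.NewID()
	saveRole(t, s.URL, "app.editor", "Editor")
	saveRole(t, s.URL, "app.viewer", "Viewer")
	addGrant(t, s.URL, iam.Grant{PrincipalID: userID, RoleID: "app.editor"})
	addGrant(t, s.URL, iam.Grant{PrincipalID: userID, RoleID: "app.viewer"})

	page := mustRPC[ListGrantsReq, ListGrantsRes](t, s.URL, "/grants/list", ListGrantsReq{PrincipalID: userID})
	if len(page.Items) != 2 {
		t.Errorf("expected 2 grants, got %d", len(page.Items))
	}
}

// TestListGrantsIsolation checks that listing grants for one principal does
// not return grants that belong to another principal.
func TestListGrantsIsolation(t *testing.T) {
	s := setupTestServer(t)
	user1 := core.NewID()
	user2 := core.NewID()
	saveRole(t, s.URL, "app.editor", "Editor")
	addGrant(t, s.URL, iam.Grant{PrincipalID: user1, RoleID: "app.editor"})

	// Positive control: confirm user1's grant is listed, so that the empty
	// result for user2 demonstrates filtering by principal rather than a list
	// endpoint that returns nothing for anyone.
	own := mustRPC[ListGrantsReq, ListGrantsRes](t, s.URL, "/grants/list", ListGrantsReq{PrincipalID: user1})
	if len(own.Items) != 1 {
		t.Fatalf("expected 1 grant for user1, got %d", len(own.Items))
	}

	page := mustRPC[ListGrantsReq, ListGrantsRes](t, s.URL, "/grants/list", ListGrantsReq{PrincipalID: user2})
	if len(page.Items) != 0 {
		t.Errorf("expected 0 grants for user2, got %d", len(page.Items))
	}
}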