using ZB.MOM.WW.ScadaBridge.ManagementService;

namespace ZB.MOM.WW.ScadaBridge.ManagementService.Tests;

/// <summary>
/// Tests for <see cref="DebugStreamHub"/> per-instance site-scope authorization
/// (finding ManagementService-003).
/// </summary>
public class DebugStreamHubTests
{
    [Fact]
    public void IsInstanceAccessAllowed_SiteScopedUser_InScopeInstance_Allowed()
    {
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "Deployer" },
            permittedSiteIds: new[] { "1", "2" },
            instanceSiteId: 2);

        Assert.True(allowed);
    }

    [Fact]
    public void IsInstanceAccessAllowed_SiteScopedUser_OutOfScopeInstance_Denied()
    {
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "Deployer" },
            permittedSiteIds: new[] { "1", "2" },
            instanceSiteId: 99);

        Assert.False(allowed);
    }

    [Fact]
    public void IsInstanceAccessAllowed_SystemWideDeployment_AnySiteAllowed()
    {
        // Empty permitted set == system-wide Deployer.
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "Deployer" },
            permittedSiteIds: Array.Empty<string>(),
            instanceSiteId: 99);

        Assert.True(allowed);
    }

    [Fact]
    public void IsInstanceAccessAllowed_AdminRole_BypassesSiteScope()
    {
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "Administrator", "Deployer" },
            permittedSiteIds: new[] { "1" },
            instanceSiteId: 99);

        Assert.True(allowed);
    }

    [Fact]
    public void IsInstanceAccessAllowed_AdminRoleCheck_IsCaseInsensitive()
    {
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "administrator" },
            permittedSiteIds: new[] { "1" },
            instanceSiteId: 99);

        Assert.True(allowed);
    }
}