using ZB.MOM.WW.Auth.Abstractions.Roles;
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Security;
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
using ZB.MOM.WW.ScadaBridge.Security;

namespace ZB.MOM.WW.ScadaBridge.Security.Tests;

#region Task 1.1: ScadaBridgeGroupRoleMapper (IGroupRoleMapper<string> seam)

public class ScadaBridgeGroupRoleMapperTests
{
    // A minimal in-memory ISecurityRepository so the seam test needs no database.
    // Only the two reads RoleMapper.MapGroupsToRolesAsync uses are implemented;
    // the rest throw to make any accidental dependency on them obvious.
    private sealed class FakeSecurityRepository : ISecurityRepository
    {
        private readonly IReadOnlyList<LdapGroupMapping> _mappings;
        private readonly IReadOnlyDictionary<int, IReadOnlyList<SiteScopeRule>> _scopeRules;

        public FakeSecurityRepository(
            IReadOnlyList<LdapGroupMapping> mappings,
            IReadOnlyDictionary<int, IReadOnlyList<SiteScopeRule>> scopeRules)
        {
            _mappings = mappings;
            _scopeRules = scopeRules;
        }

        public Task<IReadOnlyList<LdapGroupMapping>> GetAllMappingsAsync(CancellationToken cancellationToken = default)
            => Task.FromResult(_mappings);

        public Task<IReadOnlyList<SiteScopeRule>> GetScopeRulesForMappingAsync(int ldapGroupMappingId, CancellationToken cancellationToken = default)
            => Task.FromResult(_scopeRules.TryGetValue(ldapGroupMappingId, out var rules)
                ? rules
                : (IReadOnlyList<SiteScopeRule>)Array.Empty<SiteScopeRule>());

        public Task<LdapGroupMapping?> GetMappingByIdAsync(int id, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task<IReadOnlyList<LdapGroupMapping>> GetMappingsByRoleAsync(string role, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task AddMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task UpdateMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task DeleteMappingAsync(int id, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task<SiteScopeRule?> GetScopeRuleByIdAsync(int id, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task AddScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task UpdateScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task DeleteScopeRuleAsync(int id, CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
        public Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
            => throw new NotSupportedException();
    }

    private static LdapGroupMapping Mapping(int id, string group, string role)
    {
        var m = new LdapGroupMapping(group, role);
        m.Id = id;
        return m;
    }

    [Fact]
    public async Task MapAsync_ReturnsSameRolesAsRoleMapper_AndCarriesResultInScope_SiteScoped()
    {
        // Two matched mappings: an Admin group and a site-scoped Deployment group.
        var mappings = new List<LdapGroupMapping>
        {
            Mapping(1, "SCADA-Admins", Roles.Admin),
            Mapping(2, "SiteDeployers", Roles.Deployment),
        };
        var scopeRules = new Dictionary<int, IReadOnlyList<SiteScopeRule>>
        {
            [2] = new[]
            {
                new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 11 },
                new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 22 },
            },
        };
        var repo = new FakeSecurityRepository(mappings, scopeRules);
        var roleMapper = new RoleMapper(repo);
        var sut = new ScadaBridgeGroupRoleMapper(roleMapper);

        var groups = new[] { "SCADA-Admins", "SiteDeployers" };

        // The wrapped RoleMapper result is the oracle the seam must preserve.
        var expected = await roleMapper.MapGroupsToRolesAsync(groups, CancellationToken.None);
        var mapping = await sut.MapAsync(groups, CancellationToken.None);

        // Roles: same set as RoleMapper.
        Assert.Equal(expected.Roles.OrderBy(r => r), mapping.Roles.OrderBy(r => r));
        Assert.Contains(Roles.Admin, mapping.Roles);
        Assert.Contains(Roles.Deployment, mapping.Roles);

        // Scope: carries the full RoleMappingResult (no site-scope info lost).
        var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
        Assert.False(scope.IsSystemWideDeployment);
        Assert.Contains("11", scope.PermittedSiteIds);
        Assert.Contains("22", scope.PermittedSiteIds);
        Assert.Equal(expected.PermittedSiteIds.OrderBy(s => s), scope.PermittedSiteIds.OrderBy(s => s));
        Assert.Equal(expected.IsSystemWideDeployment, scope.IsSystemWideDeployment);
    }

    [Fact]
    public async Task MapAsync_PreservesSystemWideDeploymentFlagInScope()
    {
        // Unscoped Deployment mapping -> system-wide, empty PermittedSiteIds.
        var mappings = new List<LdapGroupMapping>
        {
            Mapping(1, "GlobalDeployers", Roles.Deployment),
        };
        var repo = new FakeSecurityRepository(mappings, new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
        var roleMapper = new RoleMapper(repo);
        var sut = new ScadaBridgeGroupRoleMapper(roleMapper);

        var mapping = await sut.MapAsync(new[] { "GlobalDeployers" }, CancellationToken.None);

        Assert.Contains(Roles.Deployment, mapping.Roles);
        var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
        Assert.True(scope.IsSystemWideDeployment);
        Assert.Empty(scope.PermittedSiteIds);
    }
}

#endregion