using Opc.Ua;
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;

namespace ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests;

/// <summary>
///     Task 11 — the inbound operator-write authz gate + fire-and-forget dispatch. The OnWriteValue handler
///     on a writable equipment-tag node extracts the caller's <see cref="RoleCarryingUserIdentity"/>, gates
///     on the <see cref="OpcUaDataPlaneRoles.WriteOperate"/> role (deny otherwise), and on pass kicks off the
///     fire-and-forget route through the <see cref="OtOpcUaNodeManager.NodeWriteRouter"/> and returns
///     <c>Good</c> (optimistic write). The pure decision is extracted into
///     <see cref="OtOpcUaNodeManager.EvaluateEquipmentWrite"/> so the gate + dispatch are unit-testable
///     without booting an SDK server: the handler just supplies the extracted identity and a thunk that
///     starts the router (or null when no router is wired).
/// </summary>
public sealed class EquipmentWriteGateTests
{
    /// <summary>(a) A null identity (anonymous / no role-carrying identity on the context) is denied with
    /// <c>BadUserAccessDenied</c> and the route thunk is NEVER invoked — the gate fails closed.</summary>
    [Fact]
    public void Null_identity_is_denied_and_does_not_route()
    {
        var routed = false;
        var result = OtOpcUaNodeManager.EvaluateEquipmentWrite(
            identity: null,
            route: () => routed = true);

        result.StatusCode.Code.ShouldBe(StatusCodes.BadUserAccessDenied);
        routed.ShouldBeFalse();
    }

    /// <summary>(b) An identity WITHOUT the <c>WriteOperate</c> role is denied with
    /// <c>BadUserAccessDenied</c> and the route thunk is NEVER invoked.</summary>
    [Fact]
    public void Identity_without_WriteOperate_is_denied_and_does_not_route()
    {
        var routed = false;
        var identity = IdentityWith("ReadOnly", OpcUaDataPlaneRoles.AlarmAck); // no WriteOperate
        var result = OtOpcUaNodeManager.EvaluateEquipmentWrite(
            identity,
            route: () => routed = true);

        result.StatusCode.Code.ShouldBe(StatusCodes.BadUserAccessDenied);
        routed.ShouldBeFalse();
    }

    /// <summary>(c) An identity WITH the <c>WriteOperate</c> role and a non-null route invokes the route
    /// thunk (fire-and-forget) and returns <c>ServiceResult.Good</c> so the SDK applies the value
    /// optimistically. The role match is case-insensitive (the role set + gate both use
    /// <c>OrdinalIgnoreCase</c>).</summary>
    [Fact]
    public void Identity_with_WriteOperate_routes_and_returns_good()
    {
        var routed = false;
        var identity = IdentityWith("readonly", "writeoperate"); // lower-cased: case-insensitive match
        var result = OtOpcUaNodeManager.EvaluateEquipmentWrite(
            identity,
            route: () => routed = true);

        routed.ShouldBeTrue();
        result.ShouldBe(ServiceResult.Good);
    }

    /// <summary>(d) An identity WITH the <c>WriteOperate</c> role but a null route (no router wired — e.g.
    /// admin-only nodes) maps to <c>BadNotWritable</c> ("writes unavailable") — the gate passes but there is
    /// nowhere to route the write.</summary>
    [Fact]
    public void Identity_with_WriteOperate_and_null_route_maps_to_bad_not_writable()
    {
        var identity = IdentityWith(OpcUaDataPlaneRoles.WriteOperate);
        var result = OtOpcUaNodeManager.EvaluateEquipmentWrite(
            identity,
            route: null);

        result.StatusCode.Code.ShouldBe(StatusCodes.BadNotWritable);
        result.LocalizedText.Text.ShouldContain("writes unavailable");
    }

    private static RoleCarryingUserIdentity IdentityWith(params string[] roles) =>
        new(new UserNameIdentityToken { UserName = "op" }, roles);
}