using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
using ZB.MOM.WW.OtOpcUa.Server.Security;

namespace ZB.MOM.WW.OtOpcUa.Server.Tests;

/// <summary>
/// Unit tests for the server's user-authentication building blocks and its security defaults:
/// the deny-all authenticator, the guard checks the LDAP authenticator applies before any bind,
/// the LDAP filter/DN helper functions, and the out-of-the-box <see cref="OpcUaServerOptions"/>.
/// </summary>
[Trait("Category", "Unit")]
public sealed class SecurityConfigurationTests
{
    /// <summary>Builds an LDAP authenticator for the given options with a no-op logger.</summary>
    private static LdapUserAuthenticator CreateLdapAuthenticator(LdapOptions options)
        => new(options, Microsoft.Extensions.Logging.Abstractions.NullLogger.Instance);

    [Fact]
    public async Task DenyAllAuthenticator_rejects_every_credential()
    {
        var sut = new DenyAllUserAuthenticator();

        var result = await sut.AuthenticateAsync("admin", "admin", CancellationToken.None);

        // Even a plausible credential pair is refused, and the error text tells the
        // caller that password login is not offered at all.
        result.Success.ShouldBeFalse();
        result.Error.ShouldContain("not supported");
    }

    [Fact]
    public async Task LdapAuthenticator_rejects_blank_credentials_without_hitting_server()
    {
        // Only the two flags are set, so no directory endpoint is configured at all; the
        // expectation is a credentials error, not a connection error.
        // NOTE(review): the test cannot observe whether a connection was attempted — that is
        // inferred from the error text alone.
        var sut = CreateLdapAuthenticator(new LdapOptions { Enabled = true, AllowInsecureLdap = true });

        var result = await sut.AuthenticateAsync("", "", CancellationToken.None);

        result.Success.ShouldBeFalse();
        result.Error.ShouldContain("Credentials");
    }

    [Fact]
    public async Task LdapAuthenticator_rejects_when_disabled()
    {
        var sut = CreateLdapAuthenticator(new LdapOptions { Enabled = false });

        var result = await sut.AuthenticateAsync("alice", "pw", CancellationToken.None);

        // A disabled authenticator never succeeds, regardless of the credentials supplied.
        result.Success.ShouldBeFalse();
        result.Error.ShouldContain("disabled");
    }

    [Fact]
    public async Task LdapAuthenticator_rejects_plaintext_when_both_TLS_and_insecure_are_disabled()
    {
        // With TLS off and the insecure opt-in also off there is no permitted transport, so the
        // authenticator must fail closed rather than fall back to a cleartext bind.
        var sut = CreateLdapAuthenticator(new LdapOptions
        {
            Enabled = true,
            UseTls = false,
            AllowInsecureLdap = false,
        });

        var result = await sut.AuthenticateAsync("alice", "pw", CancellationToken.None);

        result.Success.ShouldBeFalse();
        result.Error.ShouldContain("Insecure");
    }

    [Theory]
    [InlineData("hello", "hello")]
    [InlineData("hi(there)", "hi\\28there\\29")]
    [InlineData("name*", "name\\2a")]
    [InlineData("a\\b", "a\\5cb")]
    public void LdapFilter_escapes_reserved_characters(string input, string expected)
    {
        // Filter metacharacters become "\XX" hex escapes (RFC 4515 style), so caller-supplied
        // text cannot change the structure of a search filter it is embedded in.
        var escaped = LdapUserAuthenticator.EscapeLdapFilter(input);

        escaped.ShouldBe(expected);
    }

    [Theory]
    [InlineData("cn=alice,ou=Engineering,dc=example,dc=com", "Engineering")]
    [InlineData("cn=bob,dc=example,dc=com", null)]
    [InlineData("cn=carol,ou=Ops,dc=example,dc=com", "Ops")]
    public void ExtractOuSegment_pulls_primary_group_from_DN(string dn, string? expected)
    {
        // A DN with no "ou=" RDN yields null rather than an invented group.
        var segment = LdapUserAuthenticator.ExtractOuSegment(dn);

        segment.ShouldBe(expected);
    }

    [Theory]
    [InlineData("cn=Operators,ou=Groups,dc=example", "Operators")]
    [InlineData("cn=LoneValue", "LoneValue")]
    [InlineData("plain-no-equals", "plain-no-equals")]
    public void ExtractFirstRdnValue_returns_first_rdn(string dn, string expected)
    {
        // Input without an "=" is passed through unchanged.
        var value = LdapUserAuthenticator.ExtractFirstRdnValue(dn);

        value.ShouldBe(expected);
    }

    [Fact]
    public void OpcUaServerOptions_default_is_anonymous_only()
    {
        // Out of the box no security profile is selected and LDAP login is off; anything
        // stronger must be opted into explicitly.
        var options = new OpcUaServerOptions();

        options.SecurityProfile.ShouldBe(OpcUaSecurityProfile.None);
        options.Ldap.Enabled.ShouldBeFalse();
    }
}