using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Server.Security;

namespace ZB.MOM.WW.OtOpcUa.Server.Tests;

/// <summary>
/// Regression tests for Server-009: a freshly constructed <see cref="LdapOptions"/>
/// must ship in a secure posture. Cleartext LDAP binds are a dev-only escape hatch
/// and must never be reachable without an explicit, deliberate opt-in.
/// </summary>
[Trait("Category", "Unit")]
public sealed class LdapOptionsTests
{
    // The escape hatch stays closed until an operator opens it on purpose.
    [Fact]
    public void AllowInsecureLdap_DefaultsToFalse()
    {
        var sut = new LdapOptions();

        sut.AllowInsecureLdap.ShouldBeFalse();
    }

    // UseTls=false as a default is tolerable only because AllowInsecureLdap is
    // false as well: both flags have to be set before a cleartext bind is
    // possible, so neither default alone can leak credentials. This test pins
    // the two gating defaults; it does not itself prove that the bind path
    // refuses a cleartext bind when AllowInsecureLdap is false — NOTE(review):
    // confirm that behaviour is covered by the bind-path tests.
    [Fact]
    public void UseTls_DefaultsToFalse_SoInsecureBindRequiresExplicitOptIn()
    {
        var sut = new LdapOptions();

        sut.UseTls.ShouldBeFalse();
        sut.AllowInsecureLdap.ShouldBeFalse();
    }
}