using System.Security.Claims;
using Microsoft.Extensions.Options;
using MxGateway.Server.Configuration;
using MxGateway.Server.Dashboard;

namespace MxGateway.Tests.Gateway.Dashboard;

/// <summary>
/// Pins the access decision made by <see cref="DashboardApiKeyAuthorization.CanManage"/>:
/// only an authenticated principal carrying the configured LDAP group may manage API keys.
/// </summary>
/// <remarks>
/// NOTE(review): the cases below cover one short-name match, one DN match, an anonymous
/// principal and one unrelated group. They do not pin how the group value is compared
/// (case sensitivity, a group name that merely contains the required name, or a DN where
/// the required name appears in a non-leading component), nor an authenticated principal
/// with no group claim at all. Confirm the intended matching rules against the
/// implementation and add negative cases for them, since this check gates key management.
/// </remarks>
public sealed class DashboardApiKeyAuthorizationTests
{
    // Group name configured as LdapOptions.RequiredGroup for every test in this class.
    private const string RequiredGroup = "GwAdmin";

    /// <summary>A group claim holding exactly the short required group name grants access.</summary>
    [Fact]
    public void CanManage_AuthenticatedUserWithShortRequiredGroupClaim_ReturnsTrue()
    {
        var sut = BuildAuthorization();
        var principal = BuildPrincipal("GwAdmin");

        bool allowed = sut.CanManage(principal);

        Assert.True(allowed);
    }

    /// <summary>
    /// A group claim holding a full distinguished name whose first component names the
    /// required group grants access.
    /// </summary>
    [Fact]
    public void CanManage_AuthenticatedUserWithRequiredGroupDnClaim_ReturnsTrue()
    {
        var sut = BuildAuthorization();
        var principal = BuildPrincipal("ou=GwAdmin,ou=groups,dc=lmxopcua,dc=local");

        bool allowed = sut.CanManage(principal);

        Assert.True(allowed);
    }

    /// <summary>A principal whose identity has no authentication type is refused.</summary>
    [Fact]
    public void CanManage_AnonymousUser_ReturnsFalse()
    {
        var sut = BuildAuthorization();

        // A ClaimsIdentity created without an authentication type reports IsAuthenticated == false.
        var principal = new ClaimsPrincipal(new ClaimsIdentity());

        bool allowed = sut.CanManage(principal);

        Assert.False(allowed);
    }

    /// <summary>An authenticated principal whose only group is not the required one is refused.</summary>
    [Fact]
    public void CanManage_AuthenticatedUserWithoutRequiredGroup_ReturnsFalse()
    {
        var sut = BuildAuthorization();
        var principal = BuildPrincipal("ReadOnly");

        bool allowed = sut.CanManage(principal);

        Assert.False(allowed);
    }

    /// <summary>Builds the authorization under test with only the required LDAP group configured.</summary>
    private static DashboardApiKeyAuthorization BuildAuthorization()
    {
        var ldap = new LdapOptions { RequiredGroup = RequiredGroup };
        var gateway = new GatewayOptions { Ldap = ldap };

        return new DashboardApiKeyAuthorization(Options.Create(gateway));
    }

    /// <summary>
    /// Builds an authenticated principal carrying a single LDAP group claim.
    /// </summary>
    /// <param name="group">Value stored in the LDAP group claim (short name or DN).</param>
    private static ClaimsPrincipal BuildPrincipal(string group)
    {
        Claim[] claims = [new Claim(DashboardAuthenticationDefaults.LdapGroupClaimType, group)];

        // Passing the dashboard authentication scheme as the authentication type is what
        // makes the resulting identity count as authenticated.
        var identity = new ClaimsIdentity(claims, DashboardAuthenticationDefaults.AuthenticationScheme);

        return new ClaimsPrincipal(identity);
    }
}