"""Tests for the Python CLI."""

import json

import click
import pytest
from click.testing import CliRunner

from mxgateway import __version__
from mxgateway_cli.commands import _use_plaintext, main


def test_version_json_is_deterministic() -> None:
    runner = CliRunner()

    result = runner.invoke(main, ["version", "--json"])

    assert result.exit_code == 0
    assert json.loads(result.output) == {
        "client": "mxgw-py",
        "package": "mxaccess-gateway-client",
        "version": __version__,
    }


def test_write_parser_rejects_unknown_value_type() -> None:
    runner = CliRunner()

    result = runner.invoke(
        main,
        [
            "write",
            "--session-id",
            "session-1",
            "--server-handle",
            "12",
            "--item-handle",
            "34",
            "--type",
            "unsupported",
            "--value",
            "123",
            "--api-key",
            "mxgw_test_secret",
            "--json",
        ],
    )

    assert result.exit_code != 0
    assert "unsupported value type" in result.output


def test_cli_error_output_redacts_api_key() -> None:
    runner = CliRunner()

    result = runner.invoke(
        main,
        [
            "open-session",
            "--endpoint",
            "127.0.0.1:1",
            "--api-key",
            "mxgw_test_secret",
            "--plaintext",
            "--json",
        ],
    )

    assert result.exit_code != 0
    assert "mxgw_test_secret" not in result.output


# Regression tests for Client.Python-013: ``_use_plaintext`` must not silently
# downgrade ``localhost:`` / ``127.0.0.1:`` endpoints to plaintext. TLS is the
# default; users must pass ``--plaintext`` to opt in.


def test_use_plaintext_requires_explicit_flag_for_localhost_endpoint() -> None:
    """A ``localhost:`` endpoint with no flags must resolve to TLS."""

    assert (
        _use_plaintext(
            {"endpoint": "localhost:5000", "plaintext": False, "use_tls": False}
        )
        is False
    )


def test_use_plaintext_requires_explicit_flag_for_loopback_ip_endpoint() -> None:
    """A ``127.0.0.1:`` endpoint with no flags must resolve to TLS."""

    assert (
        _use_plaintext(
            {"endpoint": "127.0.0.1:5000", "plaintext": False, "use_tls": False}
        )
        is False
    )


def test_use_plaintext_explicit_plaintext_flag_opts_in() -> None:
    """``--plaintext`` must select plaintext regardless of endpoint host."""

    assert (
        _use_plaintext(
            {"endpoint": "localhost:5000", "plaintext": True, "use_tls": False}
        )
        is True
    )
    assert (
        _use_plaintext(
            {
                "endpoint": "mxgateway.example.local:5001",
                "plaintext": True,
                "use_tls": False,
            }
        )
        is True
    )


def test_use_plaintext_explicit_tls_flag_is_accepted_and_idempotent() -> None:
    """``--tls`` is accepted as a redundant affirmation of the default."""

    assert (
        _use_plaintext(
            {
                "endpoint": "mxgateway.example.local:5001",
                "plaintext": False,
                "use_tls": True,
            }
        )
        is False
    )
    # Even for a localhost endpoint, ``--tls`` (the default) must yield TLS.
    assert (
        _use_plaintext(
            {"endpoint": "localhost:5000", "plaintext": False, "use_tls": True}
        )
        is False
    )


def test_use_plaintext_rejects_conflicting_flags() -> None:
    """``--plaintext`` combined with ``--tls`` is a usage error."""

    with pytest.raises(click.UsageError):
        _use_plaintext(
            {"endpoint": "localhost:5000", "plaintext": True, "use_tls": True}
        )


def test_cli_localhost_endpoint_defaults_to_tls_via_open_session(
    monkeypatch: pytest.MonkeyPatch,
) -> None:
    """End-to-end: ``open-session`` against ``localhost:`` with no flags
    must build a TLS ``ClientOptions`` (plaintext=False)."""

    captured: dict[str, object] = {}

    async def _fake_connect(options):  # type: ignore[no-untyped-def]
        captured["plaintext"] = options.plaintext
        raise RuntimeError("stop-before-network")

    monkeypatch.setattr(
        "mxgateway_cli.commands.GatewayClient.connect", _fake_connect
    )

    runner = CliRunner()
    result = runner.invoke(
        main,
        [
            "open-session",
            "--endpoint",
            "localhost:5000",
            "--api-key",
            "mxgw_test_secret",
            "--json",
        ],
    )

    assert result.exit_code != 0  # connect was stubbed to raise
    assert captured.get("plaintext") is False, (
        "localhost endpoint must default to TLS without an explicit --plaintext "
        "flag (Client.Python-013 regression)."
    )


def test_cli_localhost_endpoint_with_plaintext_flag_uses_plaintext(
    monkeypatch: pytest.MonkeyPatch,
) -> None:
    """End-to-end: ``--plaintext`` opts in to plaintext as expected."""

    captured: dict[str, object] = {}

    async def _fake_connect(options):  # type: ignore[no-untyped-def]
        captured["plaintext"] = options.plaintext
        raise RuntimeError("stop-before-network")

    monkeypatch.setattr(
        "mxgateway_cli.commands.GatewayClient.connect", _fake_connect
    )

    runner = CliRunner()
    result = runner.invoke(
        main,
        [
            "open-session",
            "--endpoint",
            "localhost:5000",
            "--api-key",
            "mxgw_test_secret",
            "--plaintext",
            "--json",
        ],
    )

    assert result.exit_code != 0
    assert captured.get("plaintext") is True