using System.Security.Claims;
using ZB.MOM.WW.MxGateway.Server.Dashboard;
namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;
/// <summary>
/// Unit tests for <see cref="DashboardApiKeyAuthorization.CanManage"/>, covering an
/// authenticated admin, an authenticated viewer and an anonymous principal.
/// </summary>
/// <remarks>
/// NOTE(review): the anonymous case uses an identity that has neither an authentication
/// type nor a role claim, so it passes whether CanManage checks authentication, the role,
/// or both. A case with an unauthenticated identity that still carries the admin role
/// claim would pin down that the role alone is not sufficient - confirm the intended
/// behaviour against the implementation before adding it.
/// </remarks>
public sealed class DashboardApiKeyAuthorizationTests
{
    /// <summary>
    /// An authenticated principal holding the admin role is allowed to manage API keys.
    /// </summary>
    [Fact]
    public void CanManage_AuthenticatedAdmin_ReturnsTrue()
    {
        // Arrange
        var sut = new DashboardApiKeyAuthorization();
        var principal = CreatePrincipal(DashboardRoles.Admin);

        // Act
        var canManage = sut.CanManage(principal);

        // Assert
        Assert.True(canManage);
    }

    /// <summary>
    /// A principal built from an empty identity (no authentication type, no claims)
    /// is not allowed to manage API keys.
    /// </summary>
    [Fact]
    public void CanManage_AnonymousUser_ReturnsFalse()
    {
        // Arrange
        var sut = new DashboardApiKeyAuthorization();
        var anonymousIdentity = new ClaimsIdentity();
        var principal = new ClaimsPrincipal(anonymousIdentity);

        // Act
        var canManage = sut.CanManage(principal);

        // Assert
        Assert.False(canManage);
    }

    /// <summary>
    /// An authenticated principal holding only the viewer role is not allowed to
    /// manage API keys.
    /// </summary>
    [Fact]
    public void CanManage_AuthenticatedViewer_ReturnsFalse()
    {
        // Arrange
        var sut = new DashboardApiKeyAuthorization();
        var principal = CreatePrincipal(DashboardRoles.Viewer);

        // Act
        var canManage = sut.CanManage(principal);

        // Assert
        Assert.False(canManage);
    }

    /// <summary>
    /// Builds a principal whose single identity uses the dashboard authentication scheme
    /// as its authentication type and carries exactly one role claim.
    /// </summary>
    /// <param name="role">Value of the <see cref="ClaimTypes.Role"/> claim to attach.</param>
    /// <returns>A principal wrapping the constructed identity.</returns>
    private static ClaimsPrincipal CreatePrincipal(string role)
    {
        var roleClaim = new Claim(ClaimTypes.Role, role);

        // Name and role claim types are passed explicitly so role lookups on the
        // identity resolve against ClaimTypes.Role.
        var identity = new ClaimsIdentity(
            claims: new[] { roleClaim },
            authenticationType: DashboardAuthenticationDefaults.AuthenticationScheme,
            nameType: ClaimTypes.Name,
            roleType: ClaimTypes.Role);

        return new ClaimsPrincipal(identity);
    }
}