using NATS.Server.Tls;

namespace NATS.Server.Transport.Tests;

public class OcspStaplingTests
{
    [Fact]
    public void OcspMode_Must_is_strictest()
    {
        var config = new OcspConfig { Mode = OcspMode.Must };
        config.Mode.ShouldBe(OcspMode.Must);
    }

    [Fact]
    public void OcspMode_Never_disables_all()
    {
        var config = new OcspConfig { Mode = OcspMode.Never };
        config.Mode.ShouldBe(OcspMode.Never);
    }

    [Fact]
    public void OcspPeerVerify_default_is_false()
    {
        var options = new NatsOptions();
        options.OcspPeerVerify.ShouldBeFalse();
    }

    [Fact]
    public void OcspConfig_default_mode_is_Auto()
    {
        var config = new OcspConfig();
        config.Mode.ShouldBe(OcspMode.Auto);
    }

    [Fact]
    public void OcspConfig_default_OverrideUrls_is_empty()
    {
        var config = new OcspConfig();
        config.OverrideUrls.ShouldBeEmpty();
    }

    [Fact]
    public void BuildCertificateContext_returns_null_when_no_tls()
    {
        var options = new NatsOptions
        {
            OcspConfig = new OcspConfig { Mode = OcspMode.Always },
        };
        // HasTls is false because TlsCert and TlsKey are not set
        options.HasTls.ShouldBeFalse();
        var context = TlsHelper.BuildCertificateContext(options);
        context.ShouldBeNull();
    }

    [Fact]
    public void BuildCertificateContext_returns_null_when_mode_is_Never()
    {
        var options = new NatsOptions
        {
            TlsCert = "server.pem",
            TlsKey = "server-key.pem",
            OcspConfig = new OcspConfig { Mode = OcspMode.Never },
        };
        // OcspMode.Never must short-circuit even when TLS cert paths are set
        var context = TlsHelper.BuildCertificateContext(options);
        context.ShouldBeNull();
    }

    [Fact]
    public void BuildCertificateContext_returns_null_when_OcspConfig_is_null()
    {
        var options = new NatsOptions
        {
            TlsCert = "server.pem",
            TlsKey = "server-key.pem",
            OcspConfig = null,
        };
        var context = TlsHelper.BuildCertificateContext(options);
        context.ShouldBeNull();
    }

    [Fact]
    public void OcspPeerVerify_can_be_enabled()
    {
        var options = new NatsOptions { OcspPeerVerify = true };
        options.OcspPeerVerify.ShouldBeTrue();
    }

    [Fact]
    public void OcspMode_values_have_correct_ordinals()
    {
        ((int)OcspMode.Auto).ShouldBe(0);
        ((int)OcspMode.Always).ShouldBe(1);
        ((int)OcspMode.Must).ShouldBe(2);
        ((int)OcspMode.Never).ShouldBe(3);
    }
}