namespace ScadaLink.NotificationService.Tests;

/// <summary>
/// NS-009: Tests for scrubbing SMTP credential secrets out of log/result text.
/// </summary>
/// <remarks>
/// Every credential value in this fixture is a constructed sample, not a real secret.
/// NOTE(review): the masking tests only assert that the secret is absent from the output.
/// They would also pass if <c>Scrub</c> discarded the whole message, so consider asserting
/// that the non-secret diagnostic context survives. Confirm this against the
/// CredentialRedactor contract, which is not visible from this file.
/// </remarks>
public class CredentialRedactorTests
{
    /// <summary>
    /// A password passed as the second segment of a <c>user:password</c> credential string
    /// must not appear in the scrubbed log line.
    /// </summary>
    [Fact]
    public void Scrub_BasicAuthPassword_IsMasked()
    {
        // Sample server response that echoes the password back in clear text.
        var logLine = "535 5.7.8 Authentication failed for user 'svc' with password 'Hunter2pw!'";

        var scrubbed = CredentialRedactor.Scrub(logLine, "svc:Hunter2pw!");

        // The bare password must be gone.
        Assert.DoesNotContain("Hunter2pw!", scrubbed);
        // Implied by the assertion above; kept explicit so the full credential string
        // is documented as never reaching the output either.
        Assert.DoesNotContain("svc:Hunter2pw!", scrubbed);
    }

    /// <summary>
    /// A client secret passed as the last segment of a colon-delimited credential string
    /// must not appear in the scrubbed log line.
    /// </summary>
    [Fact]
    public void Scrub_OAuth2ClientSecret_IsMasked()
    {
        // Sample token-endpoint failure that carries the secret as a form parameter.
        var logLine = "Token request failed: client_secret=Sup3rSecretValue rejected by tenant";

        // NOTE(review): the credential looks like tenant:client:secret; verify the segment
        // order against the redactor's parser.
        var scrubbed = CredentialRedactor.Scrub(logLine, "tenant-guid:client-guid:Sup3rSecretValue");

        Assert.DoesNotContain("Sup3rSecretValue", scrubbed);
    }

    /// <summary>
    /// With no credentials to redact, the input text is expected back verbatim.
    /// </summary>
    [Fact]
    public void Scrub_NullCredentials_ReturnsTextUnchanged()
        => Assert.Equal("plain text", CredentialRedactor.Scrub("plain text", null));

    /// <summary>
    /// A null message is expected to come back as an empty string, not as null and not as an exception.
    /// </summary>
    [Fact]
    public void Scrub_NullText_ReturnsEmpty()
        => Assert.Equal(string.Empty, CredentialRedactor.Scrub(null, "user:pass"));
}