using ScadaLink.ManagementService;
namespace ScadaLink.ManagementService.Tests;
/// <summary>
/// Tests for per-instance site-scope authorization
/// (finding ManagementService-003).
/// </summary>
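public class DebugStreamHubTests
{
    // Every case calls the static DebugStreamHub.IsInstanceAccessAllowed with a role list,
    // the caller's permitted site ids (strings) and the target instance's site id (an int),
    // then asserts the boolean decision.
    //
    // NOTE(review): only callers holding "Deployment" and/or "Admin" are exercised here.
    // The expected decision for a caller with neither role, or for a permitted id that is
    // not numeric, is not visible from this file; confirm it is covered elsewhere.

    /// <summary>
    /// A Deployment user scoped to sites "1" and "2" may access an instance on site 2.
    /// </summary>
    [Fact]
    public void IsInstanceAccessAllowed_SiteScopedUser_InScopeInstance_Allowed()
    {
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "Deployment" },
            permittedSiteIds: new[] { "1", "2" },
            instanceSiteId: 2);

        Assert.True(allowed);
    }

    /// <summary>
    /// A Deployment user scoped to sites "1" and "2" is denied an instance on site 99.
    /// This is the only deny-path case in the class.
    /// </summary>
    [Fact]
    public void IsInstanceAccessAllowed_SiteScopedUser_OutOfScopeInstance_Denied()
    {
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "Deployment" },
            permittedSiteIds: new[] { "1", "2" },
            instanceSiteId: 99);

        Assert.False(allowed);
    }

    /// <summary>
    /// A Deployment user with an empty permitted-site set is treated as system-wide
    /// and may access an instance on any site.
    /// </summary>
    [Fact]
    public void IsInstanceAccessAllowed_SystemWideDeployment_AnySiteAllowed()
    {
        // Empty permitted set == system-wide Deployment.
        // NOTE(review): "empty means everything" makes the empty set the most privileged
        // value. Confirm the caller cannot end up with an empty set because site claims
        // were missing or failed to load; that case should deny rather than reach here.
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "Deployment" },
            // The element type must be spelled out: Array.Empty() has nothing to infer T from.
            permittedSiteIds: Array.Empty<string>(),
            instanceSiteId: 99);

        Assert.True(allowed);
    }

    /// <summary>
    /// An Admin user is allowed even when the target site (99) is outside the
    /// permitted set ("1").
    /// </summary>
    [Fact]
    public void IsInstanceAccessAllowed_AdminRole_BypassesSiteScope()
    {
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "Admin", "Deployment" },
            permittedSiteIds: new[] { "1" },
            instanceSiteId: 99);

        Assert.True(allowed);
    }

    /// <summary>
    /// The Admin bypass also applies when the role is spelled in lower case ("admin").
    /// </summary>
    [Fact]
    public void IsInstanceAccessAllowed_AdminRoleCheck_IsCaseInsensitive()
    {
        // NOTE(review): role names are matched case-insensitively here; confirm the
        // identity source cannot issue distinct roles that differ only by case.
        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
            roles: new[] { "admin" },
            permittedSiteIds: new[] { "1" },
            instanceSiteId: 99);

        Assert.True(allowed);
    }
}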