package domaininfo

import (
	"errors"
	"os"
	"testing"

	"blitiri.com.ar/go/chasquid/internal/testlib"
	"blitiri.com.ar/go/chasquid/internal/trace"
)

func TestBasic(t *testing.T) {
	dir := testlib.MustTempDir(t)
	defer testlib.RemoveIfOk(t, dir)
	db, err := New(dir)
	if err != nil {
		t.Fatal(err)
	}
	tr := trace.New("test", "basic")
	defer tr.Finish()

	// IncomingSecLevel checks.
	if !db.IncomingSecLevel(tr, "d1", SecLevel_PLAIN) {
		t.Errorf("incoming: new domain as plain not allowed")
	}
	if !db.IncomingSecLevel(tr, "d1", SecLevel_TLS_SECURE) {
		t.Errorf("incoming: increment to tls-secure not allowed")
	}
	if db.IncomingSecLevel(tr, "d1", SecLevel_TLS_INSECURE) {
		t.Errorf("incoming: decrement to tls-insecure was allowed")
	}

	// OutgoingSecLevel checks.
	if !db.OutgoingSecLevel(tr, "d1", SecLevel_PLAIN) {
		t.Errorf("outgoing: new domain as plain not allowed")
	}
	if !db.OutgoingSecLevel(tr, "d1", SecLevel_TLS_SECURE) {
		t.Errorf("outgoing: increment to tls-secure not allowed")
	}
	if db.OutgoingSecLevel(tr, "d1", SecLevel_TLS_INSECURE) {
		t.Errorf("outgoing: decrement to tls-insecure was allowed")
	}

	// Check that it was added to the store and a new db sees it.
	db2, err := New(dir)
	if err != nil {
		t.Fatal(err)
	}
	if db2.IncomingSecLevel(tr, "d1", SecLevel_TLS_INSECURE) {
		t.Errorf("decrement to tls-insecure was allowed in new DB")
	}

	// Check that Clear resets the entry back to plain.
	ok := db.Clear(tr, "d1")
	if !ok {
		t.Errorf("Clear(d1) did not find the domain")
	}
	if !db.IncomingSecLevel(tr, "d1", SecLevel_PLAIN) {
		t.Errorf("Clear did not reset the domain back to plain (incoming)")
	}
	if !db.OutgoingSecLevel(tr, "d1", SecLevel_PLAIN) {
		t.Errorf("Clear did not reset the domain back to plain (outgoing)")
	}

	// Check that Clear returns false if the domain does not exist.
	ok = db.Clear(tr, "notexist")
	if ok {
		t.Errorf("Clear(notexist) returned true")
	}
}

func TestNewDomain(t *testing.T) {
	dir := testlib.MustTempDir(t)
	defer testlib.RemoveIfOk(t, dir)
	db, err := New(dir)
	if err != nil {
		t.Fatal(err)
	}
	tr := trace.New("test", "newdomain")
	defer tr.Finish()

	cases := []struct {
		domain string
		level  SecLevel
	}{
		{"plain", SecLevel_PLAIN},
		{"insecure", SecLevel_TLS_INSECURE},
		{"secure", SecLevel_TLS_SECURE},
	}
	for _, c := range cases {
		// The other tests do an incoming check first, so new domains would get
		// created via that path. We switch the order here to exercise that
		// OutgoingSecLevel also handles new domains successfully.
		if !db.OutgoingSecLevel(tr, c.domain, c.level) {
			t.Errorf("domain %q not allowed (out) at %s", c.domain, c.level)
		}
		if !db.IncomingSecLevel(tr, c.domain, c.level) {
			t.Errorf("domain %q not allowed (in) at %s", c.domain, c.level)
		}
	}
}

func TestProgressions(t *testing.T) {
	dir := testlib.MustTempDir(t)
	defer testlib.RemoveIfOk(t, dir)
	db, err := New(dir)
	if err != nil {
		t.Fatal(err)
	}
	tr := trace.New("test", "progressions")
	defer tr.Finish()

	cases := []struct {
		domain string
		lvl    SecLevel
		ok     bool
	}{
		{"pisis", SecLevel_PLAIN, true},
		{"pisis", SecLevel_TLS_INSECURE, true},
		{"pisis", SecLevel_TLS_SECURE, true},
		{"pisis", SecLevel_TLS_INSECURE, false},
		{"pisis", SecLevel_TLS_SECURE, true},

		{"ssip", SecLevel_TLS_SECURE, true},
		{"ssip", SecLevel_TLS_SECURE, true},
		{"ssip", SecLevel_TLS_INSECURE, false},
		{"ssip", SecLevel_PLAIN, false},
	}
	for i, c := range cases {
		if ok := db.IncomingSecLevel(tr, c.domain, c.lvl); ok != c.ok {
			t.Errorf("%2d %q in  attempt for %s failed: got %v, expected %v",
				i, c.domain, c.lvl, ok, c.ok)
		}
		if ok := db.OutgoingSecLevel(tr, c.domain, c.lvl); ok != c.ok {
			t.Errorf("%2d %q out attempt for %s failed: got %v, expected %v",
				i, c.domain, c.lvl, ok, c.ok)
		}
	}
}

func TestErrors(t *testing.T) {
	// Non-existent directory.
	_, err := New("/doesnotexists")
	if err == nil {
		t.Error("could create a DB on a non-existent directory")
	}

	// Corrupt/invalid file.
	dir := testlib.MustTempDir(t)
	defer testlib.RemoveIfOk(t, dir)
	db, err := New(dir)
	if err != nil {
		t.Fatal(err)
	}

	tr := trace.New("test", "errors")
	defer tr.Finish()

	if !db.IncomingSecLevel(tr, "d1", SecLevel_TLS_SECURE) {
		t.Errorf("increment to tls-secure not allowed")
	}

	testlib.Rewrite(t, dir+"/s:d1", "invalid-text-protobuf-contents")

	err = db.Reload()
	if err == nil {
		t.Errorf("no error when reloading db with invalid file")
	}

	// Creating a db with an invalid file should also result in an error.
	_, err = New(dir)
	if err == nil {
		t.Errorf("no error when creating db with invalid file")
	}
}

func TestDirectoryErrors(t *testing.T) {
	dir := testlib.MustTempDir(t)
	defer testlib.RemoveIfOk(t, dir)
	db, err := New(dir + "/db")
	if err != nil {
		t.Fatal(err)
	}

	tr := trace.New("test", "direrrors")
	defer tr.Finish()

	// We want to cause store.ListIDs to return an error. To do so, we will
	// cause Readdir to fail by removing the underlying db directory.
	err = os.Remove(dir + "/db")
	if err != nil {
		t.Fatal(err)
	}

	err = db.Reload()
	if !errors.Is(err, os.ErrNotExist) {
		t.Errorf("got %v, expected %v", err, os.ErrNotExist)
	}

	// We expect write() to also fail to store data in this scenario.
	d := Domain{Name: "d1"}
	err = db.write(tr, &d)
	if !errors.Is(err, os.ErrNotExist) {
		t.Errorf("got %v, expected %v", err, os.ErrNotExist)
	}
}