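package checker

import (
	"context"
	"encoding/json"
	"strings"
	"testing"
	"time"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// stubObsGetter is a minimal ObservationGetter for tests: it serves a
// canned CAAData under ObservationKeyCAA and a canned list of related
// observations under TLSRelatedKey.
type stubObsGetter struct {
	data    CAAData                  // returned (JSON round-tripped) for ObservationKeyCAA
	related []sdk.RelatedObservation // returned verbatim by GetRelated
}

// Get copies s.data into dest via a JSON round-trip when key is
// ObservationKeyCAA. Any other key leaves dest untouched and returns nil,
// so a rule asking for something this stub does not model sees a zero
// value rather than an error.
func (s *stubObsGetter) Get(_ context.Context, key sdk.ObservationKey, dest any) error {
	if key != ObservationKeyCAA {
		return nil
	}
	b, err := json.Marshal(s.data)
	if err != nil {
		// Report the marshal failure itself rather than feeding an empty
		// payload to Unmarshal, whose "unexpected end of JSON input" would
		// point the test author at the wrong place.
		return err
	}
	return json.Unmarshal(b, dest)
}

// GetRelated ignores the requested key and returns the canned related
// observations; the rule under test is expected to ask for TLSRelatedKey.
func (s *stubObsGetter) GetRelated(_ context.Context, _ sdk.ObservationKey) ([]sdk.RelatedObservation, error) {
	return s.related, nil
}

// mkTLSObs wraps a single probe into the {"probes": {<ref>: …}} shape
// checker-tls actually emits. A marshal failure aborts the calling test
// (t.Helper keeps the failure attributed to the caller's line).
func mkTLSObs(t *testing.T, ref string, probe map[string]any) sdk.RelatedObservation {
	t.Helper()
	payload := map[string]any{
		"probes": map[string]any{ref: probe},
	}
	b, err := json.Marshal(payload)
	if err != nil {
		t.Fatalf("marshal tls payload: %v", err)
	}
	return sdk.RelatedObservation{
		CheckerID:   "tls",
		Key:         TLSRelatedKey,
		Data:        b,
		CollectedAt: time.Now(),
		Ref:         ref,
	}
}

// TestRule_OK: CAA allows letsencrypt.org and the probe is from a
// Let's Encrypt intermediate. Expect StatusOK.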
func TestRule_OK(t *testing.T) {
	// Policy and observation agree: CAA names letsencrypt.org and the
	// probe's AKI is one of Let's Encrypt's intermediates.
	policy := []CAARecord{{Flag: 0, Tag: "issue", Value: "letsencrypt.org"}}
	probe := map[string]any{
		"host":       "www.example.com",
		"port":       443,
		"endpoint":   "www.example.com:443",
		"issuer":     "R10",
		"issuer_dn":  "CN=R10,O=Let's Encrypt,C=US",
		"issuer_aki": "BBBCC347A5E4BCA9C6C3A4720C108DA235E1C8E8",
	}
	obs := &stubObsGetter{
		data:    CAAData{Domain: "example.com", Records: policy},
		related: []sdk.RelatedObservation{mkTLSObs(t, "ep-1", probe)},
	}

	got := Rule().Evaluate(context.Background(), obs, nil)
	if got.Status != sdk.StatusOK {
		t.Fatalf("expected StatusOK, got %s: %s", got.Status, got.Message)
	}
	if got.Code != CodeOK {
		t.Errorf("expected code %q, got %q", CodeOK, got.Code)
	}
}

// TestRule_NotAuthorized: CAA only allows digicert.com but the probe
// shows a Let's Encrypt cert. Expect StatusCrit / caa_not_authorized.
func TestRule_NotAuthorized(t *testing.T) {
	// Same Let's Encrypt AKI as the OK case, but the policy names a
	// different CA, so issuance should be reported as unauthorized.
	policy := []CAARecord{{Flag: 0, Tag: "issue", Value: "digicert.com"}}
	probe := map[string]any{
		"host":       "www.example.com",
		"port":       443,
		"endpoint":   "www.example.com:443",
		"issuer":     "R10",
		"issuer_aki": "BBBCC347A5E4BCA9C6C3A4720C108DA235E1C8E8",
	}
	obs := &stubObsGetter{
		data:    CAAData{Domain: "example.com", Records: policy},
		related: []sdk.RelatedObservation{mkTLSObs(t, "ep-1", probe)},
	}

	got := Rule().Evaluate(context.Background(), obs, nil)
	if got.Status != sdk.StatusCrit {
		t.Fatalf("expected StatusCrit, got %s: %s", got.Status, got.Message)
	}
	if got.Code != CodeNotAuthorized {
		t.Errorf("expected code %q, got %q", CodeNotAuthorized, got.Code)
	}
	// The message is expected to name the CAA identifier the observed
	// issuer would need, so an operator can fix the record directly.
	if !strings.Contains(got.Message, "letsencrypt.org") {
		t.Errorf("expected message to mention letsencrypt.org, got %q", got.Message)
	}
}

// TestRule_IssuanceDisallowed: CAA says `issue ";"` but a cert was
// observed. Expect StatusCrit / caa_issuance_disallowed regardless of
// the issuer.
func TestRule_IssuanceDisallowed(t *testing.T) {
	denyAll := CAAData{
		Domain:  "example.com",
		Records: []CAARecord{{Flag: 0, Tag: "issue", Value: ";"}},
	}
	// Only the AKI is present here — no issuer or issuer_dn — since the
	// verdict for `issue ";"` is meant to be independent of who issued.
	probe := map[string]any{
		"host":       "www.example.com",
		"port":       443,
		"endpoint":   "www.example.com:443",
		"issuer_aki": "BBBCC347A5E4BCA9C6C3A4720C108DA235E1C8E8",
	}
	obs := &stubObsGetter{
		data:    denyAll,
		related: []sdk.RelatedObservation{mkTLSObs(t, "ep-1", probe)},
	}

	got := Rule().Evaluate(context.Background(), obs, nil)
	switch {
	case got.Status != sdk.StatusCrit:
		t.Fatalf("expected StatusCrit, got %s: %s", got.Status, got.Message)
	case got.Code != CodeIssuanceDisallowed:
		t.Errorf("expected code %q, got %q", CodeIssuanceDisallowed, got.Code)
	}
}

// TestRule_IssuerUnknown: the observed AKI is not in CCADB. Expect
// StatusInfo / caa_issuer_unknown.
func TestRule_IssuerUnknown(t *testing.T) {
	allowLE := CAAData{
		Domain:  "example.com",
		Records: []CAARecord{{Flag: 0, Tag: "issue", Value: "letsencrypt.org"}},
	}
	// An AKI that maps to no known CA: the rule cannot decide whether
	// the policy was honoured, so it should only inform, not alarm.
	probe := map[string]any{
		"host":       "www.example.com",
		"port":       443,
		"endpoint":   "www.example.com:443",
		"issuer_aki": "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF",
		"issuer_dn":  "CN=Totally Made Up CA,O=Nope,C=XX",
	}
	obs := &stubObsGetter{
		data:    allowLE,
		related: []sdk.RelatedObservation{mkTLSObs(t, "ep-1", probe)},
	}

	got := Rule().Evaluate(context.Background(), obs, nil)
	switch {
	case got.Status != sdk.StatusInfo:
		t.Fatalf("expected StatusInfo, got %s: %s", got.Status, got.Message)
	case got.Code != CodeIssuerUnknown:
		t.Errorf("expected code %q, got %q", CodeIssuerUnknown, got.Code)
	}
}

// TestRule_NoTLS: no related TLS observations yet. Steady state during
// the eventual-consistency window before checker-tls has produced data.
func TestRule_NoTLS(t *testing.T) {
	// A policy exists but there is nothing to check it against yet.
	obs := &stubObsGetter{
		data: CAAData{
			Domain:  "example.com",
			Records: []CAARecord{{Flag: 0, Tag: "issue", Value: "letsencrypt.org"}},
		},
		related: nil,
	}

	got := Rule().Evaluate(context.Background(), obs, nil)
	switch {
	case got.Status != sdk.StatusUnknown:
		t.Fatalf("expected StatusUnknown, got %s: %s", got.Status, got.Message)
	case got.Code != CodeNoTLS:
		t.Errorf("expected code %q, got %q", CodeNoTLS, got.Code)
	}
}

// TestRule_NoCAAPublished: valid TLS cert, but the zone has no CAA
// records. Rule should nudge the user (StatusInfo) with a suggestion
// to publish CAA.
func TestRule_NoCAAPublished(t *testing.T) {
	// Let's Encrypt cert in the wild, empty policy: the rule should
	// propose the CAA value that would match what is already deployed.
	probe := map[string]any{
		"host":       "www.example.com",
		"port":       443,
		"endpoint":   "www.example.com:443",
		"issuer":     "R10",
		"issuer_aki": "BBBCC347A5E4BCA9C6C3A4720C108DA235E1C8E8",
	}
	obs := &stubObsGetter{
		data:    CAAData{Domain: "example.com", Records: nil},
		related: []sdk.RelatedObservation{mkTLSObs(t, "ep-1", probe)},
	}

	got := Rule().Evaluate(context.Background(), obs, nil)
	if got.Status != sdk.StatusInfo {
		t.Fatalf("expected StatusInfo (no policy), got %s: %s", got.Status, got.Message)
	}
	if !strings.Contains(got.Message, "letsencrypt.org") {
		t.Errorf("expected suggestion to mention letsencrypt.org, got %q", got.Message)
	}
}

// TestBuildAllowList is a unit test for the policy parser. The ';'
// sentinel and parameter stripping are the two subtle bits worth
// covering directly.
func TestBuildAllowList(t *testing.T) {
	records := []CAARecord{
		{Flag: 0, Tag: "issue", Value: "letsencrypt.org"},
		// Parameters after ';' must be dropped; only the CA identifier
		// takes part in the policy.
		{Flag: 0, Tag: "issue", Value: "sectigo.com; account=12345"},
		// A bare ';' denies issuance for this tag only.
		{Flag: 0, Tag: "issuewild", Value: ";"},
	}
	got := buildAllowList(records)

	if !got.issueAll["letsencrypt.org"] {
		t.Error("expected letsencrypt.org in issueAll")
	}
	if !got.issueAll["sectigo.com"] {
		t.Errorf("expected sectigo.com (stripped) in issueAll, got %v", got.issueAll)
	}

	// The sentinel was only on issuewild, so plain issuance stays open
	// while wildcard issuance is closed.
	if got.disallowIssue {
		t.Error("disallowIssue should be false; only issuewild was ';'")
	}
	if !got.disallowWildcardIssue {
		t.Error("expected disallowWildcardIssue=true")
	}
}