package main

import (
	"io"
	"os"
	"path/filepath"
	"strings"
	"testing"

	"github.com/pinchtab/pinchtab/internal/config"
)

func TestHandleSecurityCommandDefaultConfigSkipsEmptySections(t *testing.T) {
	cfg := testRuntimeConfig()

	output := captureStdout(t, func() {
		handleSecurityCommand(cfg)
	})

	required := []string{
		"Security",
		"All recommended security defaults are active.",
	}
	for _, needle := range required {
		if !strings.Contains(output, needle) {
			t.Fatalf("expected output to contain %q\n%s", needle, output)
		}
	}

	unwanted := []string{
		"Security posture",
		"Warnings",
		"Recommended security defaults",
		"Recommended defaults",
		"Restore recommended security defaults in config?",
		"Interactive restore skipped because stdin/stdout is not a terminal.",
	}
	for _, needle := range unwanted {
		if strings.Contains(output, needle) {
			t.Fatalf("expected output to skip %q\n%s", needle, output)
		}
	}
}

func captureStdout(t *testing.T, fn func()) string {
	t.Helper()

	orig := os.Stdout
	r, w, err := os.Pipe()
	if err != nil {
		t.Fatalf("os.Pipe() error = %v", err)
	}
	os.Stdout = w
	defer func() {
		os.Stdout = orig
	}()

	fn()

	if err := w.Close(); err != nil {
		t.Fatalf("close writer error = %v", err)
	}
	data, err := io.ReadAll(r)
	if err != nil {
		t.Fatalf("ReadAll() error = %v", err)
	}
	if err := r.Close(); err != nil {
		t.Fatalf("close reader error = %v", err)
	}
	return string(data)
}

func TestApplyGuardsDownPreset(t *testing.T) {
	configPath := filepath.Join(t.TempDir(), "pinchtab", "config.json")
	t.Setenv("PINCHTAB_CONFIG", configPath)

	fc := config.DefaultFileConfig()
	fc.Server.Token = "guarded-token"
	if err := os.MkdirAll(filepath.Dir(configPath), 0o755); err != nil {
		t.Fatalf("MkdirAll() error = %v", err)
	}
	if err := config.SaveFileConfig(&fc, configPath); err != nil {
		t.Fatalf("SaveFileConfig() error = %v", err)
	}

	cfg, gotPath, changed, err := applyGuardsDownPreset()
	if err != nil {
		t.Fatalf("applyGuardsDownPreset() error = %v", err)
	}
	if !changed {
		t.Fatal("expected guards down preset to change config")
	}
	if gotPath != configPath {
		t.Fatalf("config path = %q, want %q", gotPath, configPath)
	}

	if cfg.Bind != "127.0.0.1" {
		t.Fatalf("Bind = %q, want 127.0.0.1", cfg.Bind)
	}
	if cfg.Token != "guarded-token" {
		t.Fatalf("Token = %q, want existing token to remain", cfg.Token)
	}
	if !cfg.AllowEvaluate || !cfg.AllowMacro || !cfg.AllowScreencast || !cfg.AllowDownload || !cfg.AllowUpload {
		t.Fatalf("expected sensitive endpoints enabled, got %+v", cfg)
	}
	if !cfg.AttachEnabled {
		t.Fatal("expected attach endpoint enabled")
	}
	if got := strings.Join(cfg.AttachAllowHosts, ","); got != "127.0.0.1,localhost,::1" {
		t.Fatalf("AttachAllowHosts = %q", got)
	}
	if got := strings.Join(cfg.AttachAllowSchemes, ","); got != "ws,wss" {
		t.Fatalf("AttachAllowSchemes = %q", got)
	}
	if cfg.IDPI.Enabled || cfg.IDPI.StrictMode || cfg.IDPI.ScanContent || cfg.IDPI.WrapContent {
		t.Fatalf("expected IDPI protections disabled, got %+v", cfg.IDPI)
	}
}

func testRuntimeConfig() *config.RuntimeConfig {
	return &config.RuntimeConfig{
		Bind:               "127.0.0.1",
		Token:              "abcd1234efgh5678",
		AllowEvaluate:      false,
		AllowMacro:         false,
		AllowScreencast:    false,
		AllowDownload:      false,
		AllowUpload:        false,
		AttachEnabled:      false,
		AttachAllowHosts:   []string{"127.0.0.1", "localhost", "::1"},
		AttachAllowSchemes: []string{"ws", "wss"},
		IDPI: config.IDPIConfig{
			Enabled:        true,
			AllowedDomains: []string{"127.0.0.1", "localhost", "::1"},
			StrictMode:     true,
			ScanContent:    true,
			WrapContent:    true,
		},
	}
}