"""Tests for ApiSecurity.authenticate under different API_KEYS settings."""

import pytest

from backend.app.core.security import ApiSecurity


def test_security_allows_without_required_key(monkeypatch) -> None:
    """With API_KEYS empty, a caller that presents no key is authenticated."""
    monkeypatch.setattr("backend.app.core.security.API_KEYS", "")
    guard = ApiSecurity()

    # This pins the open default: no configured keys plus no presented key
    # yields an "operator" principal rather than a rejection.
    # NOTE(review): there is no companion case here for api_key=None while
    # keys ARE configured; that path decides whether auth can be skipped by
    # omitting the key and is worth covering next to this test.
    result = guard.authenticate(api_key=None, client_id="local")

    assert result.role == "operator"


def test_security_rejects_invalid_key(monkeypatch) -> None:
    """A key that is not the configured one makes authenticate() raise."""
    monkeypatch.setattr("backend.app.core.security.API_KEYS", "abc")
    guard = ApiSecurity()

    # NOTE(review): pytest.raises(Exception) is satisfied by any error,
    # including an unrelated TypeError/AttributeError inside authenticate(),
    # so this does not prove the key was rejected on purpose. Narrow it to
    # the exception type ApiSecurity raises on rejection (not visible here).
    with pytest.raises(Exception):
        guard.authenticate(api_key="wrong", client_id="local")


def test_security_role_mapping(monkeypatch) -> None:
    """Each "key:role" pair in API_KEYS maps its key to the stated role."""
    monkeypatch.setattr(
        "backend.app.core.security.API_KEYS", "k1:viewer,k2:admin"
    )
    guard = ApiSecurity()

    # Authenticate both keys before asserting, in the same order as listed.
    roles = {
        key: guard.authenticate(api_key=key, client_id="local").role
        for key in ("k1", "k2")
    }

    assert roles["k1"] == "viewer"
    assert roles["k2"] == "admin"