"""Tests for security analysis logic."""

import pytest
from src.analyzer import IncidentAnalyzer, RiskLevel, SecurityAnalysis
from src.llm import MockLLMProvider


@pytest.fixture
def analyzer():
    """Create analyzer with mock provider for tests."""
    provider = MockLLMProvider()
    return IncidentAnalyzer(provider)


@pytest.mark.asyncio
async def test_analyze_basic(analyzer):
    """Test basic analysis flow."""
    log = "Failed authentication attempts from 192.168.1.100"
    result = await analyzer.analyze(log)

    assert isinstance(result, SecurityAnalysis)
    assert result.summary
    assert result.risk_level in RiskLevel
    assert result.remediation
    assert result.raw_response


def test_parse_response_critical(analyzer):
    """Test parsing of critical risk level."""
    response = """
    What Happened: Ransomware detected
    Risk Level: CRITICAL
    Suggested Actions:
    - Isolate affected systems
    """
    result = analyzer._parse_response(response)

    assert result.risk_level == RiskLevel.CRITICAL


def test_parse_response_fallback_risk(analyzer):
    """Test risk level defaults to MEDIUM if not found."""
    response = "This is a generic response with no risk level specified"
    result = analyzer._parse_response(response)

    assert result.risk_level == RiskLevel.MEDIUM


def test_parse_response_indicators(analyzer):
    """Test extraction of indicators."""
    response = """What Happened: Suspicious activity
Risk Level: HIGH
Suggested Actions: Review logs

Indicators:
- Multiple failed logins
- Unusual IP address"""
    result = analyzer._parse_response(response)

    assert len(result.indicators) >= 2
    assert any("failed" in ind.lower() for ind in result.indicators)