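"""Access-control tests for ``execute_tool`` and the role helpers.

The two async tests pin the fail-closed contract of the tool dispatcher:
a caller whose role is not permitted for a tool must receive a structured
error *and the tool handler must never run*. The role-helper tests pin the
least-privilege defaults (unknown or missing role -> ``viewer``).
"""

import sys
from pathlib import Path

import pytest

# Ensure backend package is importable: put the directory two levels above
# this file at the front of sys.path before the project imports below.
backend_dir = Path(__file__).parent.parent
sys.path.insert(0, str(backend_dir))

from mcp_server.common import access_control  # noqa: E402
from mcp_server.common.utils import execute_tool  # noqa: E402


# Tool name used by both dispatcher tests; it must be one that viewers are
# denied and admins are allowed, per the assertions below.
TOOL = "rag.ingest"


def _payload(role):
    """Return a fresh minimal tool payload carrying *role*.

    A new dict is built per call so one test cannot leak mutations into
    another through a shared fixture object.
    """
    return {
        "tenant_id": "tenant123",
        "session_id": "s1",
        "role": role,
    }


@pytest.mark.asyncio
async def test_execute_tool_denies_without_permission():
    """A ``viewer`` is rejected and the handler is never invoked."""
    calls = []

    async def handler(context, payload):
        calls.append(payload)
        return {"ok": True}

    result = await execute_tool(TOOL, _payload("viewer"), handler)

    assert result["status"] == "error"
    assert result["error_type"] == "validation_error"
    assert "not permitted" in result["message"]
    # Fail closed: the denial must short-circuit before the tool runs, not
    # run the tool and then discard its output.
    assert calls == []


@pytest.mark.asyncio
async def test_execute_tool_allows_authorized_role():
    """An ``admin`` reaches the handler and its output is returned as ``data``."""
    calls = []

    async def handler(context, payload):
        calls.append(payload)
        return {"ok": True}

    result = await execute_tool(TOOL, _payload("admin"), handler)

    assert result["status"] == "ok"
    assert result["data"]["ok"] is True
    # The handler runs exactly once for an authorized call.
    assert len(calls) == 1


def test_normalize_role_defaults_to_viewer():
    """Missing, unknown and differently-cased roles collapse to a known role.

    Unknown input must map to the least-privileged role rather than raise or
    pass through unchanged.
    """
    assert access_control.normalize_role(None) == "viewer"
    assert access_control.normalize_role("ADMIN") == "admin"
    assert access_control.normalize_role("unknown") == "viewer"


def test_role_allows_matrix():
    """Spot-check the role/permission matrix at both ends of the privilege scale."""
    assert access_control.role_allows("owner", "manage_rules")
    assert not access_control.role_allows("viewer", "manage_rules")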