from fastapi.testclient import TestClient

from agent.tools.sandbox_client import _SANDBOX_SERVER, Sandbox


def _sandbox_app(
    monkeypatch,
    token: str | None = "sandbox-secret",
    *,
    hf_token: str | None = None,
):
    monkeypatch.delenv("SANDBOX_API_TOKEN", raising=False)
    monkeypatch.delenv("HF_TOKEN", raising=False)
    if token is not None:
        monkeypatch.setenv("SANDBOX_API_TOKEN", token)
    if hf_token is not None:
        monkeypatch.setenv("HF_TOKEN", hf_token)
    namespace = {}
    exec(_SANDBOX_SERVER, namespace)
    return namespace["app"]


def test_health_is_public(monkeypatch):
    client = TestClient(_sandbox_app(monkeypatch))

    response = client.get("/api/health")

    assert response.status_code == 200
    assert response.json() == {"status": "ok"}


def test_file_and_command_routes_require_bearer_token(monkeypatch):
    client = TestClient(_sandbox_app(monkeypatch, "sandbox-secret"))

    response = client.post("/api/exists", json={"path": "/tmp"})

    assert response.status_code == 401


def test_file_and_command_routes_reject_authorization_bearer_token(monkeypatch):
    client = TestClient(_sandbox_app(monkeypatch, "sandbox-secret"))

    response = client.post(
        "/api/exists",
        json={"path": "/tmp"},
        headers={"Authorization": "Bearer sandbox-secret"},
    )

    assert response.status_code == 401


def test_file_and_command_routes_accept_sandbox_header_with_hf_bearer(monkeypatch):
    client = TestClient(
        _sandbox_app(monkeypatch, "sandbox-secret", hf_token="hf-secret")
    )

    response = client.post(
        "/api/exists",
        json={"path": "/tmp"},
        headers={
            "Authorization": "Bearer hf-secret",
            "X-Sandbox-Authorization": "Bearer sandbox-secret",
        },
    )

    assert response.status_code == 200
    assert response.json()["success"] is True


def test_hf_bearer_alone_is_rejected_when_sandbox_token_is_configured(monkeypatch):
    client = TestClient(
        _sandbox_app(monkeypatch, "sandbox-secret", hf_token="hf-secret")
    )

    response = client.post(
        "/api/exists",
        json={"path": "/tmp"},
        headers={"Authorization": "Bearer hf-secret"},
    )

    assert response.status_code == 401


def test_legacy_hf_token_fallback_is_rejected(monkeypatch):
    client = TestClient(_sandbox_app(monkeypatch, token=None, hf_token="hf-secret"))

    response = client.post(
        "/api/exists",
        json={"path": "/tmp"},
        headers={"Authorization": "Bearer hf-secret"},
    )

    assert response.status_code == 503


def test_protected_routes_fail_closed_without_configured_token(monkeypatch):
    client = TestClient(_sandbox_app(monkeypatch, None))

    response = client.post(
        "/api/exists",
        json={"path": "/tmp"},
        headers={"Authorization": "Bearer anything"},
    )

    assert response.status_code == 503


def test_sandbox_sends_hub_auth_and_control_plane_header():
    sandbox = Sandbox("owner/name", token="hf-token", api_token="sandbox-secret")

    assert sandbox._client.headers["authorization"] == "Bearer hf-token"
    assert sandbox._client.headers["x-sandbox-authorization"] == "Bearer sandbox-secret"


def test_sandbox_api_token_is_hidden_from_repr():
    sandbox = Sandbox("owner/name", token="hf-token", api_token="sandbox-secret")

    assert "sandbox-secret" not in repr(sandbox)