import os
from fastapi.testclient import TestClient
from tensorus.api import app


def test_security_headers_default(monkeypatch):
    monkeypatch.delenv("TENSORUS_X_FRAME_OPTIONS", raising=False)
    monkeypatch.delenv("TENSORUS_CONTENT_SECURITY_POLICY", raising=False)
    with TestClient(app) as client:
        resp = client.get("/")
    assert resp.headers.get("X-Frame-Options") == "SAMEORIGIN"
    assert resp.headers.get("Content-Security-Policy") == "default-src 'self'"


def test_security_headers_custom(monkeypatch):
    monkeypatch.setenv("TENSORUS_X_FRAME_OPTIONS", "ALLOW-FROM https://example.com")
    policy = "default-src 'self'; script-src 'self' https://cdn.example.com"
    monkeypatch.setenv("TENSORUS_CONTENT_SECURITY_POLICY", policy)
    with TestClient(app) as client:
        resp = client.get("/")
    assert resp.headers["X-Frame-Options"] == "ALLOW-FROM https://example.com"
    assert resp.headers["Content-Security-Policy"] == policy


def test_security_headers_omitted(monkeypatch):
    monkeypatch.setenv("TENSORUS_X_FRAME_OPTIONS", "NONE")
    monkeypatch.setenv("TENSORUS_CONTENT_SECURITY_POLICY", "")
    with TestClient(app) as client:
        resp = client.get("/")
    assert "X-Frame-Options" not in resp.headers
    assert "Content-Security-Policy" not in resp.headers