<?php

declare(strict_types=1);

namespace App\Tests\Integration\Auth;

use App\Domain\Auth\Role;
use App\Domain\Auth\TokenKind;
use App\Tests\Integration\Support\AppTestCase;

/**
 * Behavioural tests for the /api/v1/auth/* endpoints. These verify the
 * upsert flows and OIDC role resolution from group mappings.
 */
final class AuthEndpointsTest extends AppTestCase
{
    public function testUpsertLocalCreatesUserOnFirstCall(): void
    {
        $token = $this->createToken(TokenKind::Service);

        // No local row exists yet; the first upsert mints it.
        $response = $this->request(
            'POST',
            '/api/v1/auth/users/upsert-local',
            [
                'Authorization' => 'Bearer ' . $token,
                'Content-Type' => 'application/json',
            ],
            json_encode(['username' => 'admin']) ?: null
        );
        self::assertSame(200, $response->getStatusCode());

        $body = $this->decode($response);
        self::assertIsInt($body['user_id']);
        self::assertSame('admin', $body['role']);
        self::assertNull($body['email']);
        self::assertSame('admin', $body['display_name']);
        self::assertTrue($body['is_local']);

        self::assertSame(
            1,
            (int) $this->db->fetchOne('SELECT COUNT(*) FROM users WHERE is_local = 1'),
            'first call must create exactly one local row'
        );
    }

    /**
     * SEC_REVIEW F3 regression. A service-token holder must not be able
     * to mint additional Admin user rows by rotating the `username` field
     * over `POST /api/v1/auth/users/upsert-local`. Before the fix every
     * fresh username produced a new is_local=1, role=admin row that the
     * caller could then impersonate via X-Acting-User-Id.
     */
    public function testRotatingUsernamesNeverCreatesAdditionalLocalAdmins(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        $headers = [
            'Authorization' => 'Bearer ' . $token,
            'Content-Type' => 'application/json',
        ];

        $userIds = [];
        foreach (['attacker-1', 'attacker-2', 'attacker-3'] as $name) {
            $body = $this->decode($this->request(
                'POST',
                '/api/v1/auth/users/upsert-local',
                $headers,
                json_encode(['username' => $name]) ?: null
            ));
            $userIds[] = $body['user_id'];
            self::assertSame($adminId, $body['user_id']);
            self::assertSame('admin', $body['role']);
            self::assertSame($name, $body['display_name']);
        }

        // Same user_id returned every call.
        self::assertSame([$adminId, $adminId, $adminId], $userIds);

        // And only one is_local=1 row in the DB.
        self::assertSame(
            1,
            (int) $this->db->fetchOne('SELECT COUNT(*) FROM users WHERE is_local = 1'),
            'rotating usernames must not mint additional local-admin rows'
        );
    }

    /**
     * Defense-in-depth: even if application code regresses, the partial
     * unique index added in 20260504100000_add_unique_local_user_index
     * must reject a second is_local=1 insert.
     */
    public function testDbLayerRejectsSecondLocalAdminInsert(): void
    {
        $this->createUser(Role::Admin, isLocal: true);

        $this->expectException(\Doctrine\DBAL\Exception\UniqueConstraintViolationException::class);

        $this->db->insert('users', [
            'subject' => null,
            'email' => null,
            'display_name' => 'second-local',
            'role' => Role::Admin->value,
            'is_local' => 1,
        ]);
    }

    public function testUpsertLocalIsIdempotent(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        $headers = [
            'Authorization' => 'Bearer ' . $token,
            'X-Acting-User-Id' => (string) $adminId,
            'Content-Type' => 'application/json',
        ];
        $body = json_encode(['username' => 'idempotent']) ?: null;

        $first = $this->decode($this->request('POST', '/api/v1/auth/users/upsert-local', $headers, $body));
        $second = $this->decode($this->request('POST', '/api/v1/auth/users/upsert-local', $headers, $body));

        self::assertSame($first['user_id'], $second['user_id']);
    }

    public function testUpsertOidcResolvesRoleFromGroups(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        // Seed a role mapping: group "ops-group" → operator
        $this->db->insert('oidc_role_mappings', [
            'group_id' => 'ops-group',
            'role' => Role::Operator->value,
        ]);
        $this->db->insert('oidc_role_mappings', [
            'group_id' => 'admin-group',
            'role' => Role::Admin->value,
        ]);

        $response = $this->request(
            'POST',
            '/api/v1/auth/users/upsert-oidc',
            [
                'Authorization' => 'Bearer ' . $token,
                'X-Acting-User-Id' => (string) $adminId,
                'Content-Type' => 'application/json',
            ],
            json_encode([
                'subject' => 'sub-1',
                'email' => 'alice@example.com',
                'display_name' => 'Alice',
                'groups' => ['ops-group', 'admin-group'],
            ]) ?: null
        );
        self::assertSame(200, $response->getStatusCode());

        $body = $this->decode($response);
        self::assertSame('admin', $body['role'], 'highest matching role wins');
        self::assertSame('alice@example.com', $body['email']);
        self::assertSame('Alice', $body['display_name']);
        self::assertFalse($body['is_local']);
    }

    public function testUpsertOidcFallsBackToDefaultRoleWithNoMatchingGroup(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        $response = $this->request(
            'POST',
            '/api/v1/auth/users/upsert-oidc',
            [
                'Authorization' => 'Bearer ' . $token,
                'X-Acting-User-Id' => (string) $adminId,
                'Content-Type' => 'application/json',
            ],
            json_encode([
                'subject' => 'sub-default',
                'email' => 'b@example.com',
                'display_name' => 'B',
                'groups' => ['unknown-group'],
            ]) ?: null
        );
        self::assertSame(200, $response->getStatusCode());

        // Default in tests is Role::Viewer.
        self::assertSame('viewer', $this->decode($response)['role']);
    }

    public function testUpsertOidcRecomputesRoleOnSubsequentLogins(): void
    {
        $token = $this->createToken(TokenKind::Service);
        $adminId = $this->createUser(Role::Admin, isLocal: true);

        $this->db->insert('oidc_role_mappings', [
            'group_id' => 'g1',
            'role' => Role::Operator->value,
        ]);

        $headers = [
            'Authorization' => 'Bearer ' . $token,
            'X-Acting-User-Id' => (string) $adminId,
            'Content-Type' => 'application/json',
        ];

        $first = $this->decode($this->request(
            'POST',
            '/api/v1/auth/users/upsert-oidc',
            $headers,
            json_encode([
                'subject' => 'churn',
                'email' => 'c@example.com',
                'display_name' => 'C',
                'groups' => ['g1'],
            ]) ?: null
        ));
        self::assertSame('operator', $first['role']);

        // Subsequent login with no matching group → role drops to default viewer.
        $second = $this->decode($this->request(
            'POST',
            '/api/v1/auth/users/upsert-oidc',
            $headers,
            json_encode([
                'subject' => 'churn',
                'email' => 'c@example.com',
                'display_name' => 'C',
                'groups' => [],
            ]) ?: null
        ));
        self::assertSame($first['user_id'], $second['user_id']);
        self::assertSame('viewer', $second['role']);
    }

    public function testUpsertOidcRejectsAdminToken(): void
    {
        // Even an admin token can't call /auth/* — those are service-only.
        $token = $this->createToken(TokenKind::Admin, role: Role::Admin);

        $response = $this->request(
            'POST',
            '/api/v1/auth/users/upsert-local',
            [
                'Authorization' => 'Bearer ' . $token,
                'Content-Type' => 'application/json',
            ],
            json_encode(['username' => 'admin']) ?: null
        );
        self::assertSame(403, $response->getStatusCode());
    }
}