/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/

package cloudcmd

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"errors"
	"testing"

	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestIAMCreator(t *testing.T) {
	validGCPIAMConfig := GCPIAMConfig{
		Region:           "europe-west1",
		Zone:             "europe-west1-a",
		ProjectID:        "project-1234",
		ServiceAccountID: "const-test",
	}
	validGCPIAMOutput := terraform.IAMOutput{
		GCP: terraform.GCPIAMOutput{
			SaKey: "not_a_secret",
		},
	}
	validGCPIAMIDFile := IAMOutput{
		CloudProvider: cloudprovider.GCP,
		GCPOutput: GCPIAMOutput{
			ServiceAccountKey: "not_a_secret",
		},
	}

	validAzureIAMConfig := AzureIAMConfig{
		Location:         "westus",
		ServicePrincipal: "constell-test",
		ResourceGroup:    "constell-test",
	}
	validAzureIAMOutput := terraform.IAMOutput{
		Azure: terraform.AzureIAMOutput{
			SubscriptionID: "test_subscription_id",
			TenantID:       "test_tenant_id",
			UAMIID:         "test_uami_id",
		},
	}
	validAzureIAMIDFile := IAMOutput{
		CloudProvider: cloudprovider.Azure,
		AzureOutput: AzureIAMOutput{
			SubscriptionID: "test_subscription_id",
			TenantID:       "test_tenant_id",
			UAMIID:         "test_uami_id",
		},
	}

	validAWSIAMConfig := AWSIAMConfig{
		Region: "us-east-2",
		Prefix: "test",
	}
	validAWSIAMOutput := terraform.IAMOutput{
		AWS: terraform.AWSIAMOutput{
			WorkerNodeInstanceProfile:   "test_worker_node_instance_profile",
			ControlPlaneInstanceProfile: "test_control_plane_instance_profile",
		},
	}
	validAWSIAMIDFile := IAMOutput{
		CloudProvider: cloudprovider.AWS,
		AWSOutput: AWSIAMOutput{
			ControlPlaneInstanceProfile: "test_control_plane_instance_profile",
			WorkerNodeInstanceProfile:   "test_worker_node_instance_profile",
		},
	}

	testCases := map[string]struct {
		tfClient       tfIAMClient
		newTfClientErr error
		config         *IAMConfigOptions
		provider       cloudprovider.Provider
		wantIAMIDFile  IAMOutput
		wantErr        bool
	}{
		"new terraform client err": {
			tfClient:       &stubTerraformClient{},
			newTfClientErr: assert.AnError,
			wantErr:        true,
			config:         &IAMConfigOptions{TFWorkspace: "test"},
		},
		"create iam config err": {
			tfClient: &stubTerraformClient{iamOutputErr: assert.AnError},
			wantErr:  true,
			config:   &IAMConfigOptions{TFWorkspace: "test"},
		},
		"gcp": {
			tfClient:      &stubTerraformClient{iamOutput: validGCPIAMOutput},
			wantIAMIDFile: validGCPIAMIDFile,
			provider:      cloudprovider.GCP,
			config:        &IAMConfigOptions{GCP: validGCPIAMConfig, TFWorkspace: "test"},
		},
		"azure": {
			tfClient:      &stubTerraformClient{iamOutput: validAzureIAMOutput},
			wantIAMIDFile: validAzureIAMIDFile,
			provider:      cloudprovider.Azure,
			config:        &IAMConfigOptions{Azure: validAzureIAMConfig, TFWorkspace: "test"},
		},
		"aws": {
			tfClient:      &stubTerraformClient{iamOutput: validAWSIAMOutput},
			wantIAMIDFile: validAWSIAMIDFile,
			provider:      cloudprovider.AWS,
			config:        &IAMConfigOptions{AWS: validAWSIAMConfig, TFWorkspace: "test"},
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			creator := &IAMCreator{
				out: &bytes.Buffer{},
				newTerraformClient: func(_ context.Context, _ string) (tfIAMClient, error) {
					return tc.tfClient, tc.newTfClientErr
				},
			}

			idFile, err := creator.Create(context.Background(), tc.provider, tc.config)

			if tc.wantErr {
				assert.Error(err)
			} else {
				assert.NoError(err)
				assert.Equal(tc.provider, idFile.CloudProvider)
				switch tc.provider {
				case cloudprovider.GCP:
					assert.Equal(tc.wantIAMIDFile.GCPOutput, idFile.GCPOutput)
				case cloudprovider.Azure:
					assert.Equal(tc.wantIAMIDFile.AzureOutput, idFile.AzureOutput)
				case cloudprovider.AWS:
					assert.Equal(tc.wantIAMIDFile.AWSOutput, idFile.AWSOutput)
				}
			}
		})
	}
}

func TestDestroyIAMConfiguration(t *testing.T) {
	newError := func() error {
		return errors.New("failed")
	}

	testCases := map[string]struct {
		tfClient                   *stubTerraformClient
		wantErr                    bool
		wantDestroyCalled          bool
		wantCleanupWorkspaceCalled bool
	}{
		"destroy error": {
			tfClient:          &stubTerraformClient{destroyErr: newError()},
			wantErr:           true,
			wantDestroyCalled: true,
		},
		"destroy": {
			tfClient:                   &stubTerraformClient{},
			wantDestroyCalled:          true,
			wantCleanupWorkspaceCalled: true,
		},
		"cleanup error": {
			tfClient:                   &stubTerraformClient{cleanUpWorkspaceErr: newError()},
			wantErr:                    true,
			wantDestroyCalled:          true,
			wantCleanupWorkspaceCalled: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)
			destroyer := &IAMDestroyer{newTerraformClient: func(_ context.Context, _ string) (tfIAMClient, error) {
				return tc.tfClient, nil
			}}

			err := destroyer.DestroyIAMConfiguration(context.Background(), "", terraform.LogLevelNone)

			if tc.wantErr {
				assert.Error(err)
			} else {
				assert.NoError(err)
			}

			assert.Equal(tc.wantDestroyCalled, tc.tfClient.destroyCalled)
			assert.Equal(tc.wantCleanupWorkspaceCalled, tc.tfClient.cleanUpWorkspaceCalled)
		})
	}
}

func TestGetTfstateServiceAccountKey(t *testing.T) {
	gcpFile := `
	{
		"auth_provider_x509_cert_url": "",
		"auth_uri": "",
		"client_email": "",
		"client_id": "",
		"client_x509_cert_url": "",
		"private_key": "",
		"private_key_id": "",
		"project_id": "",
		"token_uri": "",
		"type": ""
	}
	`
	gcpFileB64 := base64.StdEncoding.EncodeToString([]byte(gcpFile))

	testCases := map[string]struct {
		cl             *stubTerraformClient
		wantValidSaKey bool
		wantErr        bool
		wantShowCalled bool
	}{
		"valid": {
			cl: &stubTerraformClient{
				iamOutput: terraform.IAMOutput{
					GCP: terraform.GCPIAMOutput{
						SaKey: gcpFileB64,
					},
				},
			},
			wantValidSaKey: true,
			wantShowCalled: true,
		},
		"show error": {
			cl: &stubTerraformClient{
				showIAMErr: assert.AnError,
			},
			wantErr:        true,
			wantShowCalled: true,
		},
		"nil tfstate values": {
			cl: &stubTerraformClient{
				iamOutput: terraform.IAMOutput{},
			},
			wantErr:        true,
			wantShowCalled: true,
		},
		"invalid base64": {
			cl: &stubTerraformClient{
				iamOutput: terraform.IAMOutput{
					GCP: terraform.GCPIAMOutput{
						SaKey: "iamnotvalid",
					},
				},
			},
			wantErr:        true,
			wantShowCalled: true,
		},
		"valid base64 invalid json": {
			cl: &stubTerraformClient{
				iamOutput: terraform.IAMOutput{
					GCP: terraform.GCPIAMOutput{
						SaKey: base64.StdEncoding.EncodeToString([]byte("asdf")),
					},
				},
			},
			wantErr:        true,
			wantShowCalled: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			destroyer := IAMDestroyer{newTerraformClient: func(_ context.Context, _ string) (tfIAMClient, error) {
				return tc.cl, nil
			}}

			saKey, err := destroyer.GetTfStateServiceAccountKey(context.Background(), "")

			if tc.wantErr {
				assert.Error(err)
				return
			}
			assert.NoError(err)

			var saKeyComp gcpshared.ServiceAccountKey
			require.NoError(t, json.Unmarshal([]byte(gcpFile), &saKeyComp))

			assert.Equal(saKey, saKeyComp)
			assert.Equal(tc.wantShowCalled, tc.cl.showCalled)
		})
	}
}