/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package azureshared

import (
	"net/url"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"go.uber.org/goleak"
)

func TestMain(m *testing.M) {
	goleak.VerifyTestMain(m)
}

func TestApplicationCredentialsFromURI(t *testing.T) {
	creds := ApplicationCredentials{
		TenantID:            "tenant-id",
		AppClientID:         "client-id",
		ClientSecretValue:   "client-secret",
		Location:            "location",
		UamiResourceID:      "subscriptions/9b352db0-82af-408c-a02c-36fbffbf7015/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UAMIName",
		PreferredAuthMethod: AuthMethodServicePrincipal,
	}
	credsWithoutSecret := ApplicationCredentials{
		TenantID:            "tenant-id",
		Location:            "location",
		UamiResourceID:      "subscriptions/9b352db0-82af-408c-a02c-36fbffbf7015/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UAMIName",
		PreferredAuthMethod: AuthMethodUserAssignedIdentity,
	}
	credsWithoutPreferrredAuthMethod := ApplicationCredentials{
		TenantID:          "tenant-id",
		AppClientID:       "client-id",
		ClientSecretValue: "client-secret",
		Location:          "location",
	}
	testCases := map[string]struct {
		cloudServiceAccountURI string
		wantCreds              ApplicationCredentials
		wantErr                bool
	}{
		"getApplicationCredentials works": {
			cloudServiceAccountURI: "serviceaccount://azure?tenant_id=tenant-id&client_id=client-id&client_secret=client-secret&location=location&preferred_auth_method=serviceprincipal&uami_resource_id=subscriptions%2F9b352db0-82af-408c-a02c-36fbffbf7015%2FresourceGroups%2FresourceGroupName%2Fproviders%2FMicrosoft.ManagedIdentity%2FuserAssignedIdentities%2FUAMIName",
			wantCreds:              creds,
		},
		"can parse URI without app registration / secret": {
			cloudServiceAccountURI: "serviceaccount://azure?tenant_id=tenant-id&location=location&preferred_auth_method=userassignedidentity&uami_resource_id=subscriptions%2F9b352db0-82af-408c-a02c-36fbffbf7015%2FresourceGroups%2FresourceGroupName%2Fproviders%2FMicrosoft.ManagedIdentity%2FuserAssignedIdentities%2FUAMIName",
			wantCreds:              credsWithoutSecret,
		},
		"can parse URI without preferred auth method": {
			cloudServiceAccountURI: "serviceaccount://azure?tenant_id=tenant-id&client_id=client-id&client_secret=client-secret&location=location",
			wantCreds:              credsWithoutPreferrredAuthMethod,
		},
		"invalid URI fails": {
			cloudServiceAccountURI: "\x00",
			wantErr:                true,
		},
		"incorrect URI scheme fails": {
			cloudServiceAccountURI: "invalid",
			wantErr:                true,
		},
		"incorrect URI host fails": {
			cloudServiceAccountURI: "serviceaccount://incorrect",
			wantErr:                true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)
			require := require.New(t)

			creds, err := ApplicationCredentialsFromURI(tc.cloudServiceAccountURI)
			if tc.wantErr {
				assert.Error(err)
				return
			}
			require.NoError(err)
			assert.Equal(tc.wantCreds, creds)
		})
	}
}

func TestToCloudServiceAccountURI(t *testing.T) {
	testCases := map[string]struct {
		credentials   ApplicationCredentials
		wantURLValues url.Values
	}{
		"client id and secret without preferred auth method": {
			credentials: ApplicationCredentials{
				TenantID:          "tenant-id",
				AppClientID:       "client-id",
				ClientSecretValue: "client-secret",
				Location:          "location",
			},
			wantURLValues: url.Values{
				"tenant_id":     []string{"tenant-id"},
				"client_id":     []string{"client-id"},
				"client_secret": []string{"client-secret"},
				"location":      []string{"location"},
			},
		},
		"client id and secret with preferred auth method": {
			credentials: ApplicationCredentials{
				TenantID:            "tenant-id",
				AppClientID:         "client-id",
				ClientSecretValue:   "client-secret",
				Location:            "location",
				PreferredAuthMethod: AuthMethodServicePrincipal,
			},
			wantURLValues: url.Values{
				"tenant_id":             []string{"tenant-id"},
				"client_id":             []string{"client-id"},
				"client_secret":         []string{"client-secret"},
				"location":              []string{"location"},
				"preferred_auth_method": []string{"ServicePrincipal"},
			},
		},
		"only preferred auth method": {
			credentials: ApplicationCredentials{
				TenantID:            "tenant-id",
				Location:            "location",
				PreferredAuthMethod: AuthMethodUserAssignedIdentity,
			},
			wantURLValues: url.Values{
				"tenant_id":             []string{"tenant-id"},
				"location":              []string{"location"},
				"preferred_auth_method": []string{"UserAssignedIdentity"},
			},
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)
			require := require.New(t)

			cloudServiceAccountURI := tc.credentials.ToCloudServiceAccountURI()
			uri, err := url.Parse(cloudServiceAccountURI)
			require.NoError(err)
			query := uri.Query()
			assert.Equal("serviceaccount", uri.Scheme)
			assert.Equal("azure", uri.Host)
			assert.Equal(tc.wantURLValues, query)
		})
	}
}