import { assertEquals } from 'jsr:@std/assert';
import { afterAll, beforeAll, describe, it } from 'jsr:@std/testing/bdd';
import { TypedRequest } from '@api.global/typedrequest';
import {
  createTestContainer,
  getTestPorts,
  loginAndGetIdentity,
  TEST_ACCESS_KEY,
} from './helpers/server.helper.ts';
import { ObjectStorageContainer } from '../ts/index.ts';
import type * as interfaces from '../ts_interfaces/index.ts';
import type {
  IReq_GetCredentials,
  IReq_AddCredential,
  IReq_RemoveCredential,
} from '../ts_interfaces/requests/credentials.ts';

const PORT_INDEX = 6;
const ports = getTestPorts(PORT_INDEX);
const url = `http://localhost:${ports.uiPort}/typedrequest`;

describe('Credential management', { sanitizeResources: false, sanitizeOps: false }, () => {
  let container: ObjectStorageContainer;
  let identity: interfaces.data.IIdentity;

  beforeAll(async () => {
    container = createTestContainer(PORT_INDEX);
    await container.start();
    identity = await loginAndGetIdentity(ports.uiPort);
  });

  afterAll(async () => {
    await container.stop();
  });

  it('should get credentials with masked secrets', async () => {
    const req = new TypedRequest<IReq_GetCredentials>(url, 'getCredentials');
    const response = await req.fire({ identity });
    assertEquals(response.credentials.length, 1);
    assertEquals(response.credentials[0].accessKeyId, TEST_ACCESS_KEY);
    // Secret should be masked: first 4 chars + ****
    assertEquals(response.credentials[0].secretAccessKey.includes('****'), true);
  });

  it('should add a new credential', async () => {
    const req = new TypedRequest<IReq_AddCredential>(url, 'addCredential');
    const response = await req.fire({
      identity,
      accessKeyId: 'newkey',
      secretAccessKey: 'newsecret',
    });
    assertEquals(response.ok, true);
  });

  it('should list credentials showing both', async () => {
    const req = new TypedRequest<IReq_GetCredentials>(url, 'getCredentials');
    const response = await req.fire({ identity });
    assertEquals(response.credentials.length, 2);
    const keys = response.credentials.map((c) => c.accessKeyId);
    assertEquals(keys.includes(TEST_ACCESS_KEY), true);
    assertEquals(keys.includes('newkey'), true);
  });

  it('should verify new credential is stored in config', () => {
    const creds = container.config.accessCredentials;
    const newCred = creds.find((c) => c.accessKeyId === 'newkey');
    assertEquals(newCred?.secretAccessKey, 'newsecret');
  });

  it('should remove a credential', async () => {
    const req = new TypedRequest<IReq_RemoveCredential>(url, 'removeCredential');
    const response = await req.fire({ identity, accessKeyId: 'newkey' });
    assertEquals(response.ok, true);
  });

  it('should list credentials showing one remaining', async () => {
    const req = new TypedRequest<IReq_GetCredentials>(url, 'getCredentials');
    const response = await req.fire({ identity });
    assertEquals(response.credentials.length, 1);
    assertEquals(response.credentials[0].accessKeyId, TEST_ACCESS_KEY);
  });

  it('should reject removing the last credential', async () => {
    const req = new TypedRequest<IReq_RemoveCredential>(url, 'removeCredential');
    let threw = false;
    try {
      await req.fire({ identity, accessKeyId: TEST_ACCESS_KEY });
    } catch {
      threw = true;
    }
    assertEquals(threw, true);
  });
});