import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as crypto from 'node:crypto';
import { AcmeCrypto } from '../ts/acme/acme.classes.crypto.js';
import { AcmeChallengeManager } from '../ts/acme/acme.classes.challenge.js';

// Create a shared key and fake httpClient for all tests
let accountKeyPem: string;
let challengeManager: AcmeChallengeManager;

tap.test('setup: create key and challenge manager', async () => {
  accountKeyPem = AcmeCrypto.createRsaPrivateKey();
  // AcmeChallengeManager only needs httpClient for complete(), not for getKeyAuthorization()
  // Pass null since we only test the sync crypto method
  challengeManager = new AcmeChallengeManager(null as any, accountKeyPem);
});

// --- http-01 ---

tap.test('http-01 returns token.thumbprint', async () => {
  const challenge = { type: 'http-01', url: 'https://acme.example/chall/1', status: 'pending', token: 'test-token-abc' };
  const result = challengeManager.getKeyAuthorization(challenge);

  const jwk = AcmeCrypto.getJwk(accountKeyPem);
  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
  expect(result).toEqual(`test-token-abc.${thumbprint}`);
});

// --- dns-01 ---

tap.test('dns-01 returns base64url(sha256(token.thumbprint))', async () => {
  const challenge = { type: 'dns-01', url: 'https://acme.example/chall/2', status: 'pending', token: 'dns-token-xyz' };
  const result = challengeManager.getKeyAuthorization(challenge);

  // Manual computation
  const jwk = AcmeCrypto.getJwk(accountKeyPem);
  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
  const keyAuth = `dns-token-xyz.${thumbprint}`;
  const expected = crypto.createHash('sha256').update(keyAuth).digest().toString('base64url');
  expect(result).toEqual(expected);
});

tap.test('dns-01 output is base64url (no +, /, =)', async () => {
  const challenge = { type: 'dns-01', url: 'https://acme.example/chall/3', status: 'pending', token: 'another-token' };
  const result = challengeManager.getKeyAuthorization(challenge);
  expect(result).not.toInclude('+');
  expect(result).not.toInclude('/');
  expect(result).not.toInclude('=');
});

tap.test('http-01 and dns-01 differ for same token', async () => {
  const token = 'shared-token-123';
  const httpResult = challengeManager.getKeyAuthorization({ type: 'http-01', url: 'https://acme.example/c/1', status: 'pending', token });
  const dnsResult = challengeManager.getKeyAuthorization({ type: 'dns-01', url: 'https://acme.example/c/2', status: 'pending', token });
  expect(httpResult).not.toEqual(dnsResult);
});

tap.test('deterministic across calls', async () => {
  const challenge = { type: 'http-01', url: 'https://acme.example/c/x', status: 'pending', token: 'stable-token' };
  const r1 = challengeManager.getKeyAuthorization(challenge);
  const r2 = challengeManager.getKeyAuthorization(challenge);
  expect(r1).toEqual(r2);
});

export default tap.start();