package agentapi

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"
)

// storageStub serves the agent's {ok,data} envelope for GET /storage, requiring the bearer.
func storageStub(token string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("GET /storage", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			w.WriteHeader(http.StatusUnauthorized)
			_, _ = w.Write([]byte(`{"ok":false,"error":"unauthorized"}`))
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(`{"ok":true,"data":{"vmid":8200,"mounts":[{"key":"mp0","storage":"fast","mount_point":"/var/lib/docker","class":"fast","backup":true}]}}`))
	})
	return mux
}

func leafPin(t *testing.T, s *httptest.Server) string {
	t.Helper()
	der := s.Certificate().Raw
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// The correct pin + token reaches /storage and decodes the mounts.
func TestClient_PinnedStorageOK(t *testing.T) {
	s := httptest.NewTLSServer(storageStub("TOK"))
	defer s.Close()
	endpoint := strings.TrimPrefix(s.URL, "https://")

	c, err := New(endpoint, "TOK", leafPin(t, s))
	if err != nil {
		t.Fatalf("new: %v", err)
	}
	resp, err := c.Storage(context.Background())
	if err != nil {
		t.Fatalf("storage: %v", err)
	}
	if resp.VMID != 8200 || len(resp.Mounts) != 1 || resp.Mounts[0].Class != "fast" {
		t.Fatalf("unexpected storage response: %+v", resp)
	}
}

// A WRONG pin fails closed — the TLS handshake is rejected before any data flows.
func TestClient_WrongPinFailsClosed(t *testing.T) {
	s := httptest.NewTLSServer(storageStub("TOK"))
	defer s.Close()
	endpoint := strings.TrimPrefix(s.URL, "https://")

	wrong := strings.Repeat("ab", 32) // 64 hex chars, valid format, wrong value
	c, err := New(endpoint, "TOK", wrong)
	if err != nil {
		t.Fatalf("new: %v", err)
	}
	if _, err := c.Storage(context.Background()); err == nil {
		t.Fatal("expected a TLS pin failure, got success")
	}
}

// A bad fingerprint format is rejected at construction.
func TestClient_BadFingerprintRejected(t *testing.T) {
	if _, err := New("host:8443", "TOK", "not-a-fingerprint"); err == nil {
		t.Fatal("expected an error for a non-SHA256 fingerprint")
	}
	if _, err := New("host:8443", "", strings.Repeat("a", 64)); err == nil {
		t.Fatal("expected an error for an empty token")
	}
}

// Colon-separated fingerprints (the agent logs them with ':') are accepted.
func TestClient_AcceptsColonFingerprint(t *testing.T) {
	s := httptest.NewTLSServer(storageStub("TOK"))
	defer s.Close()
	endpoint := strings.TrimPrefix(s.URL, "https://")

	pin := leafPin(t, s)
	var colon strings.Builder
	for i := 0; i < len(pin); i += 2 {
		if i > 0 {
			colon.WriteByte(':')
		}
		colon.WriteString(pin[i : i+2])
	}
	c, err := New(endpoint, "TOK", colon.String())
	if err != nil {
		t.Fatalf("new with colon fp: %v", err)
	}
	if _, err := c.Storage(context.Background()); err != nil {
		t.Fatalf("storage with colon fp: %v", err)
	}
}