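package store

import (
	"bytes"
	"errors"
	"testing"
)

// sampleAccount returns the fixed Account fixture shared by the tests in this
// file. The credentials are constructed test values, not real secrets.
func sampleAccount() Account {
	return Account{
		Name:         "work",
		Mode:         "RO",
		IMAPHost:     "imap.example.com",
		IMAPPort:     993,
		IMAPSecurity: "tls",
		AuthType:     "password",
		Username:     "me@example.com",
		Password:     "s3cr3t",
		SubjectRegex: "",
	}
}

// TestAddGetAccountDecryptsSecret checks the round trip: an account added
// with a plaintext password comes back from GetAccount with that same
// plaintext and with its non-secret fields intact.
func TestAddGetAccountDecryptsSecret(t *testing.T) {
	s := openTemp(t)

	id, err := s.AddAccount(sampleAccount())
	if err != nil {
		t.Fatalf("AddAccount: %v", err)
	}
	if id == 0 {
		t.Fatal("want non-zero id")
	}

	got, err := s.GetAccount("work")
	if err != nil {
		t.Fatalf("GetAccount: %v", err)
	}
	if got.Password != "s3cr3t" {
		t.Fatalf("password not decrypted: %q", got.Password)
	}
	if got.Mode != "RO" || got.IMAPPort != 993 {
		t.Fatalf("fields wrong: %+v", got)
	}
}

// TestPasswordStoredEncrypted reads the enc_password column directly,
// bypassing the store API, and asserts that the stored bytes are non-empty
// and do not contain the plaintext password.
func TestPasswordStoredEncrypted(t *testing.T) {
	s := openTemp(t)

	// A failed insert must surface here; otherwise the query below fails
	// with a misleading "no rows" error instead of the real cause.
	if _, err := s.AddAccount(sampleAccount()); err != nil {
		t.Fatalf("AddAccount: %v", err)
	}

	var blob []byte
	if err := s.db.QueryRow("SELECT enc_password FROM accounts WHERE name='work'").Scan(&blob); err != nil {
		t.Fatalf("query: %v", err)
	}
	if len(blob) == 0 {
		t.Fatal("enc_password is empty; nothing was stored for the secret")
	}

	// Substring match rather than equality: a blob that merely wraps the
	// plaintext (length prefix, header, padding) would pass an == check
	// while still leaving the password readable at rest.
	plaintext := []byte(sampleAccount().Password)
	if bytes.Contains(blob, plaintext) {
		t.Fatalf("password not encrypted at rest: %q", blob)
	}
}

// TestGetAccountNotFound checks that looking up an unknown account name
// yields an error matching ErrAccountNotFound.
func TestGetAccountNotFound(t *testing.T) {
	s := openTemp(t)

	if _, err := s.GetAccount("nope"); !errors.Is(err, ErrAccountNotFound) {
		t.Fatalf("want ErrAccountNotFound, got %v", err)
	}
}

// TestListAccountsOmitsSecrets checks that ListAccounts returns the stored
// account with an empty Password field.
func TestListAccountsOmitsSecrets(t *testing.T) {
	s := openTemp(t)

	if _, err := s.AddAccount(sampleAccount()); err != nil {
		t.Fatalf("AddAccount: %v", err)
	}

	list, err := s.ListAccounts()
	if err != nil {
		t.Fatalf("ListAccounts: %v", err)
	}
	if len(list) != 1 {
		t.Fatalf("list: want 1 account, got len=%d", len(list))
	}

	// NOTE(review): only Password is asserted. If Account carries other
	// credential fields (not visible in this file), assert those are empty too.
	if list[0].Password != "" {
		t.Fatal("ListAccounts must not return secrets")
	}
}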