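package crypto

import (
	"bytes"
	"encoding/base64"
	"errors"
	"testing"
)

// testKey returns a fixed 32-byte key (bytes 0x00..0x1f) so the tests are
// deterministic. It is a test fixture only: the value is predictable and
// carries no entropy.
func testKey() []byte {
	k := make([]byte, 32)
	for i := range k {
		k[i] = byte(i)
	}
	return k
}

// TestSealOpenRoundTrip checks that Open recovers exactly what Seal was given
// under the same key, and that the sealed blob does not carry the plaintext
// bytes verbatim.
func TestSealOpenRoundTrip(t *testing.T) {
	key := testKey()
	msg := []byte("hunter2-the-password")

	blob, err := Seal(key, msg)
	if err != nil {
		t.Fatalf("Seal: %v", err)
	}
	// Smoke check only: the absence of the plaintext substring catches a
	// no-op or encoding-only Seal, but it does not prove confidentiality.
	if bytes.Contains(blob, msg) {
		t.Fatal("ciphertext must not contain plaintext")
	}

	got, err := Open(key, blob)
	if err != nil {
		t.Fatalf("Open: %v", err)
	}
	if !bytes.Equal(got, msg) {
		t.Fatalf("round-trip mismatch: %q", got)
	}
}

// TestSealUsesRandomNonce checks that sealing the same plaintext twice under
// the same key yields different blobs.
//
// NOTE(review): a single pair detects a fixed or missing nonce; it does not
// establish nonce uniqueness in general. How Seal picks the nonce is not
// visible from this file.
func TestSealUsesRandomNonce(t *testing.T) {
	key := testKey()

	// Check both Seal errors: if Seal failed, two nil blobs would compare
	// equal and the test would report a nonce problem that does not exist.
	a, err := Seal(key, []byte("x"))
	if err != nil {
		t.Fatalf("Seal (first): %v", err)
	}
	b, err := Seal(key, []byte("x"))
	if err != nil {
		t.Fatalf("Seal (second): %v", err)
	}

	if bytes.Equal(a, b) {
		t.Fatal("two seals of same plaintext must differ (random nonce)")
	}
}

// TestOpenWrongKeyFails checks that a blob sealed under one key is rejected
// when opened with a different key.
//
// NOTE(review): only the wrong-key case is covered here; a case that modifies
// the blob and expects Open to fail would exercise integrity checking
// directly.
func TestOpenWrongKeyFails(t *testing.T) {
	// Without this check a failing Seal would hand Open a nil blob, Open
	// would reject it, and the test would pass without ever testing the key.
	blob, err := Seal(testKey(), []byte("secret"))
	if err != nil {
		t.Fatalf("Seal: %v", err)
	}

	wrong := make([]byte, 32) // all zeros
	if _, err := Open(wrong, blob); err == nil {
		t.Fatal("Open with wrong key must fail")
	}
}

// TestKeyFromEnv checks the three outcomes of KeyFromEnv driven by the
// EMCLI_KEY environment variable: a base64-encoded 32-byte key is accepted,
// an empty value yields ErrNoKey, and a value that decodes to fewer bytes
// yields ErrBadKey.
//
// t.Setenv restores the previous value when the test ends, so the process
// environment is not left modified.
func TestKeyFromEnv(t *testing.T) {
	t.Setenv("EMCLI_KEY", base64.StdEncoding.EncodeToString(testKey()))
	k, err := KeyFromEnv()
	if err != nil || len(k) != 32 {
		// Only the length is printed, so key bytes never reach test output.
		t.Fatalf("KeyFromEnv: key=%d err=%v", len(k), err)
	}

	// errors.Is matches the sentinel whether it is returned directly or
	// wrapped with context.
	t.Setenv("EMCLI_KEY", "")
	if _, err := KeyFromEnv(); !errors.Is(err, ErrNoKey) {
		t.Fatalf("empty key: want ErrNoKey, got %v", err)
	}

	t.Setenv("EMCLI_KEY", base64.StdEncoding.EncodeToString([]byte("tooshort")))
	if _, err := KeyFromEnv(); !errors.Is(err, ErrBadKey) {
		t.Fatalf("short key: want ErrBadKey, got %v", err)
	}
}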