package secrets

import (
	"crypto/rand"
	"io"
	"os"
	"path/filepath"
	"testing"

	"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
)

func freshKey(t *testing.T) []byte {
	t.Helper()
	k := make([]byte, crypto.KeyLen)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		t.Fatalf("rand: %v", err)
	}
	return k
}

func TestRoundTrip(t *testing.T) {
	t.Parallel()
	dir := t.TempDir()
	path := filepath.Join(dir, "secrets.enc")
	st, err := New(path, freshKey(t))
	if err != nil {
		t.Fatalf("new: %v", err)
	}

	// Empty file → zero-value Repo, no error.
	got, err := st.Load()
	if err != nil {
		t.Fatalf("load empty: %v", err)
	}
	if !got.Empty() {
		t.Errorf("first load should be empty, got %+v", got)
	}

	want := Repo{URL: "rest:https://r/host", Username: "user", Password: "pw"}
	if err := st.Save(want); err != nil {
		t.Fatalf("save: %v", err)
	}
	got, err = st.Load()
	if err != nil {
		t.Fatalf("load: %v", err)
	}
	if got != want {
		t.Errorf("round-trip mismatch: got %+v want %+v", got, want)
	}

	// File mode must be 0600.
	info, _ := os.Stat(path)
	if info.Mode().Perm() != 0o600 {
		t.Errorf("file mode = %o, want 0600", info.Mode().Perm())
	}
}

func TestRejectsWrongKey(t *testing.T) {
	t.Parallel()
	dir := t.TempDir()
	path := filepath.Join(dir, "secrets.enc")
	good, err := New(path, freshKey(t))
	if err != nil {
		t.Fatalf("new good: %v", err)
	}
	if err := good.Save(Repo{URL: "x", Password: "y"}); err != nil {
		t.Fatalf("save: %v", err)
	}
	bad, err := New(path, freshKey(t))
	if err != nil {
		t.Fatalf("new bad: %v", err)
	}
	if _, err := bad.Load(); err == nil {
		t.Error("load with wrong key must fail; got nil")
	}
}

func TestSaveIsAtomic(t *testing.T) {
	t.Parallel()
	// Sanity check: after Save(), there are no leftover .tmp files.
	dir := t.TempDir()
	path := filepath.Join(dir, "secrets.enc")
	st, err := New(path, freshKey(t))
	if err != nil {
		t.Fatalf("new: %v", err)
	}
	if err := st.Save(Repo{URL: "x", Password: "y"}); err != nil {
		t.Fatalf("save: %v", err)
	}
	entries, _ := os.ReadDir(dir)
	if len(entries) != 1 {
		var names []string
		for _, e := range entries {
			names = append(names, e.Name())
		}
		t.Errorf("dir should hold one file post-save, got %v", names)
	}
}