package policy

import (
	"context"
	"testing"

	"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"

	"github.com/open-policy-agent/opa/rego"
)

// TestReferenceRego_FailClosedOnWrites pins the security contract of the
// bundled reference Rego skeletons: they model READ-ACL only, so any non-read
// action must be DENIED even when the read-ACL would grant — and the commercial
// variant's only write-capable principal is an elevated admin. This is the
// behavior that, untested, previously let a verb-blind policy ship claiming to
// "mirror the internal decider exactly." See rego/access.rego.
func TestReferenceRego_FailClosedOnWrites(t *testing.T) {
	ctx := context.Background()

	mkQuery := func(module, src string) rego.PreparedEvalQuery {
		var pkg string
		switch module {
		case "access.rego":
			pkg = "data.zddc.access.allow"
		default:
			pkg = "data.zddc.access_federal.allow"
		}
		q, err := rego.New(rego.Query(pkg), rego.Module(module, src)).PrepareForEval(ctx)
		if err != nil {
			t.Fatalf("compile %s: %v", module, err)
		}
		return q
	}
	stdQ := mkQuery("access.rego", ReferenceRego)
	fedQ := mkQuery("access_federal.rego", FederalRego)

	// A chain that GRANTS full rwcd to alice — so any denial below is the
	// action gate, not a missing ACL.
	grant := zddc.PolicyChain{
		Levels:     []zddc.ZddcFile{{ACL: zddc.ACLRules{Permissions: map[string]string{"*@example.com": "rwcd"}}}},
		HasAnyFile: true,
	}

	evalAllow := func(q rego.PreparedEvalQuery, action string, admin bool) bool {
		in := AllowInput{Path: "/p/", Action: action, PolicyChain: chainToSerializable(grant)}
		in.User.Email = "alice@example.com"
		in.User.IsActiveAdmin = admin
		regoInput, err := canonicalInput(in)
		if err != nil {
			t.Fatalf("encode: %v", err)
		}
		rs, err := q.Eval(ctx, rego.EvalInput(regoInput))
		if err != nil {
			t.Fatalf("eval: %v", err)
		}
		if len(rs) == 0 {
			t.Fatalf("no result")
		}
		v, ok := rs[0].Expressions[0].Value.(bool)
		if !ok {
			t.Fatalf("result not bool: %v", rs[0].Expressions[0].Value)
		}
		return v
	}

	cases := []struct {
		name      string
		q         rego.PreparedEvalQuery
		action    string
		admin     bool
		wantAllow bool
	}{
		// Commercial: reads granted, every write verb denied (fail-closed).
		{"access read allowed", stdQ, ActionRead, false, true},
		{"access empty-action(read) allowed", stdQ, "", false, true},
		{"access write denied", stdQ, ActionWrite, false, false},
		{"access create denied", stdQ, ActionCreate, false, false},
		{"access delete denied", stdQ, ActionDelete, false, false},
		{"access admin-action denied", stdQ, ActionAdmin, false, false},
		// Commercial: an elevated admin is the one write-capable principal.
		{"access write allowed for active admin", stdQ, ActionWrite, true, true},
		{"access delete allowed for active admin", stdQ, ActionDelete, true, true},

		// Federal: reads granted, every write denied, and NO admin bypass.
		{"federal read allowed", fedQ, ActionRead, false, true},
		{"federal write denied", fedQ, ActionWrite, false, false},
		{"federal admin-action denied", fedQ, ActionAdmin, false, false},
		{"federal write denied even for active admin", fedQ, ActionWrite, true, false},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			if got := evalAllow(tc.q, tc.action, tc.admin); got != tc.wantAllow {
				t.Errorf("allow=%v, want %v (action=%q active_admin=%v)", got, tc.wantAllow, tc.action, tc.admin)
			}
		})
	}
}