using Xunit;
using OpenHarbor.MCP.Gateway.Infrastructure.Security;
using OpenHarbor.MCP.Gateway.Core.Models;

namespace OpenHarbor.MCP.Gateway.Infrastructure.Tests.Security;

/// <summary>
/// Unit tests for ApiKeyAuthProvider following TDD approach.
/// Tests API key-based authentication.
/// </summary>
public class ApiKeyAuthProviderTests
{
    [Fact]
    public async Task AuthenticateAsync_WithValidApiKey_ReturnsSuccess()
    {
        // Arrange
        var validKeys = new Dictionary<string, string>
        {
            ["client-1"] = "secret-key-123",
            ["client-2"] = "secret-key-456"
        };

        var provider = new ApiKeyAuthProvider(validKeys);
        var context = new AuthenticationContext
        {
            ClientId = "client-1",
            Credentials = "secret-key-123"
        };

        // Act
        var result = await provider.AuthenticateAsync(context);

        // Assert
        Assert.True(result.IsAuthenticated);
        Assert.Equal("client-1", result.ClientId);
        Assert.Null(result.ErrorMessage);
    }

    [Fact]
    public async Task AuthenticateAsync_WithInvalidApiKey_ReturnsFailure()
    {
        // Arrange
        var validKeys = new Dictionary<string, string>
        {
            ["client-1"] = "secret-key-123"
        };

        var provider = new ApiKeyAuthProvider(validKeys);
        var context = new AuthenticationContext
        {
            ClientId = "client-1",
            Credentials = "wrong-key"
        };

        // Act
        var result = await provider.AuthenticateAsync(context);

        // Assert
        Assert.False(result.IsAuthenticated);
        Assert.Null(result.ClientId);
        Assert.NotNull(result.ErrorMessage);
        Assert.Contains("Invalid API key", result.ErrorMessage);
    }

    [Fact]
    public async Task AuthenticateAsync_WithUnknownClient_ReturnsFailure()
    {
        // Arrange
        var validKeys = new Dictionary<string, string>
        {
            ["client-1"] = "secret-key-123"
        };

        var provider = new ApiKeyAuthProvider(validKeys);
        var context = new AuthenticationContext
        {
            ClientId = "unknown-client",
            Credentials = "any-key"
        };

        // Act
        var result = await provider.AuthenticateAsync(context);

        // Assert
        Assert.False(result.IsAuthenticated);
        Assert.Contains("Unknown client", result.ErrorMessage);
    }

    [Fact]
    public async Task AuthenticateAsync_WithNullCredentials_ReturnsFailure()
    {
        // Arrange
        var provider = new ApiKeyAuthProvider(new Dictionary<string, string>
        {
            ["client-1"] = "secret-key-123"
        });

        var context = new AuthenticationContext
        {
            ClientId = "client-1",
            Credentials = null
        };

        // Act
        var result = await provider.AuthenticateAsync(context);

        // Assert
        Assert.False(result.IsAuthenticated);
        Assert.Contains("credentials", result.ErrorMessage, StringComparison.OrdinalIgnoreCase);
    }

    [Fact]
    public async Task AuthenticateAsync_WithEmptyClientId_ReturnsFailure()
    {
        // Arrange
        var provider = new ApiKeyAuthProvider(new Dictionary<string, string>
        {
            ["client-1"] = "secret-key-123"
        });

        var context = new AuthenticationContext
        {
            ClientId = "",
            Credentials = "secret-key-123"
        };

        // Act
        var result = await provider.AuthenticateAsync(context);

        // Assert
        Assert.False(result.IsAuthenticated);
        Assert.Contains("Client ID", result.ErrorMessage);
    }

    [Fact]
    public void Constructor_WithNullKeys_ThrowsArgumentNullException()
    {
        // Act & Assert
        Assert.Throws<ArgumentNullException>(() => new ApiKeyAuthProvider(null!));
    }

    [Fact]
    public async Task AuthenticateAsync_WithNullContext_ThrowsArgumentNullException()
    {
        // Arrange
        var provider = new ApiKeyAuthProvider(new Dictionary<string, string>());

        // Act & Assert
        await Assert.ThrowsAsync<ArgumentNullException>(() => provider.AuthenticateAsync(null!));
    }

    [Fact]
    public async Task AuthenticateAsync_CaseSensitiveApiKey_ReturnsFailure()
    {
        // Arrange
        var validKeys = new Dictionary<string, string>
        {
            ["client-1"] = "SecretKey123"
        };

        var provider = new ApiKeyAuthProvider(validKeys);
        var context = new AuthenticationContext
        {
            ClientId = "client-1",
            Credentials = "secretkey123" // Wrong case
        };

        // Act
        var result = await provider.AuthenticateAsync(context);

        // Assert
        Assert.False(result.IsAuthenticated);
    }

    [Fact]
    public async Task AuthorizeAsync_WithValidClient_ReturnsSuccess()
    {
        // Arrange
        var validKeys = new Dictionary<string, string>
        {
            ["client-1"] = "secret-key-123"
        };

        var provider = new ApiKeyAuthProvider(validKeys);
        var context = new AuthorizationContext
        {
            ClientId = "client-1",
            Resource = "search_codex",
            Action = "invoke"
        };

        // Act
        var result = await provider.AuthorizeAsync(context);

        // Assert
        Assert.True(result.IsAuthorized);
    }

    [Fact]
    public async Task AuthorizeAsync_WithNullContext_ThrowsArgumentNullException()
    {
        // Arrange
        var provider = new ApiKeyAuthProvider(new Dictionary<string, string>());

        // Act & Assert
        await Assert.ThrowsAsync<ArgumentNullException>(() => provider.AuthorizeAsync(null!));
    }
}