package auth

import (
	"sync"
	"testing"
	"time"

	"git.t-juice.club/torjus/oubliette/internal/config"
)

func newTestAuth(acceptAfter int, ttl time.Duration, statics ...config.Credential) *Authenticator {
	a := NewAuthenticator(config.AuthConfig{
		AcceptAfter:       acceptAfter,
		CredentialTTLDuration: ttl,
		StaticCredentials: statics,
	})
	return a
}

func TestStaticCredentialsAccepted(t *testing.T) {
	a := newTestAuth(10, time.Hour, config.Credential{Username: "root", Password: "toor"})
	d := a.Authenticate("1.2.3.4", "root", "toor")
	if !d.Accepted || d.Reason != "static_credential" {
		t.Errorf("got %+v, want accepted with static_credential", d)
	}
}

func TestStaticCredentialsWrongPassword(t *testing.T) {
	a := newTestAuth(10, time.Hour, config.Credential{Username: "root", Password: "toor"})
	d := a.Authenticate("1.2.3.4", "root", "wrong")
	if d.Accepted {
		t.Errorf("should not accept wrong password for static credential")
	}
}

func TestRejectionBeforeThreshold(t *testing.T) {
	a := newTestAuth(3, time.Hour)
	for i := 0; i < 2; i++ {
		d := a.Authenticate("1.2.3.4", "user", "pass")
		if d.Accepted {
			t.Fatalf("attempt %d should be rejected", i+1)
		}
		if d.Reason != "rejected" {
			t.Errorf("attempt %d reason = %q, want %q", i+1, d.Reason, "rejected")
		}
	}
}

func TestThresholdAcceptance(t *testing.T) {
	a := newTestAuth(3, time.Hour)
	for i := 0; i < 2; i++ {
		d := a.Authenticate("1.2.3.4", "user", "pass")
		if d.Accepted {
			t.Fatalf("attempt %d should be rejected", i+1)
		}
	}
	d := a.Authenticate("1.2.3.4", "user", "pass")
	if !d.Accepted || d.Reason != "threshold_reached" {
		t.Errorf("attempt 3 got %+v, want accepted with threshold_reached", d)
	}
}

func TestPerIPIsolation(t *testing.T) {
	a := newTestAuth(3, time.Hour)

	// IP1 gets 2 failures.
	for i := 0; i < 2; i++ {
		a.Authenticate("1.1.1.1", "user", "pass")
	}

	// IP2 should start at 0, not inherit IP1's count.
	d := a.Authenticate("2.2.2.2", "user", "pass")
	if d.Accepted {
		t.Error("IP2's first attempt should be rejected")
	}
}

func TestCredentialMemoryAcrossIPs(t *testing.T) {
	a := newTestAuth(2, time.Hour)

	// IP1 reaches threshold, credential is remembered.
	a.Authenticate("1.1.1.1", "user", "pass")
	d := a.Authenticate("1.1.1.1", "user", "pass")
	if !d.Accepted || d.Reason != "threshold_reached" {
		t.Fatalf("threshold not reached: %+v", d)
	}

	// IP2 should get in with the remembered credential.
	d = a.Authenticate("2.2.2.2", "user", "pass")
	if !d.Accepted || d.Reason != "remembered_credential" {
		t.Errorf("IP2 got %+v, want accepted with remembered_credential", d)
	}
}

func TestCredentialMemoryExpires(t *testing.T) {
	a := newTestAuth(2, time.Hour)
	now := time.Now()
	a.now = func() time.Time { return now }

	// Reach threshold to remember credential.
	a.Authenticate("1.1.1.1", "user", "pass")
	a.Authenticate("1.1.1.1", "user", "pass")

	// Advance past TTL.
	a.now = func() time.Time { return now.Add(2 * time.Hour) }

	d := a.Authenticate("2.2.2.2", "user", "pass")
	if d.Accepted {
		t.Errorf("expired credential should not be accepted: %+v", d)
	}
}

func TestCounterResetsAfterAcceptance(t *testing.T) {
	a := newTestAuth(2, time.Hour)

	// Reach threshold.
	a.Authenticate("1.1.1.1", "user", "pass")
	d := a.Authenticate("1.1.1.1", "user", "pass")
	if !d.Accepted {
		t.Fatal("threshold not reached")
	}

	// With a different credential, counter should be reset.
	d = a.Authenticate("1.1.1.1", "other", "cred")
	if d.Accepted {
		t.Error("first attempt after reset should be rejected")
	}
}

func TestConcurrentAccess(t *testing.T) {
	a := newTestAuth(5, time.Hour)
	var wg sync.WaitGroup

	for i := 0; i < 100; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			a.Authenticate("1.2.3.4", "user", "pass")
		}()
	}
	wg.Wait()
}