/**
 * IAM 后台 - 紧急豁免（Redis 落地）
 */
import { INestApplication } from '@nestjs/common';
import request from 'supertest';
import { PrismaService } from '@/core/database/prisma/prisma.service';
import { cleanupDatabase } from '../../helpers/cleanup.helper';
import { createTestApp } from '../../helpers/app.helper';
import { setupIntegrationTest } from '../../helpers/test-setup.helper';
import { EmergencyBypassService } from '@/common/services/emergency-bypass.service';

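/**
 * Integration tests for the IAM admin emergency-bypass HTTP API.
 *
 * The suite drives the API through supertest and cross-checks the result
 * against EmergencyBypassService (isBypassed / listActive) and, for creation,
 * against the iamAuditLog table.
 *
 * NOTE(review): every request below carries the admin token. There is no case
 * for a missing token or for an authenticated caller without admin rights.
 * This API switches bypasses on and off, so those rejections deserve explicit
 * tests; confirm whether another suite already covers them.
 */
describe('IAM Admin - EmergencyBypass API', () => {
  let app: INestApplication;
  let prisma: PrismaService;
  let bypass: EmergencyBypassService;
  let adminToken: string;

  // One application instance is shared by all cases in this suite.
  beforeAll(async () => {
    app = await createTestApp();
    prisma = app.get<PrismaService>(PrismaService);
    bypass = app.get<EmergencyBypassService>(EmergencyBypassService);
  });

  // A fresh admin token is obtained for every case.
  beforeEach(async () => {
    const ctx = await setupIntegrationTest(app, prisma);
    adminToken = ctx.adminToken;
  });

  afterEach(async () => {
    try {
      // Disable whatever is still active so that a leftover bypass cannot leak
      // into the next case. listActive() is not scoped to this test, so this
      // removes every active bypass the service reports.
      // NOTE(review): make sure the suite never runs against a shared store.
      const active = await bypass.listActive();
      for (const entry of active) await bypass.disable(entry.endpoint);
    } finally {
      // Database cleanup must still run when the bypass cleanup above throws;
      // otherwise rows from a failed case survive into the next one.
      await cleanupDatabase(prisma);
    }
  });

  afterAll(async () => {
    await app.close();
  });

  /** Encodes a string as base64url so it can be used as a single URL path segment. */
  const b64u = (s: string): string => Buffer.from(s).toString('base64url');

  it('[IAM-ADMIN-EB-001] POST 启用豁免，写入 Redis + 审计', async () => {
    // Timestamp suffix keeps the endpoint key unique per run.
    const endpoint = `POST /api/v1/test-${Date.now()}`;
    const res = await request(app.getHttpServer())
      .post('/api/v1/iam/emergency-bypass')
      .set('Authorization', `Bearer ${adminToken}`)
      .send({ endpoint, reason: 'incident-001', ttlSec: 600 })
      .expect(201);

    expect(res.body.data.ok).toBe(true);
    // The bypass must be visible through the service, not only in the response.
    expect(await bypass.isBypassed(endpoint)).toBe(true);

    // Enabling a bypass must leave an audit record.
    // NOTE(review): this filter matches any EmergencyBypass CREATE row, not the
    // one for `endpoint`. Tighten it once the audit row's identifying field is
    // confirmed, and assert that it records the acting admin and the reason.
    const audits = await prisma.iamAuditLog.findMany({
      where: { resource: 'EmergencyBypass', action: 'CREATE' },
    });
    expect(audits.length).toBeGreaterThanOrEqual(1);
  });

  it('[IAM-ADMIN-EB-002] ttlSec 超过 4h 上限被 class-validator 拒', async () => {
    const endpoint = 'POST /x';
    // 5h is above the 4h cap named in the test title.
    await request(app.getHttpServer())
      .post('/api/v1/iam/emergency-bypass')
      .set('Authorization', `Bearer ${adminToken}`)
      .send({ endpoint, reason: 'too long', ttlSec: 5 * 60 * 60 })
      .expect(400);

    // A rejected request must not leave a bypass behind.
    expect(await bypass.isBypassed(endpoint)).toBe(false);
  });

  it('[IAM-ADMIN-EB-003] reason 缺失被拒', async () => {
    const endpoint = 'POST /x';
    // No `reason` in the payload: a bypass without a justification is refused.
    await request(app.getHttpServer())
      .post('/api/v1/iam/emergency-bypass')
      .set('Authorization', `Bearer ${adminToken}`)
      .send({ endpoint, ttlSec: 600 })
      .expect(400);

    // A rejected request must not leave a bypass behind.
    expect(await bypass.isBypassed(endpoint)).toBe(false);
  });

  it('[IAM-ADMIN-EB-004] GET 列出当前生效豁免', async () => {
    const endpoint = `POST /api/v1/list-${Date.now()}`;
    // Seed through the service so this case exercises only the listing route.
    await bypass.enableFor(endpoint, 'list test', 600);

    const res = await request(app.getHttpServer())
      .get('/api/v1/iam/emergency-bypass')
      .set('Authorization', `Bearer ${adminToken}`)
      .expect(200);

    expect(res.body.data.some((x: { endpoint: string }) => x.endpoint === endpoint)).toBe(true);
  });

  it('[IAM-ADMIN-EB-005] DELETE base64url 解除豁免', async () => {
    const endpoint = `POST /api/v1/del-${Date.now()}`;
    await bypass.enableFor(endpoint, 'del test', 600);

    // The endpoint key contains a space and slashes, so it is sent base64url-encoded
    // as one path segment.
    await request(app.getHttpServer())
      .delete(`/api/v1/iam/emergency-bypass/${b64u(endpoint)}`)
      .set('Authorization', `Bearer ${adminToken}`)
      .expect(200);

    expect(await bypass.isBypassed(endpoint)).toBe(false);
    // NOTE(review): creation is checked against the audit log in EB-001, but
    // removal is not. Add the matching assertion once the audit action name
    // used for removal is confirmed.
  });
});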
