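using System.Security.Claims;
using Socialize.Api.Infrastructure.Security;
using Socialize.Api.Modules.Identity.Contracts;

namespace Socialize.Tests.Security;

/// <summary>
/// Verifies that <see cref="AccessScopeService"/> derives workspace access from an
/// explicit <c>KnownClaims.WorkspaceScope</c> claim and not from role membership alone,
/// and that a scope claim for one workspace does not leak into another.
/// </summary>
public class AccessScopeServiceTests
{
    [Fact]
    public void Manager_role_does_not_grant_workspace_access_without_workspace_scope()
    {
        Guid workspaceId = Guid.NewGuid();
        ClaimsPrincipal user = CreateUser(KnownRoles.Manager);

        // Role alone carries no workspace scope, so both checks must deny.
        Assert.False(AccessScopeService.CanAccessWorkspace(user, workspaceId));
        Assert.False(AccessScopeService.CanManageWorkspace(user, workspaceId));
    }

    [Fact]
    public void Administrator_role_does_not_grant_workspace_access_without_workspace_scope()
    {
        Guid workspaceId = Guid.NewGuid();
        ClaimsPrincipal user = CreateUser(KnownRoles.Administrator);

        // Even the highest role is not an implicit scope over every workspace.
        Assert.False(AccessScopeService.CanAccessWorkspace(user, workspaceId));
        Assert.False(AccessScopeService.CanManageWorkspace(user, workspaceId));
    }

    [Fact]
    public void Manager_can_manage_only_workspaces_in_scope()
    {
        Guid workspaceId = Guid.NewGuid();
        ClaimsPrincipal user = CreateUser(
            KnownRoles.Manager,
            new Claim(KnownClaims.WorkspaceScope, workspaceId.ToString()));

        Assert.True(AccessScopeService.CanAccessWorkspace(user, workspaceId));
        Assert.True(AccessScopeService.CanManageWorkspace(user, workspaceId));
    }

    [Fact]
    public void Workspace_scope_does_not_grant_access_to_other_workspaces()
    {
        Guid scopedWorkspaceId = Guid.NewGuid();
        Guid otherWorkspaceId = Guid.NewGuid();
        ClaimsPrincipal user = CreateUser(
            KnownRoles.Manager,
            new Claim(KnownClaims.WorkspaceScope, scopedWorkspaceId.ToString()));

        // Negative counterpart of the "only workspaces in scope" case: a scope claim
        // for one workspace must not be honoured for a different workspace id.
        Assert.False(AccessScopeService.CanAccessWorkspace(user, otherWorkspaceId));
        Assert.False(AccessScopeService.CanManageWorkspace(user, otherWorkspaceId));
    }

    /// <summary>
    /// Builds a test principal carrying a fresh <see cref="ClaimTypes.NameIdentifier"/>,
    /// the given <see cref="ClaimTypes.Role"/>, and any additional <paramref name="claims"/>,
    /// under the authentication type <c>"Test"</c>.
    /// </summary>
    /// <param name="role">Role value placed in the <see cref="ClaimTypes.Role"/> claim.</param>
    /// <param name="claims">Extra claims appended after the base claims (e.g. a workspace scope).</param>
    /// <returns>An authenticated <see cref="ClaimsPrincipal"/> with a single identity.</returns>
    private static ClaimsPrincipal CreateUser(string role, params Claim[] claims)
    {
        Claim[] baseClaims =
        [
            new(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString()),
            new(ClaimTypes.Role, role),
        ];

        return new ClaimsPrincipal(new ClaimsIdentity(baseClaims.Concat(claims), "Test"));
    }
}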