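package cli

import (
	"errors"
	"strings"
	"testing"

	"forge.lclr.dev/AI/mcp-framework/secretstore"
)

// TestWriteSetupSecretVerifiedPersistsAndConfirmsReadability checks the happy
// path: with a store that accepts writes and reads, WriteSetupSecretVerified
// returns nil and the value ends up stored under SecretName.
func TestWriteSetupSecretVerifiedPersistsAndConfirmsReadability(t *testing.T) {
	const secretValue = "secret-v1"

	store := &setupSecretStore{secrets: map[string]string{}}

	err := WriteSetupSecretVerified(SetupSecretWriteOptions{
		Store:       store,
		SecretName:  "api-token",
		SecretLabel: "API token",
		Value: SetupValue{
			Type:   SetupFieldSecret,
			String: secretValue,
			Set:    true,
		},
	})
	if err != nil {
		t.Fatalf("WriteSetupSecretVerified returned error: %v", err)
	}

	// NOTE(review): only persistence is asserted here. The fake's GetSecret
	// succeeds, so any read-back the function performs passes silently; the
	// test does not prove that a read-back happened.
	if got := store.secrets["api-token"]; got != secretValue {
		t.Fatalf("stored secret = %q, want secret-v1", got)
	}
}

// TestWriteSetupSecretVerifiedReturnsContextForReadOnlyStores checks that when
// the store rejects the write with secretstore.ErrReadOnly, the returned error
// still matches ErrReadOnly through errors.Is, names the TokenEnv variable as
// remediation, and does not echo the secret value.
func TestWriteSetupSecretVerifiedReturnsContextForReadOnlyStores(t *testing.T) {
	const secretValue = "secret-v1"

	store := &setupSecretStore{
		secrets: map[string]string{},
		setErr:  secretstore.ErrReadOnly,
	}

	err := WriteSetupSecretVerified(SetupSecretWriteOptions{
		Store:      store,
		SecretName: "api-token",
		TokenEnv:   "GRAYLOG_MCP_API_TOKEN",
		Value: SetupValue{
			Type:   SetupFieldSecret,
			String: secretValue,
			Set:    true,
		},
	})
	if err == nil {
		t.Fatal("expected error")
	}
	if !errors.Is(err, secretstore.ErrReadOnly) {
		t.Fatalf("error = %v, want ErrReadOnly", err)
	}
	if !strings.Contains(err.Error(), "GRAYLOG_MCP_API_TOKEN") {
		t.Fatalf("error = %v, want token env remediation", err)
	}
	// Setup errors reach terminals and logs, so the message must carry
	// context only, never the secret. The error is deliberately not printed.
	if strings.Contains(err.Error(), secretValue) {
		t.Fatal("error text contains the secret value; errors must not echo secret material")
	}
}

// TestWriteSetupSecretVerifiedValidatesKeptStoredSecret checks that when the
// value is flagged KeptStoredSecret and the store's GetSecret fails with
// secretstore.ErrNotFound, the call fails with an error that matches
// ErrNotFound, names the TokenEnv variable, and does not echo the secret value.
func TestWriteSetupSecretVerifiedValidatesKeptStoredSecret(t *testing.T) {
	const secretValue = "stored-token"

	store := &setupSecretStore{
		secrets: map[string]string{},
		getErr:  secretstore.ErrNotFound,
	}

	err := WriteSetupSecretVerified(SetupSecretWriteOptions{
		Store:      store,
		SecretName: "api-token",
		TokenEnv:   "GRAYLOG_MCP_API_TOKEN",
		Value: SetupValue{
			Type:             SetupFieldSecret,
			String:           secretValue,
			Set:              true,
			KeptStoredSecret: true,
		},
	})
	if err == nil {
		t.Fatal("expected error")
	}
	if !errors.Is(err, secretstore.ErrNotFound) {
		t.Fatalf("error = %v, want ErrNotFound", err)
	}
	if !strings.Contains(err.Error(), "GRAYLOG_MCP_API_TOKEN") {
		t.Fatalf("error = %v, want token env remediation", err)
	}
	// Same guard as on the read-only path: the failure message must not
	// contain the secret. The error is deliberately not printed.
	if strings.Contains(err.Error(), secretValue) {
		t.Fatal("error text contains the secret value; errors must not echo secret material")
	}
}

// setupSecretStore is an in-memory fake secret store for these tests.
//
// secrets holds the stored values keyed by secret name. When setErr is
// non-nil, SetSecret returns it and stores nothing. When getErr is non-nil,
// GetSecret returns it without consulting secrets.
type setupSecretStore struct {
	secrets map[string]string
	setErr  error
	getErr  error
}

// SetSecret stores secret under name, or returns the injected setErr without
// storing anything. The label argument is ignored by this fake.
func (s *setupSecretStore) SetSecret(name, label, secret string) error {
	if s.setErr != nil {
		return s.setErr
	}
	// Allocate lazily so a zero-value fake does not panic on its first write.
	if s.secrets == nil {
		s.secrets = make(map[string]string)
	}
	s.secrets[name] = secret
	return nil
}

// GetSecret returns the value stored under name. The injected getErr takes
// precedence; a missing name yields secretstore.ErrNotFound.
func (s *setupSecretStore) GetSecret(name string) (string, error) {
	if s.getErr != nil {
		return "", s.getErr
	}
	value, ok := s.secrets[name]
	if !ok {
		return "", secretstore.ErrNotFound
	}
	return value, nil
}

// DeleteSecret removes name from the fake and always returns nil, including
// when name was never stored.
func (s *setupSecretStore) DeleteSecret(name string) error {
	delete(s.secrets, name)
	return nil
}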