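(ns auto-ap.auth.role-based-test
  "Integration tests for role-based client visibility (behaviors 9.1 - 9.5).

   Two pieces are pinned here: how `gql-utils/limited-clients` scopes the
   clients visible to a caller by role, and how `auth/user->jwt` encodes a
   user's client list into token claims.  The tests rely on two different
   'no clients' encodings, and the distinction matters for authorization:

     * `nil` from `limited-clients` is the admin 'unrestricted' sentinel
       (9.1);
     * an empty `:user/clients` vector (9.5) or an empty gzip payload in
       `:gz-clients` (9.4) means 'restricted to nothing'.

   A change that made a non-admin identity with no clients come back as
   `nil` from `limited-clients` would therefore read as unrestricted access.
   That specific case is not exercised in this file yet."
  (:require [auto-ap.datomic :as datomic]
            [auto-ap.datomic.users :as users]
            [auto-ap.graphql.utils :as gql-utils]
            [auto-ap.handler :as handler]
            [auto-ap.integration.util :refer [admin-token setup-test-data test-account
                                              test-client test-vendor user-token wrap-setup]]
            [auto-ap.routes.auth :as auth]
            [clojure.test :refer [deftest is testing use-fixtures]]
            [datomic.api :as dc]))

(use-fixtures :each wrap-setup)

;; ============================================================================
;; Role-Based Access Behaviors (9.1 - 9.5)
;; ============================================================================

(deftest test-admin-access-all-clients
  ;; Only the sentinel value is asserted: `limited-clients` must be nil for
  ;; an admin identity regardless of how many clients exist.  Whether the
  ;; GraphQL layer actually interprets nil as "every client" is not checked
  ;; here; the second client is transacted so the result provably does not
  ;; depend on a single-client database.
  (testing "Behavior 9.1: It should allow admin users to access all clients"
    ;; Seed data is needed for its side effects only; nothing in the
    ;; returned map is read by this test.
    (setup-test-data [])
    ;; Create another client
    @(dc/transact datomic/conn
                  [{:db/id "client-2"
                    :client/name "Second Client"
                    :client/code "SC"
                    :client/locations ["DT"]}])
    ;; Admin should have nil limited-clients (meaning all)
    (is (nil? (gql-utils/limited-clients (admin-token))))))

(deftest test-regular-user-limited-clients
  ;; NOTE(review): the complementary case — a "user" identity whose
  ;; :user/clients is [] — is not covered; given nil means unrestricted
  ;; (9.1), pinning that limited-clients returns an empty seq rather than
  ;; nil for it would close the most dangerous regression.
  (testing "Behavior 9.2: It should allow regular users to access only their assigned clients"
    (let [{:strs [test-client-id]} (setup-test-data [])
          ;; Identity as it looks after token decoding: string role (the
          ;; shape user->jwt emits, see 9.4/9.5) and clients as :db/id maps.
          user-identity {:user/role "user"
                         :user/clients [{:db/id test-client-id}]}
          visible (gql-utils/limited-clients user-identity)]
      ;; Exactly the assigned client and nothing else.
      (is (= [test-client-id] (map :db/id visible))))))

(deftest test-readonly-user-access
  ;; The behavior title speaks of "all clients with view-only permissions",
  ;; but what is asserted is narrower: a read-only identity's own client
  ;; list is returned unchanged.  The view-only (write-denied) half is not
  ;; exercised by this test.
  (testing "Behavior 9.3: It should allow read-only users to access all clients with view-only permissions"
    (let [readonly-identity {:user/role "read-only"
                             :user/clients [{:db/id 1} {:db/id 2}]}
          ;; Read-only users get their full client list from limited-clients
          visible (gql-utils/limited-clients readonly-identity)]
      (is (= [1 2] (map :db/id visible))))))

(deftest test-admin-no-clients-empty-compressed
  (testing "Behavior 9.4: It should handle admin users with no clients by providing an empty compressed list"
    (let [admin-user {:db/id 1
                      :user/name "Admin"
                      :user/role :user-role/admin
                      :user/clients []}
          jwt-data (auth/user->jwt admin-user "fake-token")]
      ;; The keyword role on the entity becomes a plain string claim.
      (is (= "admin" (:user/role jwt-data)))
      ;; Admin tokens carry clients gzip-compressed under :gz-clients; the
      ;; payload must be present even when it decompresses to nothing.
      (is (some? (:gz-clients jwt-data)))
      (is (empty? (auth/gunzip (:gz-clients jwt-data)))))))

(deftest test-regular-user-no-clients-empty-vector
  (testing "Behavior 9.5: It should handle regular users with no clients by providing an empty client vector"
    (let [regular-user {:db/id 2
                        :user/name "User"
                        :user/role :user-role/user
                        :user/clients []}
          jwt-data (auth/user->jwt regular-user "fake-token")]
      (is (= "user" (:user/role jwt-data)))
      ;; Regular users get a plain (here empty) client vector, not the
      ;; compressed admin encoding — so :gz-clients must be absent.  An
      ;; empty vector, not nil, is the fail-closed "no access" value.
      (is (empty? (:user/clients jwt-data)))
      (is (nil? (:gz-clients jwt-data))))))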