import { SystemRole } from "@nexus/shared";
import { describe, expect, it, vi, beforeEach } from "vitest";
import { webhookRouter } from "../router/webhook.js";
import { createCallerFactory } from "../trpc.js";

// ─── Hoisted mocks ────────────────────────────────────────────────────────────

const { assertWebhookUrlAllowed } = vi.hoisted(() => ({
  assertWebhookUrlAllowed: vi.fn().mockResolvedValue(undefined),
}));

const { sendWebhookTestRequest } = vi.hoisted(() => ({
  sendWebhookTestRequest: vi.fn(),
}));

vi.mock("../lib/ssrf-guard.js", () => ({ assertWebhookUrlAllowed }));

vi.mock("../router/webhook-support.js", async (importOriginal) => {
  const original = await importOriginal<typeof import("../router/webhook-support.js")>();
  return {
    ...original,
    sendWebhookTestRequest,
  };
});

vi.mock("../lib/audit.js", () => ({
  createAuditEntry: vi.fn().mockResolvedValue(undefined),
}));

// ─── Caller factory ───────────────────────────────────────────────────────────

const createCaller = createCallerFactory(webhookRouter);

function createAdminCaller(db: Record<string, unknown>) {
  return createCaller({
    session: {
      user: { email: "admin@example.com", name: "Admin", image: null },
      expires: "2099-01-01T00:00:00.000Z",
    },
    db: db as never,
    dbUser: {
      id: "user_admin",
      systemRole: SystemRole.ADMIN,
      permissionOverrides: null,
    },
    roleDefaults: null,
  });
}

function createManagerCaller(db: Record<string, unknown>) {
  return createCaller({
    session: {
      user: { email: "manager@example.com", name: "Manager", image: null },
      expires: "2099-01-01T00:00:00.000Z",
    },
    db: db as never,
    dbUser: {
      id: "user_manager",
      systemRole: SystemRole.MANAGER,
      permissionOverrides: null,
    },
    roleDefaults: null,
  });
}

// ─── Fixtures ─────────────────────────────────────────────────────────────────

const webhookFixture = {
  id: "wh_1",
  name: "Deploy Notifier",
  url: "https://hooks.example.com/deploy",
  secret: null,
  events: ["allocation.created"],
  isActive: true,
  createdAt: new Date("2025-01-01"),
};

// ─── Tests ────────────────────────────────────────────────────────────────────

describe("webhook.list", () => {
  it("returns all webhooks ordered by creation date descending", async () => {
    const findMany = vi.fn().mockResolvedValue([webhookFixture]);
    const caller = createAdminCaller({ webhook: { findMany } });

    const result = await caller.list();

    expect(findMany).toHaveBeenCalledWith({ orderBy: { createdAt: "desc" } });
    expect(result).toHaveLength(1);
    expect(result[0]).toMatchObject({ id: "wh_1", name: "Deploy Notifier" });
  });

  it("returns an empty array when no webhooks exist", async () => {
    const findMany = vi.fn().mockResolvedValue([]);
    const caller = createAdminCaller({ webhook: { findMany } });

    const result = await caller.list();

    expect(result).toHaveLength(0);
  });

  it("rejects non-admin callers with FORBIDDEN", async () => {
    const caller = createManagerCaller({ webhook: { findMany: vi.fn() } });

    await expect(caller.list()).rejects.toMatchObject({ code: "FORBIDDEN" });
  });
});

describe("webhook.getById", () => {
  it("returns the webhook when it exists", async () => {
    const findUnique = vi.fn().mockResolvedValue(webhookFixture);
    const caller = createAdminCaller({ webhook: { findUnique } });

    const result = await caller.getById({ id: "wh_1" });

    expect(findUnique).toHaveBeenCalledWith({ where: { id: "wh_1" } });
    expect(result).toMatchObject({ id: "wh_1", name: "Deploy Notifier" });
  });

  it("throws NOT_FOUND when the webhook does not exist", async () => {
    const findUnique = vi.fn().mockResolvedValue(null);
    const caller = createAdminCaller({ webhook: { findUnique } });

    await expect(caller.getById({ id: "missing" })).rejects.toMatchObject({
      code: "NOT_FOUND",
    });
  });
});

describe("webhook.create", () => {
  beforeEach(() => {
    assertWebhookUrlAllowed.mockReset().mockResolvedValue(undefined);
  });

  it("creates a webhook and returns it after SSRF validation", async () => {
    const created = { ...webhookFixture };
    const dbCreate = vi.fn().mockResolvedValue(created);
    const caller = createAdminCaller({ webhook: { create: dbCreate } });

    const result = await caller.create({
      name: "Deploy Notifier",
      url: "https://hooks.example.com/deploy",
      events: ["allocation.created"],
      isActive: true,
    });

    expect(assertWebhookUrlAllowed).toHaveBeenCalledWith("https://hooks.example.com/deploy");
    expect(dbCreate).toHaveBeenCalled();
    expect(result).toMatchObject({ id: "wh_1", name: "Deploy Notifier" });
  });

  it("rejects when the SSRF guard blocks the URL", async () => {
    const { TRPCError } = await import("@trpc/server");
    assertWebhookUrlAllowed.mockRejectedValue(
      new TRPCError({ code: "BAD_REQUEST", message: "Webhook URLs must use HTTPS." }),
    );

    const caller = createAdminCaller({ webhook: { create: vi.fn() } });

    await expect(
      caller.create({
        name: "Internal",
        url: "https://192.168.1.1/hook",
        events: ["project.created"],
        isActive: true,
      }),
    ).rejects.toMatchObject({ code: "BAD_REQUEST" });
  });

  it("rejects non-admin callers with FORBIDDEN", async () => {
    const caller = createManagerCaller({ webhook: { create: vi.fn() } });

    await expect(
      caller.create({
        name: "Test",
        url: "https://example.com/hook",
        events: ["allocation.created"],
        isActive: true,
      }),
    ).rejects.toMatchObject({ code: "FORBIDDEN" });
  });
});

describe("webhook.update", () => {
  beforeEach(() => {
    assertWebhookUrlAllowed.mockReset().mockResolvedValue(undefined);
  });

  it("updates a webhook name and returns the updated record", async () => {
    const updated = { ...webhookFixture, name: "CI Notifier" };
    const findUnique = vi.fn().mockResolvedValue(webhookFixture);
    const update = vi.fn().mockResolvedValue(updated);
    const caller = createAdminCaller({ webhook: { findUnique, update } });

    const result = await caller.update({ id: "wh_1", data: { name: "CI Notifier" } });

    expect(update).toHaveBeenCalledWith(expect.objectContaining({ where: { id: "wh_1" } }));
    expect(result).toMatchObject({ name: "CI Notifier" });
  });

  it("validates the new URL via SSRF guard when updating URL", async () => {
    const updated = { ...webhookFixture, url: "https://new.example.com/hook" };
    const findUnique = vi.fn().mockResolvedValue(webhookFixture);
    const update = vi.fn().mockResolvedValue(updated);
    const caller = createAdminCaller({ webhook: { findUnique, update } });

    await caller.update({ id: "wh_1", data: { url: "https://new.example.com/hook" } });

    expect(assertWebhookUrlAllowed).toHaveBeenCalledWith("https://new.example.com/hook");
  });

  it("throws NOT_FOUND when the webhook to update does not exist", async () => {
    const findUnique = vi.fn().mockResolvedValue(null);
    const caller = createAdminCaller({ webhook: { findUnique } });

    await expect(caller.update({ id: "missing", data: { name: "Ghost" } })).rejects.toMatchObject({
      code: "NOT_FOUND",
    });
  });
});

describe("webhook.delete", () => {
  it("deletes the webhook and resolves without error", async () => {
    const findUnique = vi.fn().mockResolvedValue(webhookFixture);
    const dbDelete = vi.fn().mockResolvedValue(undefined);
    const caller = createAdminCaller({ webhook: { findUnique, delete: dbDelete } });

    await caller.delete({ id: "wh_1" });

    expect(dbDelete).toHaveBeenCalledWith({ where: { id: "wh_1" } });
  });

  it("throws NOT_FOUND when the webhook does not exist", async () => {
    const findUnique = vi.fn().mockResolvedValue(null);
    const caller = createAdminCaller({ webhook: { findUnique } });

    await expect(caller.delete({ id: "missing" })).rejects.toMatchObject({
      code: "NOT_FOUND",
    });
  });
});

describe("webhook.test", () => {
  beforeEach(() => {
    assertWebhookUrlAllowed.mockReset().mockResolvedValue(undefined);
    sendWebhookTestRequest.mockReset();
  });

  it("sends a test request and returns the result on success", async () => {
    sendWebhookTestRequest.mockResolvedValue({
      success: true,
      statusCode: 200,
      statusText: "OK",
    });
    const findUnique = vi.fn().mockResolvedValue(webhookFixture);
    const caller = createAdminCaller({ webhook: { findUnique } });

    const result = await caller.test({ id: "wh_1" });

    expect(assertWebhookUrlAllowed).toHaveBeenCalledWith(webhookFixture.url);
    expect(sendWebhookTestRequest).toHaveBeenCalledWith(webhookFixture);
    expect(result).toMatchObject({ success: true, statusCode: 200 });
  });

  it("returns failure result when the remote endpoint rejects the request", async () => {
    sendWebhookTestRequest.mockResolvedValue({
      success: false,
      statusCode: 500,
      statusText: "Internal Server Error",
    });
    const findUnique = vi.fn().mockResolvedValue(webhookFixture);
    const caller = createAdminCaller({ webhook: { findUnique } });

    const result = await caller.test({ id: "wh_1" });

    expect(result.success).toBe(false);
    expect(result.statusCode).toBe(500);
  });

  it("throws NOT_FOUND when the webhook to test does not exist", async () => {
    const findUnique = vi.fn().mockResolvedValue(null);
    const caller = createAdminCaller({ webhook: { findUnique } });

    await expect(caller.test({ id: "missing" })).rejects.toMatchObject({
      code: "NOT_FOUND",
    });
  });
});