import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
import path from 'path';

describe('security.ts', () => {
  let originalEnv: NodeJS.ProcessEnv;

  beforeEach(() => {
    // Save original environment
    originalEnv = { ...process.env };
    // Reset modules to get fresh state
    vi.resetModules();
  });

  afterEach(() => {
    // Restore original environment
    process.env = originalEnv;
  });

  describe('initAllowedPaths', () => {
    it('should load ALLOWED_ROOT_DIRECTORY if set', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/projects';
      delete process.env.DATA_DIR;

      const { initAllowedPaths, getAllowedPaths } = await import('../src/security');
      initAllowedPaths();

      const allowed = getAllowedPaths();
      expect(allowed).toContain(path.resolve('/projects'));
    });

    it('should load DATA_DIR if set', async () => {
      delete process.env.ALLOWED_ROOT_DIRECTORY;
      process.env.DATA_DIR = '/data/directory';

      const { initAllowedPaths, getAllowedPaths } = await import('../src/security');
      initAllowedPaths();

      const allowed = getAllowedPaths();
      expect(allowed).toContain(path.resolve('/data/directory'));
    });

    it('should load both ALLOWED_ROOT_DIRECTORY and DATA_DIR if both set', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/projects';
      process.env.DATA_DIR = '/app/data';

      const { initAllowedPaths, getAllowedPaths } = await import('../src/security');
      initAllowedPaths();

      const allowed = getAllowedPaths();
      expect(allowed).toContain(path.resolve('/projects'));
      expect(allowed).toContain(path.resolve('/app/data'));
    });

    it('should handle missing environment variables gracefully', async () => {
      delete process.env.ALLOWED_ROOT_DIRECTORY;
      delete process.env.DATA_DIR;

      const { initAllowedPaths } = await import('../src/security');
      expect(() => initAllowedPaths()).not.toThrow();
    });
  });

  describe('isPathAllowed', () => {
    it('should allow paths within ALLOWED_ROOT_DIRECTORY', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/allowed';
      delete process.env.DATA_DIR;

      const { initAllowedPaths, isPathAllowed } = await import('../src/security');
      initAllowedPaths();

      expect(isPathAllowed('/allowed/file.txt')).toBe(true);
      expect(isPathAllowed('/allowed/subdir/file.txt')).toBe(true);
    });

    it('should deny paths outside ALLOWED_ROOT_DIRECTORY', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/allowed';
      delete process.env.DATA_DIR;

      const { initAllowedPaths, isPathAllowed } = await import('../src/security');
      initAllowedPaths();

      expect(isPathAllowed('/not-allowed/file.txt')).toBe(false);
      expect(isPathAllowed('/etc/passwd')).toBe(false);
    });

    it('should always allow DATA_DIR paths', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/projects';
      process.env.DATA_DIR = '/app/data';

      const { initAllowedPaths, isPathAllowed } = await import('../src/security');
      initAllowedPaths();

      // DATA_DIR paths are always allowed
      expect(isPathAllowed('/app/data/settings.json')).toBe(true);
      expect(isPathAllowed('/app/data/credentials.json')).toBe(true);
    });

    it('should allow all paths when no restrictions configured', async () => {
      delete process.env.ALLOWED_ROOT_DIRECTORY;
      delete process.env.DATA_DIR;

      const { initAllowedPaths, isPathAllowed } = await import('../src/security');
      initAllowedPaths();

      expect(isPathAllowed('/any/path')).toBe(true);
      expect(isPathAllowed('/etc/passwd')).toBe(true);
    });

    it('should allow all paths when only DATA_DIR is configured', async () => {
      delete process.env.ALLOWED_ROOT_DIRECTORY;
      process.env.DATA_DIR = '/data';

      const { initAllowedPaths, isPathAllowed } = await import('../src/security');
      initAllowedPaths();

      // DATA_DIR should be allowed
      expect(isPathAllowed('/data/file.txt')).toBe(true);
      // And all other paths should be allowed since no ALLOWED_ROOT_DIRECTORY restriction
      expect(isPathAllowed('/any/path')).toBe(true);
    });
  });

  describe('validatePath', () => {
    it('should return resolved path for allowed paths', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/allowed';
      delete process.env.DATA_DIR;

      const { initAllowedPaths, validatePath } = await import('../src/security');
      initAllowedPaths();

      const result = validatePath('/allowed/file.txt');
      expect(result).toBe(path.resolve('/allowed/file.txt'));
    });

    it('should throw error for paths outside allowed directories', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/allowed';
      delete process.env.DATA_DIR;

      const { initAllowedPaths, validatePath, PathNotAllowedError } =
        await import('../src/security');
      initAllowedPaths();

      expect(() => validatePath('/not-allowed/file.txt')).toThrow(PathNotAllowedError);
    });

    it('should resolve relative paths', async () => {
      const cwd = process.cwd();
      process.env.ALLOWED_ROOT_DIRECTORY = cwd;
      delete process.env.DATA_DIR;

      const { initAllowedPaths, validatePath } = await import('../src/security');
      initAllowedPaths();

      const result = validatePath('./file.txt');
      expect(result).toBe(path.resolve(cwd, './file.txt'));
    });

    it('should not throw when no restrictions configured', async () => {
      delete process.env.ALLOWED_ROOT_DIRECTORY;
      delete process.env.DATA_DIR;

      const { initAllowedPaths, validatePath } = await import('../src/security');
      initAllowedPaths();

      expect(() => validatePath('/any/path')).not.toThrow();
    });
  });

  describe('getAllowedPaths', () => {
    it('should return empty array when no paths configured', async () => {
      delete process.env.ALLOWED_ROOT_DIRECTORY;
      delete process.env.DATA_DIR;

      const { initAllowedPaths, getAllowedPaths } = await import('../src/security');
      initAllowedPaths();

      const allowed = getAllowedPaths();
      expect(Array.isArray(allowed)).toBe(true);
      expect(allowed).toHaveLength(0);
    });

    it('should return configured paths', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/projects';
      process.env.DATA_DIR = '/data';

      const { initAllowedPaths, getAllowedPaths } = await import('../src/security');
      initAllowedPaths();

      const allowed = getAllowedPaths();
      expect(allowed).toContain(path.resolve('/projects'));
      expect(allowed).toContain(path.resolve('/data'));
    });
  });

  describe('getAllowedRootDirectory', () => {
    it('should return the configured root directory', async () => {
      process.env.ALLOWED_ROOT_DIRECTORY = '/projects';

      const { initAllowedPaths, getAllowedRootDirectory } = await import('../src/security');
      initAllowedPaths();

      expect(getAllowedRootDirectory()).toBe(path.resolve('/projects'));
    });

    it('should return null when not configured', async () => {
      delete process.env.ALLOWED_ROOT_DIRECTORY;

      const { initAllowedPaths, getAllowedRootDirectory } = await import('../src/security');
      initAllowedPaths();

      expect(getAllowedRootDirectory()).toBeNull();
    });
  });

  describe('getDataDirectory', () => {
    it('should return the configured data directory', async () => {
      process.env.DATA_DIR = '/data';

      const { initAllowedPaths, getDataDirectory } = await import('../src/security');
      initAllowedPaths();

      expect(getDataDirectory()).toBe(path.resolve('/data'));
    });

    it('should return null when not configured', async () => {
      delete process.env.DATA_DIR;

      const { initAllowedPaths, getDataDirectory } = await import('../src/security');
      initAllowedPaths();

      expect(getDataDirectory()).toBeNull();
    });
  });
});