import unittest

from pydantic import ValidationError

from admin_app.core.security import AdminSecurityService
from admin_app.core.settings import AdminSettings


class AdminCredentialStrategyTests(unittest.TestCase):
    """Pin the admin credential policy exposed by AdminSettings and AdminSecurityService."""

    def test_admin_settings_expose_secure_defaults_for_credentials(self):
        # NOTE(review): if AdminSettings also loads values from the process
        # environment or a .env file (not visible from this test), these
        # assertions only hold in a clean environment - confirm.
        defaults = AdminSettings()

        # Password hashing and password policy baseline.
        self.assertEqual(defaults.admin_auth_password_hash_scheme, "pbkdf2_sha256")
        self.assertEqual(defaults.admin_auth_password_hash_iterations, 390000)
        self.assertEqual(defaults.admin_auth_password_min_length, 12)

        # Token lifetimes: short-lived access token, longer-lived refresh token.
        self.assertEqual(defaults.admin_auth_access_token_ttl_minutes, 30)
        self.assertEqual(defaults.admin_auth_refresh_token_ttl_days, 7)

        # Bootstrap account creation has to be opted into explicitly.
        self.assertFalse(defaults.admin_bootstrap_enabled)
        self.assertEqual(defaults.admin_bootstrap_role, "diretor")

    def test_admin_settings_reject_insecure_password_policy(self):
        # Each override weakens exactly one knob and must fail validation on
        # its own. Only one value per knob is probed; the exact lower bounds
        # enforced by AdminSettings are not visible from here.
        # NOTE(review): boundary cases (just below / at the limit) would pin
        # the policy more tightly.
        weakened_overrides = (
            {"admin_auth_password_min_length": 8},
            {"admin_auth_password_hash_iterations": 50000},
        )
        for override in weakened_overrides:
            with self.assertRaises(ValidationError):
                AdminSettings(**override)

    def test_admin_settings_normalize_optional_bootstrap_values(self):
        # Whitespace-only input must come back as None, so a blank pepper or
        # bootstrap password reads as "not configured" instead of being kept
        # as a one-space value.
        blank = " "
        normalized = AdminSettings(
            admin_bootstrap_email=blank,
            admin_bootstrap_display_name=blank,
            admin_bootstrap_password=blank,
            admin_auth_password_pepper=blank,
        )

        optional_fields = (
            "admin_bootstrap_email",
            "admin_bootstrap_display_name",
            "admin_bootstrap_password",
            "admin_auth_password_pepper",
        )
        for field_name in optional_fields:
            self.assertIsNone(getattr(normalized, field_name))

    def test_admin_security_service_builds_runtime_credential_strategy(self):
        # Constructed fixture values: a pepper plus a fully specified
        # bootstrap account, with bootstrap switched on.
        configured = AdminSettings(
            admin_auth_password_pepper="secret-pepper",
            admin_bootstrap_enabled=True,
            admin_bootstrap_email="diretor@empresa.com",
            admin_bootstrap_display_name="Diretor Inicial",
            admin_bootstrap_password="SenhaMuitoSegura!123",
        )
        service = AdminSecurityService(configured)
        strategy = service.build_credential_strategy()

        # Secrets are checked through boolean flags only.
        # NOTE(review): presumably the raw pepper and bootstrap password are
        # not carried on the strategy object - this test does not assert that.
        password_policy = strategy.password
        self.assertEqual(password_policy.hash_scheme, "pbkdf2_sha256")
        self.assertTrue(password_policy.pepper_configured)

        self.assertEqual(strategy.tokens.access_token_ttl_minutes, 30)

        bootstrap = strategy.bootstrap
        self.assertTrue(bootstrap.enabled)
        self.assertEqual(bootstrap.email, "diretor@empresa.com")
        self.assertTrue(bootstrap.password_configured)
        self.assertEqual(bootstrap.role, "diretor")


if __name__ == "__main__":
    unittest.main()