using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using IdentityShroud.Core.Services;
using IdentityShroud.TestUtils.Substitutes;

namespace IdentityShroud.Core.Tests.Services;

public class DataEncryptionServiceTests
{
    private readonly IRealmContext _realmContext = Substitute.For<IRealmContext>();
    private readonly IDekEncryptionService _dekCryptor = new NullDekEncryptionService();// Substitute.For<IDekEncryptionService>();

    private readonly DekId _activeDekId = DekId.NewId();
    private readonly DekId _secondDekId = DekId.NewId();
    private DataEncryptionService CreateSut()
        => new(_realmContext, _dekCryptor);

    [Fact]
    public void Encrypt_UsesActiveKey()
    {
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([
            CreateRealmDek(_secondDekId, false),
            CreateRealmDek(_activeDekId, true),
        ]);

        var cipher = CreateSut().Encrypt("Hello"u8);
        
        Assert.Equal(_activeDekId, cipher.DekId);
    }

    [Fact]
    public void Decrypt_UsesCorrectKey()
    {
        var first = CreateRealmDek(_activeDekId, true);
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first ]);

        var sut = CreateSut();
        var cipher = sut.Encrypt("Hello"u8);

        // Deactivate original key
        first.Active = false;
        // Make new active
        var second = CreateRealmDek(_secondDekId, true);
        // Return both
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first, second ]);


        var decoded = sut.Decrypt(cipher);

        Assert.Equal("Hello"u8, decoded);
    }
    
    private RealmDek CreateRealmDek(DekId id, bool active)
        => new()
        {
            Id = id,
            Active = active,
            Algorithm = "AES",
            KeyData = new(KekId.NewId(), RandomNumberGenerator.GetBytes(32)),
            RealmId = default,
        };
}