package tests

import (
	"errors"
	"testing"

	"github.com/jfraeys/fetch_ml/internal/container"
)

// policyCase is one row of the ValidateSecurityPolicy contract table.
type policyCase struct {
	name       string                 // subtest name
	config     container.PodmanConfig // configuration handed to the validator
	shouldFail bool                   // true when the validator must return ErrSecurityViolation
	reason     string                 // why the row is expected to pass or fail; echoed in failure messages
}

// TestContainerSecurityPolicy pins the security contract of
// container.ValidateSecurityPolicy: privileged mode and host networking
// are hard rejections (wrapped as ErrSecurityViolation), while a bridge
// or empty network and writable mounts are accepted. The table doubles
// as executable documentation of those requirements.
func TestContainerSecurityPolicy(t *testing.T) {
	cases := []policyCase{
		{
			name: "reject privileged mode",
			config: container.PodmanConfig{
				Image:      "pytorch:latest",
				Privileged: true, // must always be refused
			},
			shouldFail: true,
			reason:     "privileged containers bypass isolation",
		},
		{
			name: "reject host network",
			config: container.PodmanConfig{
				Image:   "pytorch:latest",
				Network: "host", // must always be refused
			},
			shouldFail: true,
			reason:     "host network breaks isolation",
		},
		{
			name: "accept valid configuration",
			config: container.PodmanConfig{
				Image:          "pytorch:latest",
				Privileged:     false,
				Network:        "bridge",
				ReadOnlyMounts: true,
			},
			shouldFail: false,
			reason:     "valid secure configuration",
		},
		{
			name: "accept empty network (default bridge)",
			config: container.PodmanConfig{
				Image:      "pytorch:latest",
				Privileged: false,
				Network:    "", // unset network is treated as the default bridge
			},
			shouldFail: false,
			reason:     "empty network uses default bridge",
		},
		{
			name: "warn on non-read-only mounts",
			config: container.PodmanConfig{
				Image:          "pytorch:latest",
				Privileged:     false,
				Network:        "bridge",
				ReadOnlyMounts: false, // discouraged, but only warning-level
			},
			shouldFail: false, // the validator must not return an error for this
			reason:     "non-read-only mounts are discouraged but allowed",
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			err := container.ValidateSecurityPolicy(tc.config)

			// Exactly one of these branches can match; a rejected row must
			// both fail and fail with the sentinel, an accepted row must
			// produce no error at all.
			switch {
			case tc.shouldFail && err == nil:
				t.Errorf("%s: expected failure (%s), got success", tc.name, tc.reason)
			case tc.shouldFail && !errors.Is(err, container.ErrSecurityViolation):
				t.Errorf("%s: expected ErrSecurityViolation, got %v", tc.name, err)
			case !tc.shouldFail && err != nil:
				t.Errorf("%s: expected success (%s), got error: %v", tc.name, tc.reason, err)
			}
		})
	}
}

// requireRejected fails the current subtest immediately when cfg is
// accepted by ValidateSecurityPolicy; msg explains which isolation
// boundary the configuration would have crossed.
func requireRejected(t *testing.T, cfg container.PodmanConfig, msg string) {
	t.Helper()
	if container.ValidateSecurityPolicy(cfg) == nil {
		t.Fatal(msg)
	}
}

// TestSecurityPolicy_IsolationEnforcement checks the two isolation
// boundaries individually: a privileged container and a host-networked
// container must each be rejected on their own.
func TestSecurityPolicy_IsolationEnforcement(t *testing.T) {
	t.Run("privileged_equals_root_access", func(t *testing.T) {
		requireRejected(t, container.PodmanConfig{
			Image:      "test:latest",
			Privileged: true,
		}, "privileged mode must be rejected - it grants root access to host")
	})

	t.Run("host_network_equals_no_isolation", func(t *testing.T) {
		requireRejected(t, container.PodmanConfig{
			Image:   "test:latest",
			Network: "host",
		}, "host network must be rejected - it removes network isolation")
	})
}