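"""Tests for the AZ-407 CVE-2025-53644 fixture (AC-6, AC-7).

The fixture is a deliberately malformed JPEG (SOI and SOS markers present,
no trailing EOI) emitted by ``generate_cve_jpeg.py``.  These tests pin the
generator's output, the checked-in copy of it, the decoder behaviour the
fixture exists to exercise, and the provenance documentation that must
accompany a redistributed test artefact.
"""

from __future__ import annotations

import hashlib
import os
import subprocess
import sys
from pathlib import Path

import pytest

REPO_ROOT = Path(__file__).resolve().parents[3]
FIXTURE_DIR = REPO_ROOT / "e2e" / "fixtures" / "security"
GENERATOR = FIXTURE_DIR / "generate_cve_jpeg.py"
COMMITTED_FIXTURE = FIXTURE_DIR / "cve-2025-53644.jpg"
PROVENANCE_README = FIXTURE_DIR / "README.md"

# Pin the committed fixture's SHA-256 so any change to the generator's
# byte layout fails the unit test explicitly.
COMMITTED_SHA256 = "c281d2f2595916dbbaca8173d2ab37507b6e3c6511aa8e420c1f4e81c877002e"

# JPEG marker bytes the structural test keys on.
_SOI = b"\xff\xd8"  # Start Of Image
_SOS = b"\xff\xda"  # Start Of Scan
_EOI = b"\xff\xd9"  # End Of Image

_MISSING_FIXTURE_MSG = "the AZ-407 deliverable JPEG must be checked in"


def _generator_run(out_path: Path) -> None:
    """Run the fixture generator in a child interpreter, writing to *out_path*.

    PYTHONHASHSEED is pinned in the child's environment — presumably so that
    hash-randomised ordering inside the generator cannot perturb the emitted
    bytes between runs (confirm against generate_cve_jpeg.py).

    A non-zero exit is reported through ``pytest.fail`` with the child's
    captured stdout/stderr attached; a bare ``CalledProcessError`` would
    discard that output and leave a generator crash undiagnosable from the
    test log.
    """
    env = dict(os.environ, PYTHONHASHSEED="0")
    try:
        subprocess.run(
            [sys.executable, str(GENERATOR), str(out_path)],
            check=True,
            capture_output=True,
            text=True,
            env=env,
        )
    except subprocess.CalledProcessError as exc:
        pytest.fail(
            f"generator exited with status {exc.returncode}\n"
            f"--- stdout ---\n{exc.stdout}\n--- stderr ---\n{exc.stderr}"
        )


def test_generator_is_idempotent(tmp_path: Path) -> None:
    """AC-6 / determinism: same call → identical bytes."""
    # Arrange
    out_a = tmp_path / "a.jpg"
    out_b = tmp_path / "b.jpg"

    # Act — two independent child runs, so any per-process nondeterminism
    # (hash seed, time, randomness) would show up as a byte difference.
    _generator_run(out_a)
    _generator_run(out_b)

    # Assert
    assert out_a.read_bytes() == out_b.read_bytes()


def test_committed_fixture_matches_generator(tmp_path: Path) -> None:
    """The checked-in JPEG must equal the generator's current output."""
    # Arrange — fail fast before spawning the generator if the artefact is absent.
    assert COMMITTED_FIXTURE.exists(), _MISSING_FIXTURE_MSG
    regen = tmp_path / "regen.jpg"

    # Act
    _generator_run(regen)
    committed = COMMITTED_FIXTURE.read_bytes()

    # Assert
    assert committed == regen.read_bytes(), (
        "committed cve-2025-53644.jpg drifted from generator output; "
        "re-run `make fixtures-cve` to regenerate"
    )
    # The pinned digest additionally catches the case where the generator and
    # the committed file were changed *together* without this constant.
    assert hashlib.sha256(committed).hexdigest() == COMMITTED_SHA256


def test_jpeg_has_soi_and_truncated_sos() -> None:
    """Structural sanity: SOI present, SOS present, NO EOI (truncated stream)."""
    # Arrange
    assert COMMITTED_FIXTURE.exists(), _MISSING_FIXTURE_MSG
    data = COMMITTED_FIXTURE.read_bytes()

    # Assert
    assert data.startswith(_SOI), "missing SOI marker"
    assert _SOS in data, "missing SOS marker"
    # NOTE(review): only the *trailing* EOI is asserted, as in the original
    # test.  A stricter `_EOI not in data` check may be too strong if the
    # generator emits an EOI inside an earlier segment — confirm against
    # generate_cve_jpeg.py before tightening.
    assert not data.endswith(_EOI), "EOI present — CVE truncation is gone"


def test_opencv_rejects_without_crash() -> None:
    """AC-6: OpenCV must return a clean None imdecode result, no crash.

    A decoder crash would take the whole pytest process down rather than fail
    this assertion, so the observable success criterion here is that
    ``imdecode`` returns ``None`` for the malformed input.
    """
    # Arrange
    cv2 = pytest.importorskip("cv2", reason="opencv-python not in test venv")
    import numpy as np  # noqa: PLC0415

    assert COMMITTED_FIXTURE.exists(), _MISSING_FIXTURE_MSG
    buf = np.fromfile(str(COMMITTED_FIXTURE), dtype=np.uint8)

    # Act
    img = cv2.imdecode(buf, cv2.IMREAD_COLOR)

    # Assert
    assert img is None, (
        "OpenCV decoded the malformed JPEG — the AZ-407 fixture no longer "
        "exercises the CVE-2025-53644 truncation path"
    )


def test_provenance_readme_exists() -> None:
    """AC-7: README documents source, license, redistribution."""
    # Assert
    assert PROVENANCE_README.exists(), "provenance README for the security fixtures is missing"
    # Explicit encoding: the README may contain non-ASCII text, and the
    # platform default codec is not UTF-8 everywhere.
    content = PROVENANCE_README.read_text(encoding="utf-8")
    for heading in ("Provenance", "Re-distribution", "License"):
        assert heading in content, f"README lacks a '{heading}' section"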