using System.Net;
using System.Net.Http.Headers;
using System.Text.Json;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Npgsql;
using Xunit;

namespace Azaion.Missions.E2E.Tests.Security;

/// <summary>
/// NFT-SEC-08 — security-category variant of FT-N-08. Same destructive
/// fixture (DROP TABLE vehicles CASCADE) but emphasises the redaction
/// assertions and the matching log-line presence. Lives in the
/// <c>ErrorEnvelope500</c> collection so xUnit serialises against FT-N-08
/// and the consumer image still uses one round of compose restart for both.
/// Traces: AC-8.6, AC-10.3.
/// </summary>
[Collection("ErrorEnvelope500")]
[Trait("Category", "Sec")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class ErrorRedactionTests : TestBase, IClassFixture<ComposeRestartFixture>
{
    private readonly ComposeRestartFixture _restart;

    public ErrorRedactionTests(ComposeRestartFixture restart) => _restart = restart;

    [SkippableFact]
    [Trait("Traces", "AC-8.6,AC-10.3")]
    [Trait("max_ms", "5000")]
    public async Task NFT_SEC_08_500_body_redacts_internals_and_log_records_exception_type()
    {
        Skip.IfNot(_restart.Enabled,
            "ComposeRestartFixture disabled (COMPOSE_RESTART_ENABLED!=1). " +
            "NFT-SEC-08 drops the vehicles table and needs the full stack restart " +
            "in teardown.");

        // Arrange — DROP TABLE vehicles forces the SUT into the generic
        // catch path on /vehicles/{any}.
        DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
        DropVehiclesTable();
        var requestStart = DateTime.UtcNow;
        var token = await Tokens.MintDefaultAsync();

        try
        {
            // Act
            using var req = new HttpRequestMessage(HttpMethod.Get, $"/vehicles/{Guid.NewGuid()}");
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
            using var response = await Missions.SendAsync(req);

            // Assert — wire-shape is EXACTLY { statusCode, message }; no extra
            // keys, no stack-leak keywords anywhere in the JSON DOM.
            var problem = await HttpAssertions.AssertProblemEnvelopeAsync(
                response, HttpStatusCode.InternalServerError);
            Assert.Equal(500, problem.StatusCode);
            Assert.Equal("Internal server error", problem.Message);

            // The unhandled exception MUST still be logged. The log line
            // includes the exception type (Npgsql.PostgresException) so an
            // operator can diagnose without the response leaking it.
            var deadline = DateTime.UtcNow.AddSeconds(2);
            var sawLog = false;
            while (DateTime.UtcNow < deadline)
            {
                if (DockerLogs.Contains("missions-sut", "Unhandled exception", requestStart))
                {
                    sawLog = true;
                    break;
                }
                await Task.Delay(100);
            }
            Assert.True(sawLog,
                "expected 'Unhandled exception' in missions-sut docker logs within 2s of request");
        }
        finally
        {
            _restart.RestartStack();
        }
    }

    private static void DropVehiclesTable()
    {
        using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
        conn.Open();
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "DROP TABLE IF EXISTS vehicles CASCADE;";
        cmd.ExecuteNonQuery();
    }
}