<?php

declare(strict_types=1);

use App\Filament\Resources\ProviderConnectionResource;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Support\Links\RequiredPermissionsLinks;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Verification\VerificationLinkBehavior;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('classifies external remediation links as external deep dives', function (): void {
    $behavior = app(VerificationLinkBehavior::class)->describe(
        label: 'Grant admin consent',
        url: 'https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent',
    );

    expect($behavior)->toMatchArray([
        'label' => 'Grant admin consent',
        'url' => 'https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent',
        'kind' => 'external',
        'opens_in_new_tab' => true,
        'show_new_tab_hint' => true,
    ]);
});

it('classifies required permissions links as internal diagnostic deep dives', function (): void {
    $tenant = Tenant::factory()->create([
        'external_id' => 'tenant-required-permissions-a',
    ]);

    $behavior = app(VerificationLinkBehavior::class)->describe(
        label: 'Open required permissions',
        url: RequiredPermissionsLinks::requiredPermissions($tenant),
    );

    expect($behavior)->toMatchArray([
        'kind' => 'internal-diagnostic',
        'opens_in_new_tab' => true,
        'show_new_tab_hint' => true,
    ]);
});

it('classifies provider connection management routes as internal diagnostic deep dives', function (): void {
    $tenant = Tenant::factory()->create([
        'external_id' => 'tenant-provider-connections-a',
    ]);

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'tenant_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
        'entra_tenant_id' => (string) $tenant->tenant_id,
    ]);

    $behavior = app(VerificationLinkBehavior::class)->describe(
        label: 'Manage Provider Connections',
        url: ProviderConnectionResource::getUrl(
            'edit',
            ['tenant' => $tenant->external_id, 'record' => (int) $connection->getKey()],
            panel: 'admin',
        ),
    );

    expect($behavior)->toMatchArray([
        'kind' => 'internal-diagnostic',
        'opens_in_new_tab' => true,
        'show_new_tab_hint' => true,
    ]);
});

it('leaves inline-safe onboarding links in the current tab', function (): void {
    $behavior = app(VerificationLinkBehavior::class)->describe(
        label: 'Return to onboarding',
        url: '/admin/onboarding',
    );

    expect($behavior)->toMatchArray([
        'kind' => 'internal-inline-safe',
        'opens_in_new_tab' => false,
        'show_new_tab_hint' => false,
    ]);
});

it('routes permission-related verification report checks through the assist when it is available', function (): void {
    $behavior = app(VerificationLinkBehavior::class);

    expect($behavior->shouldRouteThroughAssist([
        'key' => 'provider.connection.preflight',
        'reason_code' => ProviderReasonCodes::ProviderConsentMissing,
    ], true))->toBeTrue()
        ->and($behavior->shouldRouteThroughAssist([
            'key' => 'permissions.admin_consent',
            'reason_code' => 'ok',
        ], true))->toBeTrue()
        ->and($behavior->shouldRouteThroughAssist([
            'key' => 'provider.connection.preflight',
            'reason_code' => ProviderReasonCodes::ProviderConsentMissing,
        ], false))->toBeFalse();
});