<?php

use App\Filament\Resources\EntraGroupSyncRunResource;
use App\Filament\Resources\EntraGroupSyncRunResource\Pages\ListEntraGroupSyncRuns;
use App\Models\EntraGroupSyncRun;
use App\Models\Tenant;
use App\Models\User;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;

uses(RefreshDatabase::class);

beforeEach(function (): void {
    Http::preventStrayRequests();
});

test('entra group sync runs are listed for the active tenant', function () {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');

    $otherTenant = Tenant::factory()->create();

    EntraGroupSyncRun::query()->create([
        'tenant_id' => $tenant->getKey(),
        'selection_key' => 'groups-v1:all',
        'slot_key' => 'slot-a',
        'status' => EntraGroupSyncRun::STATUS_SUCCEEDED,
    ]);

    EntraGroupSyncRun::query()->create([
        'tenant_id' => $otherTenant->getKey(),
        'selection_key' => 'groups-v1:all',
        'slot_key' => 'slot-b',
        'status' => EntraGroupSyncRun::STATUS_SUCCEEDED,
    ]);

    $this->actingAs($user)
        ->get(EntraGroupSyncRunResource::getUrl('index', tenant: $tenant))
        ->assertOk()
        ->assertSee('slot-a')
        ->assertDontSee('slot-b');
});

test('entra group sync run view is forbidden cross-tenant (403)', function () {
    $tenantA = Tenant::factory()->create();
    $tenantB = Tenant::factory()->create([
        'workspace_id' => $tenantA->workspace_id,
    ]);

    $runB = EntraGroupSyncRun::query()->create([
        'tenant_id' => $tenantB->getKey(),
        'selection_key' => 'groups-v1:all',
        'slot_key' => null,
        'status' => EntraGroupSyncRun::STATUS_SUCCEEDED,
    ]);

    $user = User::factory()->create();
    [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, user: $user, role: 'owner');

    $this->actingAs($user)
        ->get(EntraGroupSyncRunResource::getUrl('view', ['record' => $runB], tenant: $tenantA))
        ->assertForbidden();
});

test('legacy sync runs list is read-only (no sync action)', function () {
    Queue::fake();

    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $this->actingAs($user);

    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $component = Livewire::test(ListEntraGroupSyncRuns::class)->instance();
    $action = $component->getAction([['name' => 'sync_groups']]);

    expect($action)->toBeNull();

    Queue::assertNothingPushed();
});