<?php

declare(strict_types=1);

use App\Jobs\TenantConfiguration\CaptureTenantConfigurationEvidenceJob;
use App\Models\ProviderConnection;
use App\Models\User;
use App\Services\TenantConfiguration\StartTenantConfigurationCapture;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\Queue;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

it('Spec420 allows authorized owners to start selected M365 capture', function (): void {
    Queue::fake();

    [$user, $environment] = createMinimalUserWithTenant(role: 'owner');
    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
    ]);

    $run = app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
        'conditionalAccessPolicy',
    ]);

    expect(data_get($run->context, 'required_capability'))->toBe('evidence.manage')
        ->and(data_get($run->context, 'resource_types'))->toBe(['conditionalAccessPolicy']);

    Queue::assertPushed(CaptureTenantConfigurationEvidenceJob::class);
});

it('Spec420 allows managers with evidence manage capability to start selected M365 capture', function (): void {
    Queue::fake();

    [$user, $environment] = createMinimalUserWithTenant(role: 'manager');
    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
    ]);

    $run = app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
        'conditionalAccessPolicy',
    ]);

    expect(data_get($run->context, 'required_capability'))->toBe('evidence.manage')
        ->and(data_get($run->context, 'resource_types'))->toBe(['conditionalAccessPolicy']);

    Queue::assertPushed(CaptureTenantConfigurationEvidenceJob::class);
});

it('Spec420 returns forbidden for operators without evidence manage capability', function (): void {
    Queue::fake();

    [$user, $environment] = createMinimalUserWithTenant(role: 'operator');
    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
    ]);

    expect(fn () => app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
        'conditionalAccessPolicy',
    ]))->toThrow(AuthorizationException::class);

    Queue::assertNothingPushed();
});

it('Spec420 returns forbidden for readonly users after membership is established', function (): void {
    Queue::fake();

    [$user, $environment] = createMinimalUserWithTenant(role: 'readonly', workspaceRole: 'readonly');
    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
    ]);

    expect(fn () => app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
        'conditionalAccessPolicy',
    ]))->toThrow(AuthorizationException::class);

    Queue::assertNothingPushed();
});

it('Spec420 hides environments from non-members before capture start', function (): void {
    Queue::fake();

    $user = User::factory()->create();
    [, $environment] = createMinimalUserWithTenant(role: 'owner');
    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
    ]);

    expect(fn () => app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
        'conditionalAccessPolicy',
    ]))->toThrow(NotFoundHttpException::class);

    Queue::assertNothingPushed();
});