<?php

declare(strict_types=1);

use App\Models\ManagedEnvironment;
use App\Models\Workspace;
use App\Policies\ProviderConnectionPolicy;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Auth\Access\Response;
use Illuminate\Http\Request;

it('ScopeHardening requires explicit environment_id for ProviderConnectionPolicy::create even if a remembered environment exists', function (): void {
    $environment = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-env-remembered',
    ]);

    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');

    $this->actingAs($user);
    session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);
    session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
        (string) $environment->workspace_id => (int) $environment->getKey(),
    ]);

    /** @var ProviderConnectionPolicy $policy */
    $policy = app(ProviderConnectionPolicy::class);

    $result = $policy->create($user);

    expect($result)->toBeInstanceOf(Response::class);
    expect($result->denied())->toBeTrue();
});

it('ScopeHardening requires explicit environment_id for ProviderConnectionPolicy::create even if Filament tenant is set', function (): void {
    $environment = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-env-filament',
    ]);

    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');

    Filament::setTenant($environment, true);

    $this->actingAs($user);
    session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);

    /** @var ProviderConnectionPolicy $policy */
    $policy = app(ProviderConnectionPolicy::class);

    $result = $policy->create($user);

    expect($result)->toBeInstanceOf(Response::class);
    expect($result->denied())->toBeTrue();
});

it('ScopeHardening ignores legacy query aliases for ProviderConnectionPolicy::create authority', function (): void {
    $environment = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-env-alias',
    ]);

    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');

    $request = Request::create('/admin/provider-connections/create', 'GET', [
        'managed_environment_id' => (int) $environment->getKey(),
    ]);

    $this->app->instance('request', $request);

    $this->actingAs($user);
    session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);
    session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
        (string) $environment->workspace_id => (int) $environment->getKey(),
    ]);

    /** @var ProviderConnectionPolicy $policy */
    $policy = app(ProviderConnectionPolicy::class);

    $result = $policy->create($user);

    expect($result)->toBeInstanceOf(Response::class);
    expect($result->denied())->toBeTrue();
});

it('ScopeHardening denies ProviderConnectionPolicy::create for environment_id that belongs to another workspace', function (): void {
    $environmentA = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-env-a',
    ]);
    [$user, $environmentA] = createUserWithTenant(tenant: $environmentA, role: 'owner');

    $workspaceB = Workspace::factory()->create();
    $environmentB = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspaceB->getKey(),
        'external_id' => 'spec339-scopehardening-env-b',
    ]);

    $request = Request::create('/admin/provider-connections/create', 'GET', [
        'environment_id' => (int) $environmentB->getKey(),
    ]);

    $this->app->instance('request', $request);

    $this->actingAs($user);
    session()->put(WorkspaceContext::SESSION_KEY, (int) $environmentA->workspace_id);

    /** @var ProviderConnectionPolicy $policy */
    $policy = app(ProviderConnectionPolicy::class);

    $result = $policy->create($user);

    expect($result)->toBeInstanceOf(Response::class);
    expect($result->denied())->toBeTrue();
});

it('ScopeHardening returns 403 (not 404) for the create page when environment_id is missing (UI entry behavior)', function (): void {
    $environment = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-create-page',
    ]);

    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');

    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
        ])
        ->get('/admin/provider-connections/create')
        ->assertForbidden();
});

it('ScopeHardening returns 404 for the create page when environment_id belongs to another workspace (UI entry behavior)', function (): void {
    $environmentA = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-create-page-a',
    ]);
    [$user, $environmentA] = createUserWithTenant(tenant: $environmentA, role: 'owner');

    $workspaceB = Workspace::factory()->create();
    $environmentB = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspaceB->getKey(),
        'external_id' => 'spec339-scopehardening-create-page-b',
    ]);

    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $environmentA->workspace_id,
        ])
        ->get('/admin/provider-connections/create?environment_id='.(int) $environmentB->getKey())
        ->assertNotFound();
});

it('ScopeHardening returns 403 (not 404) for the create page when legacy alias is provided (UI entry behavior)', function (): void {
    $environment = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-create-page-alias',
    ]);

    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');

    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
        ])
        ->get('/admin/provider-connections/create?managed_environment_id='.(int) $environment->getKey())
        ->assertForbidden();
});

it('ScopeHardening returns 403 (not 404) for the create page even if a remembered environment exists (UI entry behavior)', function (): void {
    $environment = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-create-page-remembered',
    ]);

    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');

    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
            WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY => [
                (string) $environment->workspace_id => (int) $environment->getKey(),
            ],
        ])
        ->get('/admin/provider-connections/create')
        ->assertForbidden();
});

it('ScopeHardening returns 403 (not 404) for the create page even if Filament tenant is set (UI entry behavior)', function (): void {
    $environment = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-create-page-filament',
    ]);

    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');

    Filament::setTenant($environment, true);

    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
        ])
        ->get('/admin/provider-connections/create')
        ->assertForbidden();
});