<?php

use App\Contracts\Hardening\WriteGateInterface;
use App\Models\Tenant;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

beforeEach(function () {
    config()->set('tenantpilot.hardening.intune_write_gate.enabled', true);
    config()->set('tenantpilot.hardening.intune_write_gate.freshness_threshold_hours', 24);
});

test('gate passes when rbac_status is ok and timestamp is fresh', function () {
    $tenant = Tenant::factory()->create([
        'rbac_status' => 'ok',
        'rbac_last_checked_at' => now()->subHours(1),
    ]);

    $gate = app(WriteGateInterface::class);

    // Should not throw
    $gate->evaluate($tenant, 'restore.execute');

    expect(true)->toBeTrue(); // Reached here without exception
});

test('wouldBlock returns false when rbac_status is ok and fresh', function () {
    $tenant = Tenant::factory()->create([
        'rbac_status' => 'ok',
        'rbac_last_checked_at' => now()->subMinutes(30),
    ]);

    expect(app(WriteGateInterface::class)->wouldBlock($tenant))->toBeFalse();
});

test('gate passes for configured status with fresh timestamp', function () {
    $tenant = Tenant::factory()->create([
        'rbac_status' => 'configured',
        'rbac_last_checked_at' => now()->subHours(1),
    ]);

    $gate = app(WriteGateInterface::class);

    // Should not throw — 'configured' is not in the blocked list
    $gate->evaluate($tenant, 'restore.execute');

    expect(true)->toBeTrue();
});

test('gate passes for manual_assignment_required with fresh timestamp', function () {
    $tenant = Tenant::factory()->create([
        'rbac_status' => 'manual_assignment_required',
        'rbac_last_checked_at' => now()->subHours(1),
    ]);

    $gate = app(WriteGateInterface::class);

    $gate->evaluate($tenant, 'restore.execute');

    expect(true)->toBeTrue();
});