<?php

declare(strict_types=1);

use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Services\Drift\DriftHasher;
use App\Services\Drift\Normalizers\AssignmentsNormalizer;
use App\Services\Drift\Normalizers\ScopeTagsNormalizer;
use App\Services\Drift\Normalizers\SettingsNormalizer;
use App\Services\Intune\VersionService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\Support\ProtectedSnapshotAssertions;

uses(RefreshDatabase::class);

it('redacts secrets before persisting snapshots and keeps secret-only changes distinct', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $policy = Policy::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'policy_type' => 'settingsCatalogPolicy',
        'platform' => 'windows10',
    ]);

    /** @var VersionService $service */
    $service = app(VersionService::class);

    $version1 = $service->captureVersion(
        policy: $policy,
        payload: [
            'wifi' => [
                'ssid' => 'Corp',
                'password' => 'super-secret-1',
            ],
            'settings' => [
                'example' => true,
            ],
        ],
        createdBy: $user->email,
    );

    $version2 = $service->captureVersion(
        policy: $policy,
        payload: [
            'wifi' => [
                'ssid' => 'Corp',
                'password' => 'super-secret-2',
            ],
            'settings' => [
                'example' => true,
            ],
        ],
        createdBy: $user->email,
    );

    $fresh1 = PolicyVersion::query()->findOrFail((int) $version1->getKey());
    $fresh2 = PolicyVersion::query()->findOrFail((int) $version2->getKey());

    ProtectedSnapshotAssertions::assertRedactedPath($fresh1->snapshot, '/wifi/password');
    ProtectedSnapshotAssertions::assertRedactedPath($fresh2->snapshot, '/wifi/password');
    ProtectedSnapshotAssertions::assertFingerprint($fresh1->secret_fingerprints, 'snapshot', '/wifi/password');
    ProtectedSnapshotAssertions::assertFingerprint($fresh2->secret_fingerprints, 'snapshot', '/wifi/password');
    expect($fresh1->snapshot['wifi']['ssid'])->toBe('Corp');
    expect($fresh2->snapshot['wifi']['ssid'])->toBe('Corp');
    expect($fresh1->redaction_version)->toBe(1);
    expect($fresh2->redaction_version)->toBe(1);

    $settingsNormalizer = app(SettingsNormalizer::class);
    $assignmentsNormalizer = app(AssignmentsNormalizer::class);
    $scopeTagsNormalizer = app(ScopeTagsNormalizer::class);
    $hasher = app(DriftHasher::class);

    $hash1 = $hasher->hashNormalized([
        'settings' => $settingsNormalizer->normalizeForDiff(
            snapshot: $fresh1->snapshot,
            policyType: (string) $fresh1->policy_type,
            platform: is_string($fresh1->platform) ? (string) $fresh1->platform : null,
        ),
        'assignments' => $assignmentsNormalizer->normalizeForDiff($fresh1->assignments ?? []),
        'scope_tag_ids' => $scopeTagsNormalizer->normalizeIds($fresh1->scope_tags ?? []),
        'secret_fingerprints' => $fresh1->secret_fingerprints,
        'redaction_version' => $fresh1->redaction_version,
    ]);

    $hash2 = $hasher->hashNormalized([
        'settings' => $settingsNormalizer->normalizeForDiff(
            snapshot: $fresh2->snapshot,
            policyType: (string) $fresh2->policy_type,
            platform: is_string($fresh2->platform) ? (string) $fresh2->platform : null,
        ),
        'assignments' => $assignmentsNormalizer->normalizeForDiff($fresh2->assignments ?? []),
        'scope_tag_ids' => $scopeTagsNormalizer->normalizeIds($fresh2->scope_tags ?? []),
        'secret_fingerprints' => $fresh2->secret_fingerprints,
        'redaction_version' => $fresh2->redaction_version,
    ]);

    expect($hash1)->not->toBe($hash2);
});