<?php

use App\Filament\Resources\ProviderConnectionResource;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\User;

test('owners can manage provider connections in their tenant', function () {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $connection = ProviderConnection::factory()->create([
        'tenant_id' => $tenant->getKey(),
        'display_name' => 'Contoso',
    ]);

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('index', tenant: $tenant))
        ->assertOk()
        ->assertSee(ProviderConnectionResource::getUrl('create', tenant: $tenant));

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('create', tenant: $tenant))
        ->assertOk();

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('edit', ['record' => $connection], tenant: $tenant))
        ->assertOk()
        ->assertSee('Contoso');
});

test('operators can view provider connections but cannot manage them', function () {
    [$user, $tenant] = createUserWithTenant(role: 'operator');

    $connection = ProviderConnection::factory()->create([
        'tenant_id' => $tenant->getKey(),
    ]);

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('index', tenant: $tenant))
        ->assertOk()
        ->assertDontSee(ProviderConnectionResource::getUrl('create', tenant: $tenant));

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('create', tenant: $tenant))
        ->assertForbidden();

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('edit', ['record' => $connection], tenant: $tenant))
        ->assertOk()
        ->assertDontSee('Update credentials')
        ->assertDontSee('Disable connection');
});

test('readonly users can view provider connections but cannot manage them', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $connection = ProviderConnection::factory()->create([
        'tenant_id' => $tenant->getKey(),
    ]);

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('index', tenant: $tenant))
        ->assertOk()
        ->assertDontSee(ProviderConnectionResource::getUrl('create', tenant: $tenant));

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('create', tenant: $tenant))
        ->assertForbidden();

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('edit', ['record' => $connection], tenant: $tenant))
        ->assertOk()
        ->assertDontSee('Update credentials')
        ->assertDontSee('Disable connection');
});

test('provider connection edit is not accessible cross-tenant', function () {
    $tenantA = Tenant::factory()->create();
    $tenantB = Tenant::factory()->create();

    $connectionB = ProviderConnection::factory()->create([
        'tenant_id' => $tenantB->getKey(),
        'display_name' => 'Tenant B Connection',
    ]);

    $user = User::factory()->create();
    $user->tenants()->syncWithoutDetaching([
        $tenantA->getKey() => ['role' => 'owner'],
        $tenantB->getKey() => ['role' => 'owner'],
    ]);

    $this->actingAs($user)
        ->get(ProviderConnectionResource::getUrl('edit', ['record' => $connectionB], tenant: $tenantA))
        ->assertNotFound();
});