<?php

use App\Jobs\CompareBaselineToTenantJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\Tenant;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunType;

it('matches baseline to tenant inventory by policy_type + subject_key (cross-tenant)', function () {
    [$user, $sourceTenant] = createUserWithTenant(role: 'owner');

    $targetTenant = Tenant::factory()->create([
        'workspace_id' => (int) $sourceTenant->workspace_id,
    ]);
    $user->tenants()->syncWithoutDetaching([
        $targetTenant->getKey() => ['role' => 'owner'],
    ]);

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $sourceTenant->workspace_id,
        'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $sourceTenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'captured_at' => now()->subMinute(),
    ]);

    $displayName = 'Shared Policy';
    $subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
    expect($subjectKey)->not->toBeNull();

    $baselineSubjectExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId(
        policyType: 'deviceConfiguration',
        subjectKey: (string) $subjectKey,
    );

    $snapshotPayload = [
        'settings' => [
            ['displayName' => 'SettingX', 'value' => 1],
        ],
    ];

    $expectedContentHash = expectedPolicyVersionContentHash(
        snapshot: $snapshotPayload,
        policyType: 'deviceConfiguration',
        platform: 'windows',
    );

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => $baselineSubjectExternalId,
        'subject_key' => (string) $subjectKey,
        'policy_type' => 'deviceConfiguration',
        'baseline_hash' => $expectedContentHash,
        'meta_jsonb' => [
            'display_name' => $displayName,
            'evidence' => [
                'fidelity' => 'content',
                'source' => 'policy_version',
                'observed_at' => now()->toIso8601String(),
            ],
        ],
    ]);

    $inventorySyncRun = createInventorySyncOperationRunWithCoverage(
        tenant: $targetTenant,
        statusByType: ['deviceConfiguration' => 'succeeded'],
    );

    $policy = Policy::factory()->create([
        'tenant_id' => (int) $targetTenant->getKey(),
        'policy_type' => 'deviceConfiguration',
        'external_id' => 'tenant-policy-uuid',
        'platform' => 'windows',
        'display_name' => $displayName,
    ]);

    PolicyVersion::factory()->create([
        'tenant_id' => (int) $targetTenant->getKey(),
        'policy_id' => (int) $policy->getKey(),
        'policy_type' => (string) $policy->policy_type,
        'platform' => (string) $policy->platform,
        'captured_at' => now(),
        'snapshot' => $snapshotPayload,
        'assignments' => [],
        'scope_tags' => [],
    ]);

    InventoryItem::factory()->create([
        'tenant_id' => (int) $targetTenant->getKey(),
        'workspace_id' => (int) $targetTenant->workspace_id,
        'external_id' => (string) $policy->external_id,
        'policy_type' => (string) $policy->policy_type,
        'display_name' => $displayName,
        'meta_jsonb' => ['etag' => 'E1'],
        'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
        'last_seen_at' => now(),
    ]);

    $opService = app(OperationRunService::class);
    $run = $opService->ensureRunWithIdentity(
        tenant: $targetTenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
        ],
        initiator: $user,
    );

    (new CompareBaselineToTenantJob($run))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $opService,
    );

    $run->refresh();
    expect($run->status)->toBe('completed');
    expect(['succeeded', 'partially_succeeded'])->toContain((string) $run->outcome);

    expect(
        Finding::query()
            ->where('tenant_id', (int) $targetTenant->getKey())
            ->where('source', 'baseline.compare')
            ->count(),
    )->toBe(0);
});

it('does not match role definitions across tenants when the role definition id differs', function (): void {
    [$user, $sourceTenant] = createUserWithTenant(role: 'owner');

    $targetTenant = Tenant::factory()->create([
        'workspace_id' => (int) $sourceTenant->workspace_id,
    ]);
    $user->tenants()->syncWithoutDetaching([
        $targetTenant->getKey() => ['role' => 'owner'],
    ]);

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $sourceTenant->workspace_id,
        'scope_jsonb' => [
            'policy_types' => [],
            'foundation_types' => ['intuneRoleDefinition'],
        ],
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $sourceTenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'captured_at' => now()->subMinute(),
    ]);

    $displayName = 'Security Reader';
    $sourceExternalId = 'source-role-definition-id';
    $targetExternalId = 'target-role-definition-id';

    $subjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', $displayName, $sourceExternalId);
    $baselineSubjectExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy('intuneRoleDefinition', $displayName, $sourceExternalId);

    expect($subjectKey)->not->toBeNull();
    expect($baselineSubjectExternalId)->not->toBeNull();

    $sourcePolicy = Policy::factory()->create([
        'tenant_id' => (int) $sourceTenant->getKey(),
        'external_id' => $sourceExternalId,
        'policy_type' => 'intuneRoleDefinition',
        'platform' => 'all',
        'display_name' => $displayName,
    ]);

    $sourceVersion = PolicyVersion::factory()->create([
        'tenant_id' => (int) $sourceTenant->getKey(),
        'policy_id' => (int) $sourcePolicy->getKey(),
        'policy_type' => 'intuneRoleDefinition',
        'platform' => 'all',
        'captured_at' => now()->subMinute(),
        'snapshot' => [
            'displayName' => $displayName,
            'description' => 'Source tenant role',
            'isBuiltIn' => false,
            'rolePermissions' => [
                [
                    'resourceActions' => [
                        [
                            'allowedResourceActions' => ['microsoft.intune/devices/read'],
                        ],
                    ],
                ],
            ],
            'roleScopeTagIds' => ['0'],
        ],
        'assignments' => [],
        'scope_tags' => [],
    ]);

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => (string) $baselineSubjectExternalId,
        'subject_key' => (string) $subjectKey,
        'policy_type' => 'intuneRoleDefinition',
        'baseline_hash' => app(\App\Services\Baselines\Evidence\ContentEvidenceProvider::class)
            ->fromPolicyVersion($sourceVersion, (string) $baselineSubjectExternalId)
            ->hash,
        'meta_jsonb' => [
            'display_name' => $displayName,
            'evidence' => [
                'fidelity' => 'content',
                'source' => 'policy_version',
                'observed_at' => $sourceVersion->captured_at?->toIso8601String(),
            ],
            'version_reference' => [
                'policy_version_id' => (int) $sourceVersion->getKey(),
            ],
            'rbac' => [
                'is_built_in' => false,
                'role_permission_count' => 1,
            ],
        ],
    ]);

    $inventorySyncRun = createInventorySyncOperationRunWithCoverage(
        tenant: $targetTenant,
        statusByType: ['intuneRoleDefinition' => 'succeeded'],
        foundationTypes: ['intuneRoleDefinition'],
    );

    $targetPolicy = Policy::factory()->create([
        'tenant_id' => (int) $targetTenant->getKey(),
        'policy_type' => 'intuneRoleDefinition',
        'external_id' => $targetExternalId,
        'platform' => 'all',
        'display_name' => $displayName,
    ]);

    PolicyVersion::factory()->create([
        'tenant_id' => (int) $targetTenant->getKey(),
        'policy_id' => (int) $targetPolicy->getKey(),
        'policy_type' => 'intuneRoleDefinition',
        'platform' => 'all',
        'captured_at' => now(),
        'snapshot' => [
            'displayName' => $displayName,
            'description' => 'Target tenant role',
            'isBuiltIn' => false,
            'rolePermissions' => [
                [
                    'resourceActions' => [
                        [
                            'allowedResourceActions' => ['microsoft.intune/devices/read'],
                        ],
                    ],
                ],
            ],
            'roleScopeTagIds' => ['0'],
        ],
        'assignments' => [],
        'scope_tags' => [],
    ]);

    InventoryItem::factory()->create([
        'tenant_id' => (int) $targetTenant->getKey(),
        'workspace_id' => (int) $targetTenant->workspace_id,
        'external_id' => $targetExternalId,
        'policy_type' => 'intuneRoleDefinition',
        'display_name' => $displayName,
        'meta_jsonb' => [
            'etag' => 'E1',
            'is_built_in' => false,
            'role_permission_count' => 1,
        ],
        'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
        'last_seen_at' => now(),
    ]);

    $opService = app(OperationRunService::class);
    $run = $opService->ensureRunWithIdentity(
        tenant: $targetTenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'effective_scope' => [
                'policy_types' => [],
                'foundation_types' => ['intuneRoleDefinition'],
            ],
        ],
        initiator: $user,
    );

    (new CompareBaselineToTenantJob($run))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $opService,
    );

    $run->refresh();
    expect($run->status)->toBe('completed');
    expect(['succeeded', 'partially_succeeded'])->toContain((string) $run->outcome);

    $findings = Finding::query()
        ->where('tenant_id', (int) $targetTenant->getKey())
        ->where('source', 'baseline.compare')
        ->get();

    expect($findings->count())->toBe(2)
        ->and($findings->map(fn (Finding $finding): ?string => data_get($finding->evidence_jsonb, 'change_type'))->sort()->values()->all())->toBe([
            'missing_policy',
            'unexpected_policy',
        ]);
});