<?php

use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\Workspace;
use App\Support\Providers\ProviderReasonCodes;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('stores successful admin consent on provider connection status', function () {
    $tenant = Tenant::factory()->create([
        'tenant_id' => 'tenant-1',
        'name' => 'Contoso',
    ]);

    $response = $this->get(route('admin.consent.callback', [
        'tenant' => $tenant->tenant_id,
        'admin_consent' => 'true',
    ]));

    $response->assertOk();
    $response->assertSee(
        route('filament.admin.resources.tenants.view', ['tenant' => $tenant->external_id, 'record' => $tenant]),
        false,
    );

    $connection = ProviderConnection::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('provider', 'microsoft')
        ->where('entra_tenant_id', $tenant->graphTenantId())
        ->first();

    expect($connection)->not->toBeNull()
        ->and($connection?->status)->toBe('connected')
        ->and($connection?->last_error_reason_code)->toBeNull();

    $this->assertDatabaseHas('audit_logs', [
        'tenant_id' => $tenant->id,
        'action' => 'tenant.consent.callback',
        'status' => 'success',
    ]);
});

it('links back to onboarding when tenant is onboarding', function () {
    $tenant = Tenant::factory()->create([
        'tenant_id' => 'tenant-3',
        'name' => 'Onboarding Tenant',
        'status' => Tenant::STATUS_ONBOARDING,
    ]);

    $response = $this->get(route('admin.consent.callback', [
        'tenant' => $tenant->tenant_id,
        'admin_consent' => 'true',
    ]));

    $response->assertOk();
    $response->assertSee(route('admin.onboarding'), false);
});

it('creates tenant and provider connection when callback tenant does not exist', function () {
    $workspace = Workspace::factory()->create();

    $response = $this->withSession([
        'tenant_onboard_workspace_id' => (int) $workspace->getKey(),
        'tenant_onboard_state' => 'state-456',
    ])->get(route('admin.consent.callback', [
        'tenant' => 'new-tenant',
        'state' => 'state-456',
    ]));

    $response->assertOk();

    $tenant = Tenant::where('tenant_id', 'new-tenant')->first();
    expect($tenant)->not->toBeNull();

    $connection = ProviderConnection::query()
        ->where('tenant_id', (int) $tenant->id)
        ->where('provider', 'microsoft')
        ->where('entra_tenant_id', $tenant->graphTenantId())
        ->first();

    expect($connection)->not->toBeNull()
        ->and($connection?->status)->toBe('needs_consent')
        ->and($connection?->last_error_reason_code)->toBe(ProviderReasonCodes::ProviderConsentMissing);
});

it('records consent callback errors on provider connection state', function () {
    $tenant = Tenant::factory()->create([
        'tenant_id' => 'tenant-2',
        'name' => 'Fabrikam',
    ]);

    $response = $this->get(route('admin.consent.callback', [
        'tenant' => $tenant->tenant_id,
        'error' => 'access_denied',
    ]));

    $response->assertOk();

    $connection = ProviderConnection::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('provider', 'microsoft')
        ->where('entra_tenant_id', $tenant->graphTenantId())
        ->first();

    expect($connection)->not->toBeNull()
        ->and($connection?->status)->toBe('error')
        ->and($connection?->last_error_reason_code)->toBe(ProviderReasonCodes::ProviderAuthFailed)
        ->and($connection?->last_error_message)->toBe('access_denied');

    $this->assertDatabaseHas('audit_logs', [
        'tenant_id' => $tenant->id,
        'action' => 'tenant.consent.callback',
        'status' => 'error',
    ]);
});