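package secrets

import (
	"errors"
	"os"
	"path/filepath"
	"testing"
)

// All credential values in this file ("AK", "SK", "FALLBACK", ...) are
// constructed fixtures. Failure messages format the whole credentials struct
// with %+v, which includes SecretAccessKey, so these tests must not be pointed
// at real credentials.

// TestFileProvider_ParsesSection checks that an [s3.primary] table in the
// secrets file is returned for the name "primary".
func TestFileProvider_ParsesSection(t *testing.T) {
	dir := t.TempDir()
	path := filepath.Join(dir, "secrets.toml")
	// 0o600: the fixture is written owner-read/write only.
	if err := os.WriteFile(path, []byte(`
[s3.primary]
access_key_id = "AK"
secret_access_key = "SK"
`), 0o600); err != nil {
		t.Fatal(err)
	}

	p, err := NewFileProvider(path, S3Credentials{})
	if err != nil {
		t.Fatalf("NewFileProvider: %v", err)
	}
	got, err := p.S3Credentials("primary")
	if err != nil {
		t.Fatalf("S3Credentials: %v", err)
	}
	if got.AccessKeyID != "AK" || got.SecretAccessKey != "SK" {
		t.Errorf("got %+v, want {AK, SK}", got)
	}
}

// TestFileProvider_FallbackWhenSectionMissing checks that the fallback
// credentials are returned when the file parses but has no table for the
// requested name.
func TestFileProvider_FallbackWhenSectionMissing(t *testing.T) {
	dir := t.TempDir()
	path := filepath.Join(dir, "secrets.toml")
	// File exists, but doesn't have an [s3.primary] block.
	if err := os.WriteFile(path, []byte(`
[s3.archive]
access_key_id = "OTHER"
secret_access_key = "OTHER_SK"
`), 0o600); err != nil {
		t.Fatal(err)
	}

	p, err := NewFileProvider(path, S3Credentials{
		AccessKeyID:     "FALLBACK",
		SecretAccessKey: "FALLBACK_SK",
	})
	if err != nil {
		t.Fatal(err)
	}
	got, err := p.S3Credentials("primary")
	if err != nil {
		t.Fatalf("S3Credentials: %v", err)
	}
	// Check both halves of the pair: a result that mixes the fallback key ID
	// with another section's secret must not pass.
	if got.AccessKeyID != "FALLBACK" || got.SecretAccessKey != "FALLBACK_SK" {
		t.Errorf("expected fallback, got %+v", got)
	}
}

// TestFileProvider_MissingFileIsOK checks that a nonexistent secrets file is
// not an error and that lookups then return the fallback credentials.
//
// NOTE(review): under this contract a mistyped path looks the same as an
// intentionally absent file; confirm the provider surfaces which source was
// used.
func TestFileProvider_MissingFileIsOK(t *testing.T) {
	// A name inside a fresh temp dir is guaranteed not to exist, unlike a
	// hard-coded absolute path.
	missing := filepath.Join(t.TempDir(), "missing.toml")

	p, err := NewFileProvider(missing, S3Credentials{
		AccessKeyID:     "FALLBACK",
		SecretAccessKey: "FALLBACK_SK",
	})
	if err != nil {
		t.Fatalf("NewFileProvider should not error on missing file: %v", err)
	}
	got, err := p.S3Credentials("primary")
	if err != nil {
		t.Fatalf("S3Credentials: %v", err)
	}
	if got.AccessKeyID != "FALLBACK" || got.SecretAccessKey != "FALLBACK_SK" {
		t.Errorf("expected fallback, got %+v", got)
	}
}

// TestFileProvider_NoCredsAtAll checks that a lookup fails when neither the
// file nor the fallback supplies credentials.
func TestFileProvider_NoCredsAtAll(t *testing.T) {
	missing := filepath.Join(t.TempDir(), "missing.toml")

	p, err := NewFileProvider(missing, S3Credentials{})
	if err != nil {
		t.Fatal(err)
	}
	if _, err := p.S3Credentials("primary"); err == nil {
		t.Fatal("expected error when no creds in file or fallback")
	}
}

// TestFileProvider_ParseError checks that a file that exists but is not valid
// TOML makes NewFileProvider fail instead of silently using the fallback.
func TestFileProvider_ParseError(t *testing.T) {
	dir := t.TempDir()
	path := filepath.Join(dir, "bad.toml")
	if err := os.WriteFile(path, []byte("not valid toml ===\n"), 0o600); err != nil {
		t.Fatal(err)
	}
	if _, err := NewFileProvider(path, S3Credentials{}); err == nil {
		t.Fatal("expected parse error")
	}
}

// TestStaticProvider checks that StaticProvider returns its configured
// credentials for any name and errors when it holds none.
func TestStaticProvider(t *testing.T) {
	p := StaticProvider{Creds: S3Credentials{AccessKeyID: "X", SecretAccessKey: "Y"}}
	got, err := p.S3Credentials("any-bucket")
	if err != nil {
		t.Fatal(err)
	}
	if got.AccessKeyID != "X" || got.SecretAccessKey != "Y" {
		t.Errorf("got %+v", got)
	}

	empty := StaticProvider{}
	if _, err := empty.S3Credentials("any"); err == nil {
		t.Error("expected error from empty StaticProvider")
	}
}

// TestStaticProvider_ErrorIsExported checks that the empty-credentials path of
// StaticProvider returns a non-nil error.
//
// NOTE(review): errors.Is(err, err) is trivially true for an ordinary
// (comparable) non-nil error, so this asserts only "non-nil" and does not pin
// any exported sentinel. To match the test's name, the second argument should
// be the package's exported error value; its name is not visible in this file.
func TestStaticProvider_ErrorIsExported(t *testing.T) {
	// Sanity: the empty-creds path should be a real error type, not nil.
	_, err := StaticProvider{}.S3Credentials("x")
	if err == nil || !errors.Is(err, err) {
		t.Fatal("expected non-nil error")
	}
}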