// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package proxytracker

import (
	"github.com/hashicorp/consul/acl"
	pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1"
	"github.com/hashicorp/consul/proto-public/pbresource"
	"github.com/stretchr/testify/mock"
	"github.com/stretchr/testify/require"
	"strings"
	"testing"
)

func TestProxyState_Authorize(t *testing.T) {
	testIdentity := &pbresource.Reference{
		Type: &pbresource.Type{
			Group:        "mesh",
			GroupVersion: "v1alpha1",
			Kind:         "Identity",
		},
		Tenancy: &pbresource.Tenancy{
			Partition: "default",
			Namespace: "default",
			PeerName:  "local",
		},
		Name: "test-identity",
	}

	type testCase struct {
		description          string
		proxyState           *ProxyState
		configureAuthorizer  func(authorizer *acl.MockAuthorizer)
		expectedErrorMessage string
	}
	testsCases := []testCase{
		{
			description: "ProxyState - if identity write is allowed for the workload then allow.",
			proxyState: &ProxyState{
				ProxyState: &pbmesh.ProxyState{
					Identity: testIdentity,
				},
			},
			expectedErrorMessage: "",
			configureAuthorizer: func(authz *acl.MockAuthorizer) {
				authz.On("IdentityWrite", testIdentity.Name, mock.Anything).Return(acl.Allow)
			},
		},
		{
			description: "ProxyState - if identity write is not allowed for the workload then deny.",
			proxyState: &ProxyState{
				ProxyState: &pbmesh.ProxyState{
					Identity: testIdentity,
				},
			},
			expectedErrorMessage: "Permission denied: token with AccessorID '' lacks permission 'identity:write' on \"test-identity\"",
			configureAuthorizer: func(authz *acl.MockAuthorizer) {
				authz.On("IdentityWrite", testIdentity.Name, mock.Anything).Return(acl.Deny)
			},
		},
	}
	for _, tc := range testsCases {
		t.Run(tc.description, func(t *testing.T) {
			authz := &acl.MockAuthorizer{}
			authz.On("ToAllow").Return(acl.AllowAuthorizer{Authorizer: authz})
			tc.configureAuthorizer(authz)
			err := tc.proxyState.Authorize(authz)
			errMsg := ""
			if err != nil {
				errMsg = err.Error()
			}
			// using contains because Enterprise tests append the parition and namespace
			// information to the message.
			require.True(t, strings.Contains(errMsg, tc.expectedErrorMessage))
		})
	}
}