// AI generated tests and not yet reviewed.
package application

import (
	"context"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"net/url"
	"slices"
	"strings"
	"testing"

	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/application/v1alpha1"
	operatorfake "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/fake"
	operatorinformers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions"
	authentikapi "goauthentik.io/api/v3"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/kubernetes/fake"
	"k8s.io/client-go/tools/cache"
)

func TestController_syncHandler_create(t *testing.T) {
	const wantPK = "42"

	server := newAuthentikTestServer(t, authentikTestHandlers{
		applicationCreate: func(w http.ResponseWriter, _ *http.Request) {
			writeJSON(t, w, http.StatusCreated, map[string]any{"pk": wantPK})
		},
	})
	t.Cleanup(server.Close)

	ctrl, ctx, cancel := newTestController(t, testApplication(), server.URL)
	t.Cleanup(cancel)

	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "test-app"})
	if err != nil {
		t.Fatalf("syncHandler() error = %v", err)
	}

	got := getApplication(t, ctrl, "default", "test-app")
	if got.Status.PK != wantPK {
		t.Fatalf("status.pk = %q, want %q", got.Status.PK, wantPK)
	}
}

func TestController_syncHandler_ensureFinalizers(t *testing.T) {
	app := testApplication()
	app.Status.PK = "42"

	server := newAuthentikTestServer(t, authentikTestHandlers{})
	t.Cleanup(server.Close)

	ctrl, ctx, cancel := newTestController(t, app, server.URL)
	t.Cleanup(cancel)

	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: app.Namespace, Name: app.Name})
	if err != nil {
		t.Fatalf("syncHandler() error = %v", err)
	}

	got := getApplication(t, ctrl, app.Namespace, app.Name)
	if !slices.Contains(got.Finalizers, DeleteAuthentikApplicationFinalizer) {
		t.Fatalf("finalizers = %v, want %q", got.Finalizers, DeleteAuthentikApplicationFinalizer)
	}
}

func TestController_syncHandler_update(t *testing.T) {
	app := testApplication()
	app.Status.PK = "42"
	app.Finalizers = []string{DeleteAuthentikApplicationFinalizer}

	server := newAuthentikTestServer(t, authentikTestHandlers{
		applicationRetrieve: func(w http.ResponseWriter, _ *http.Request) {
			writeJSON(t, w, http.StatusOK, map[string]any{"pk": "42"})
		},
		applicationPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
			writeJSON(t, w, http.StatusOK, map[string]any{"pk": "42"})
		},
	})
	t.Cleanup(server.Close)

	ctrl, ctx, cancel := newTestController(t, app, server.URL)
	t.Cleanup(cancel)

	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: app.Namespace, Name: app.Name})
	if err != nil {
		t.Fatalf("syncHandler() error = %v", err)
	}

	got := getApplication(t, ctrl, app.Namespace, app.Name)
	if got.Status.PK != "42" {
		t.Fatalf("status.pk = %q, want 42", got.Status.PK)
	}
}

func TestController_syncHandler_update_applicationNotFound(t *testing.T) {
	app := testApplication()
	app.Status.PK = "42"
	app.Finalizers = []string{DeleteAuthentikApplicationFinalizer}

	server := newAuthentikTestServer(t, authentikTestHandlers{
		applicationRetrieve: func(w http.ResponseWriter, _ *http.Request) {
			http.NotFound(w, nil)
		},
	})
	t.Cleanup(server.Close)

	ctrl, ctx, cancel := newTestController(t, app, server.URL)
	t.Cleanup(cancel)

	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: app.Namespace, Name: app.Name})
	if err != nil {
		t.Fatalf("syncHandler() error = %v", err)
	}

	got := getApplication(t, ctrl, app.Namespace, app.Name)
	if got.Status.PK != "" {
		t.Fatalf("status.pk = %q, want empty after application not found", got.Status.PK)
	}
}

func TestController_syncHandler_delete(t *testing.T) {
	now := metav1.Now()
	app := testApplication()
	app.Status.PK = "42"
	app.DeletionTimestamp = &now
	app.Finalizers = []string{DeleteAuthentikApplicationFinalizer}

	var destroyCalled bool
	server := newAuthentikTestServer(t, authentikTestHandlers{
		proxyDestroy: func(w http.ResponseWriter, r *http.Request) {
			destroyCalled = true
			if r.Method != http.MethodDelete {
				t.Errorf("destroy method = %s, want DELETE", r.Method)
			}
			w.WriteHeader(http.StatusNoContent)
		},
	})
	t.Cleanup(server.Close)

	ctrl, ctx, cancel := newTestController(t, app, server.URL)
	t.Cleanup(cancel)

	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: app.Namespace, Name: app.Name})
	if err != nil {
		t.Fatalf("syncHandler() error = %v", err)
	}
	if !destroyCalled {
		t.Fatal("expected Authentik destroy call")
	}

	got := getApplication(t, ctrl, app.Namespace, app.Name)
	if slices.Contains(got.Finalizers, DeleteAuthentikApplicationFinalizer) {
		t.Fatalf("finalizers = %v, want finalizer removed", got.Finalizers)
	}
}

func TestController_syncHandler_delete_providerAlreadyGone(t *testing.T) {
	now := metav1.Now()
	app := testApplication()
	app.Status.PK = "42"
	app.DeletionTimestamp = &now
	app.Finalizers = []string{DeleteAuthentikApplicationFinalizer}

	server := newAuthentikTestServer(t, authentikTestHandlers{
		proxyDestroy: func(w http.ResponseWriter, _ *http.Request) {
			http.NotFound(w, nil)
		},
	})
	t.Cleanup(server.Close)

	ctrl, ctx, cancel := newTestController(t, app, server.URL)
	t.Cleanup(cancel)

	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: app.Namespace, Name: app.Name})
	if err != nil {
		t.Fatalf("syncHandler() error = %v", err)
	}

	got := getApplication(t, ctrl, app.Namespace, app.Name)
	if slices.Contains(got.Finalizers, DeleteAuthentikApplicationFinalizer) {
		t.Fatalf("finalizers = %v, want finalizer removed after 404", got.Finalizers)
	}
}

func TestController_syncHandler_notFound(t *testing.T) {
	server := newAuthentikTestServer(t, authentikTestHandlers{})
	t.Cleanup(server.Close)

	ctrl, ctx, cancel := newTestController(t, nil, server.URL)
	t.Cleanup(cancel)

	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "missing"})
	if err != nil {
		t.Fatalf("syncHandler() error = %v, want nil for missing object", err)
	}
}

func TestController_syncHandler_invalidPK(t *testing.T) {
	now := metav1.Now()
	app := testApplication()
	app.Status.PK = "not-a-number"
	app.DeletionTimestamp = &now
	app.Finalizers = []string{DeleteAuthentikApplicationFinalizer}

	server := newAuthentikTestServer(t, authentikTestHandlers{})
	t.Cleanup(server.Close)

	ctrl, ctx, cancel := newTestController(t, app, server.URL)
	t.Cleanup(cancel)

	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: app.Namespace, Name: app.Name})
	if err == nil {
		t.Fatal("syncHandler() error = nil, want parse error")
	}
	if !strings.Contains(err.Error(), "error parsing PK") {
		t.Fatalf("syncHandler() error = %v, want PK parse error", err)
	}
}

func TestController_enqueueApplication(t *testing.T) {
	server := newAuthentikTestServer(t, authentikTestHandlers{})
	t.Cleanup(server.Close)

	ctrl, _, cancel := newTestController(t, testApplication(), server.URL)
	t.Cleanup(cancel)

	ctrl.enqueueApplication(testApplication())

	if ctrl.workqueue.Len() != 1 {
		t.Fatalf("workqueue length = %d, want 1", ctrl.workqueue.Len())
	}
}

// --- test helpers ---

func testApplication() *v1alpha1.Application {
	return &v1alpha1.Application{
		TypeMeta: metav1.TypeMeta{
			APIVersion: v1alpha1.SchemeGroupVersion.String(),
			Kind:       "Application",
		},
		ObjectMeta: metav1.ObjectMeta{
			Name:      "test-app",
			Namespace: "default",
		},
		Spec: v1alpha1.ApplicationSpec{
			Name:     "My Application",
			Slug:     "my-app",
			Provider: 7,
		},
	}
}

func newTestController(t *testing.T, app *v1alpha1.Application, authentikURL string) (*Controller, context.Context, context.CancelFunc) {
	t.Helper()
	ctx, cancel := context.WithCancel(context.Background())
	ctrl, _, stop := newTestControllerWithContext(t, ctx, app, authentikURL)
	return ctrl, ctx, func() {
		cancel()
		stop()
	}
}

func newTestControllerWithContext(t *testing.T, ctx context.Context, app *v1alpha1.Application, authentikURL string) (*Controller, context.Context, func()) {
	t.Helper()

	authentikClient := newAuthentikAPIClientForTest(t, authentikURL)

	var objects []runtime.Object
	if app != nil {
		objects = append(objects, app)
	}
	applicationClient := operatorfake.NewSimpleClientset(objects...)

	informerFactory := operatorinformers.NewSharedInformerFactory(applicationClient, 0)
	applicationInformer := informerFactory.Application().V1alpha1().Applications()

	ctrl := NewController(ctx, fake.NewClientset(), applicationClient, authentikClient, applicationInformer)

	informerFactory.Start(ctx.Done())
	for informerType, synced := range informerFactory.WaitForCacheSync(ctx.Done()) {
		if !synced {
			t.Fatalf("informer %v failed to sync", informerType)
		}
	}

	return ctrl, ctx, func() {}
}

func newAuthentikAPIClientForTest(t *testing.T, serverURL string) *authentikapi.APIClient {
	t.Helper()

	u, err := url.Parse(serverURL)
	if err != nil {
		t.Fatalf("parse server URL: %v", err)
	}

	cfg := authentikapi.NewConfiguration()
	cfg.Scheme = u.Scheme
	cfg.Host = u.Host

	return authentikapi.NewAPIClient(cfg)
}

type authentikTestHandlers struct {
	applicationCreate        http.HandlerFunc
	applicationRetrieve      http.HandlerFunc
	applicationPartialUpdate http.HandlerFunc
	proxyDestroy             http.HandlerFunc
}

func newAuthentikTestServer(t *testing.T, handlers authentikTestHandlers) *httptest.Server {
	t.Helper()

	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		path := r.URL.Path

		switch {
		case path == "/api/v3/core/applications/" && r.Method == http.MethodPost:
			if handlers.applicationCreate != nil {
				handlers.applicationCreate(w, r)
				return
			}
			http.NotFound(w, r)

		case strings.HasPrefix(path, "/api/v3/core/applications/") && strings.HasSuffix(path, "/"):
			slugPath := strings.TrimPrefix(path, "/api/v3/core/applications/")
			if slugPath == "" {
				http.NotFound(w, r)
				return
			}
			switch r.Method {
			case http.MethodGet:
				if handlers.applicationRetrieve != nil {
					handlers.applicationRetrieve(w, r)
					return
				}
				http.NotFound(w, r)
			case http.MethodPatch:
				if handlers.applicationPartialUpdate != nil {
					handlers.applicationPartialUpdate(w, r)
					return
				}
				http.NotFound(w, r)
			default:
				http.Error(w, "unexpected method on application instance", http.StatusMethodNotAllowed)
			}

		case strings.HasPrefix(path, "/api/v3/providers/proxy/") && strings.HasSuffix(path, "/"):
			idPath := strings.TrimPrefix(path, "/api/v3/providers/proxy/")
			if idPath == "" {
				http.NotFound(w, r)
				return
			}
			if r.Method == http.MethodDelete {
				if handlers.proxyDestroy != nil {
					handlers.proxyDestroy(w, r)
					return
				}
				http.NotFound(w, r)
				return
			}
			http.Error(w, "unexpected method on proxy instance", http.StatusMethodNotAllowed)

		default:
			http.NotFound(w, r)
		}
	})

	return httptest.NewServer(handler)
}

func writeJSON(t *testing.T, w http.ResponseWriter, status int, body any) {
	t.Helper()
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	if err := json.NewEncoder(w).Encode(body); err != nil {
		t.Fatalf("write JSON response: %v", err)
	}
}

func getApplication(t *testing.T, ctrl *Controller, namespace, name string) *v1alpha1.Application {
	t.Helper()

	got, err := ctrl.applicationClientset.ApplicationV1alpha1().Applications(namespace).Get(
		context.Background(), name, metav1.GetOptions{},
	)
	if err != nil {
		t.Fatalf("get Application: %v", err)
	}
	return got
}