// Version Support Integration Tests
//
// Comprehensive integration tests for version functionality:
//
// - TestVersionIntegrationWorkflow: End-to-end workflow testing
//   - Creating initial version with proper metadata
//   - Creating multiple versions with timestamp updates
//   - Retrieving specific versions by name
//   - Promoting old versions to current
//   - Testing version serial number limits (999/day)
//   - Error cases and edge conditions
//
// - TestVersionConcurrency: Tests concurrent read operations
//
// - TestVersionCompatibility: Tests handling of legacy non-versioned secrets
//
// Test Environment:
// - Uses in-memory filesystem (afero.MemMapFs)
// - Consistent test mnemonic for reproducible keys
// - Proper cleanup and isolation between tests

package vault

import (
	"fmt"
	"path/filepath"
	"testing"
	"time"

	"git.eeqj.de/sneak/secret/internal/secret"
	"git.eeqj.de/sneak/secret/pkg/agehd"
	"github.com/spf13/afero"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TestVersionIntegrationWorkflow tests the complete version workflow
func TestVersionIntegrationWorkflow(t *testing.T) {
	fs := afero.NewMemMapFs()
	stateDir := "/test/state"

	// Set mnemonic for testing
	t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")

	// Create vault
	vault, err := CreateVault(fs, stateDir, "test")
	require.NoError(t, err)

	// Derive and store long-term key from mnemonic
	mnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
	ltIdentity, err := agehd.DeriveIdentity(mnemonic, 0)
	require.NoError(t, err)

	// Store long-term public key in vault
	vaultDir, _ := vault.GetDirectory()
	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0600)
	require.NoError(t, err)

	// Unlock the vault
	vault.Unlock(ltIdentity)

	secretName := "integration/test"

	// Step 1: Create initial version
	t.Run("create_initial_version", func(t *testing.T) {
		err := vault.AddSecret(secretName, []byte("version-1-data"), false)
		require.NoError(t, err)

		// Verify secret can be retrieved
		value, err := vault.GetSecret(secretName)
		require.NoError(t, err)
		assert.Equal(t, []byte("version-1-data"), value)

		// Verify version directory structure
		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
		versions, err := secret.ListVersions(fs, secretDir)
		require.NoError(t, err)
		assert.Len(t, versions, 1)

		// Verify current symlink exists
		currentVersion, err := secret.GetCurrentVersion(fs, secretDir)
		require.NoError(t, err)
		assert.Equal(t, versions[0], currentVersion)

		// Verify metadata
		version := secret.NewSecretVersion(vault, secretName, versions[0])
		err = version.LoadMetadata(ltIdentity)
		require.NoError(t, err)
		assert.NotNil(t, version.Metadata.CreatedAt)
		assert.NotNil(t, version.Metadata.NotBefore)
		assert.Equal(t, int64(1), version.Metadata.NotBefore.Unix()) // epoch + 1
		assert.Nil(t, version.Metadata.NotAfter)                     // should be nil for current version
	})

	// Step 2: Create second version
	var firstVersionName string
	t.Run("create_second_version", func(t *testing.T) {
		// Small delay to ensure different timestamps
		time.Sleep(10 * time.Millisecond)

		// Get first version name before creating second
		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
		versions, err := secret.ListVersions(fs, secretDir)
		require.NoError(t, err)
		firstVersionName = versions[0]

		// Create second version
		err = vault.AddSecret(secretName, []byte("version-2-data"), true)
		require.NoError(t, err)

		// Verify new value is current
		value, err := vault.GetSecret(secretName)
		require.NoError(t, err)
		assert.Equal(t, []byte("version-2-data"), value)

		// Verify we now have two versions
		versions, err = secret.ListVersions(fs, secretDir)
		require.NoError(t, err)
		assert.Len(t, versions, 2)

		// Verify first version metadata was updated with notAfter
		firstVersion := secret.NewSecretVersion(vault, secretName, firstVersionName)
		err = firstVersion.LoadMetadata(ltIdentity)
		require.NoError(t, err)
		assert.NotNil(t, firstVersion.Metadata.NotAfter)

		// Verify second version metadata
		secondVersion := secret.NewSecretVersion(vault, secretName, versions[0])
		err = secondVersion.LoadMetadata(ltIdentity)
		require.NoError(t, err)
		assert.NotNil(t, secondVersion.Metadata.NotBefore)
		assert.Nil(t, secondVersion.Metadata.NotAfter)

		// NotBefore of second should equal NotAfter of first
		assert.Equal(t, firstVersion.Metadata.NotAfter.Unix(), secondVersion.Metadata.NotBefore.Unix())
	})

	// Step 3: Create third version
	t.Run("create_third_version", func(t *testing.T) {
		time.Sleep(10 * time.Millisecond)

		err := vault.AddSecret(secretName, []byte("version-3-data"), true)
		require.NoError(t, err)

		// Verify we now have three versions
		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
		versions, err := secret.ListVersions(fs, secretDir)
		require.NoError(t, err)
		assert.Len(t, versions, 3)

		// Current should be version-3
		value, err := vault.GetSecret(secretName)
		require.NoError(t, err)
		assert.Equal(t, []byte("version-3-data"), value)
	})

	// Step 4: Retrieve specific versions
	t.Run("retrieve_specific_versions", func(t *testing.T) {
		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
		versions, err := secret.ListVersions(fs, secretDir)
		require.NoError(t, err)
		require.Len(t, versions, 3)

		// Get each version by its name
		value1, err := vault.GetSecretVersion(secretName, versions[2]) // oldest
		require.NoError(t, err)
		assert.Equal(t, []byte("version-1-data"), value1)

		value2, err := vault.GetSecretVersion(secretName, versions[1]) // middle
		require.NoError(t, err)
		assert.Equal(t, []byte("version-2-data"), value2)

		value3, err := vault.GetSecretVersion(secretName, versions[0]) // newest
		require.NoError(t, err)
		assert.Equal(t, []byte("version-3-data"), value3)

		// Empty version should return current
		valueCurrent, err := vault.GetSecretVersion(secretName, "")
		require.NoError(t, err)
		assert.Equal(t, []byte("version-3-data"), valueCurrent)
	})

	// Step 5: Promote old version to current
	t.Run("promote_old_version", func(t *testing.T) {
		secretDir := filepath.Join(vaultDir, "secrets.d", "integration%test")
		versions, err := secret.ListVersions(fs, secretDir)
		require.NoError(t, err)

		// Promote the first version (oldest) to current
		oldestVersion := versions[2]
		err = secret.SetCurrentVersion(fs, secretDir, oldestVersion)
		require.NoError(t, err)

		// Verify current now returns the old version's value
		value, err := vault.GetSecret(secretName)
		require.NoError(t, err)
		assert.Equal(t, []byte("version-1-data"), value)

		// Verify the version metadata hasn't changed
		// (promoting shouldn't modify timestamps)
		version := secret.NewSecretVersion(vault, secretName, oldestVersion)
		err = version.LoadMetadata(ltIdentity)
		require.NoError(t, err)
		assert.NotNil(t, version.Metadata.NotAfter) // should still have its old notAfter
	})

	// Step 6: Test version limits
	t.Run("version_serial_limits", func(t *testing.T) {
		// Create a new secret for this test
		limitSecretName := "limit/test"
		secretDir := filepath.Join(vaultDir, "secrets.d", "limit%test", "versions")

		// Create 998 versions (we already have one from the first AddSecret)
		err := vault.AddSecret(limitSecretName, []byte("initial"), false)
		require.NoError(t, err)

		// Get today's date for consistent version names
		today := time.Now().Format("20060102")

		// Manually create many versions with same date
		for i := 2; i <= 998; i++ {
			versionName := fmt.Sprintf("%s.%03d", today, i)
			versionDir := filepath.Join(secretDir, versionName)
			err := fs.MkdirAll(versionDir, 0755)
			require.NoError(t, err)
		}

		// Should be able to create one more (999)
		versionName, err := secret.GenerateVersionName(fs, filepath.Dir(secretDir))
		require.NoError(t, err)
		assert.Equal(t, fmt.Sprintf("%s.999", today), versionName)

		// Create the 999th version directory
		err = fs.MkdirAll(filepath.Join(secretDir, versionName), 0755)
		require.NoError(t, err)

		// Should fail to create 1000th version
		_, err = secret.GenerateVersionName(fs, filepath.Dir(secretDir))
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "exceeded maximum versions per day")
	})

	// Step 7: Test error cases
	t.Run("error_cases", func(t *testing.T) {
		// Try to get non-existent version
		_, err := vault.GetSecretVersion(secretName, "99991231.999")
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "not found")

		// Try to get version of non-existent secret
		_, err = vault.GetSecretVersion("nonexistent/secret", "")
		assert.Error(t, err)

		// Try to add secret without force when it exists
		err = vault.AddSecret(secretName, []byte("should-fail"), false)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "already exists")
	})
}

// TestVersionConcurrency tests concurrent version operations
func TestVersionConcurrency(t *testing.T) {
	fs := afero.NewMemMapFs()
	stateDir := "/test/state"

	// Set up vault
	vault := createTestVaultWithKey(t, fs, stateDir, "test")

	secretName := "concurrent/test"

	// Create initial version
	err := vault.AddSecret(secretName, []byte("initial"), false)
	require.NoError(t, err)

	// Test concurrent reads
	t.Run("concurrent_reads", func(t *testing.T) {
		done := make(chan bool, 10)
		errors := make(chan error, 10)

		for i := 0; i < 10; i++ {
			go func() {
				value, err := vault.GetSecret(secretName)
				if err != nil {
					errors <- err
				} else if string(value) != "initial" {
					errors <- fmt.Errorf("unexpected value: %s", value)
				}
				done <- true
			}()
		}

		// Wait for all goroutines
		for i := 0; i < 10; i++ {
			<-done
		}

		// Check for errors
		select {
		case err := <-errors:
			t.Fatalf("concurrent read failed: %v", err)
		default:
			// No errors
		}
	})
}

// TestVersionCompatibility tests that old secrets without versions still work
func TestVersionCompatibility(t *testing.T) {
	fs := afero.NewMemMapFs()
	stateDir := "/test/state"

	// Set up vault
	vault := createTestVaultWithKey(t, fs, stateDir, "test")
	ltIdentity, err := vault.GetOrDeriveLongTermKey()
	require.NoError(t, err)

	// Manually create an old-style secret (no versions)
	secretName := "legacy/secret"
	vaultDir, _ := vault.GetDirectory()
	secretDir := filepath.Join(vaultDir, "secrets.d", "legacy%secret")
	err = fs.MkdirAll(secretDir, 0755)
	require.NoError(t, err)

	// Create old-style encrypted value directly in secret directory
	testValue := []byte("legacy-value")
	ltRecipient := ltIdentity.Recipient()
	encrypted, err := secret.EncryptToRecipient(testValue, ltRecipient)
	require.NoError(t, err)

	valuePath := filepath.Join(secretDir, "value.age")
	err = afero.WriteFile(fs, valuePath, encrypted, 0600)
	require.NoError(t, err)

	// Should fail to get with version-aware methods
	_, err = vault.GetSecret(secretName)
	assert.Error(t, err)

	// List versions should return empty
	versions, err := secret.ListVersions(fs, secretDir)
	require.NoError(t, err)
	assert.Empty(t, versions)
}