package ssh_test

import (
	"strings"
	"testing"

	"git.eeqj.de/sneak/upaas/internal/ssh"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestGenerateKeyPair(t *testing.T) {
	t.Parallel()

	t.Run("generates valid key pair", func(t *testing.T) {
		t.Parallel()

		keyPair, err := ssh.GenerateKeyPair()
		require.NoError(t, err)
		require.NotNil(t, keyPair)

		// Private key should be PEM encoded
		assert.Contains(t, keyPair.PrivateKey, "-----BEGIN OPENSSH PRIVATE KEY-----")
		assert.Contains(t, keyPair.PrivateKey, "-----END OPENSSH PRIVATE KEY-----")

		// Public key should be in authorized_keys format
		assert.True(t, strings.HasPrefix(keyPair.PublicKey, "ssh-ed25519 "))
	})

	t.Run("generates unique keys each time", func(t *testing.T) {
		t.Parallel()

		keyPair1, err := ssh.GenerateKeyPair()
		require.NoError(t, err)

		keyPair2, err := ssh.GenerateKeyPair()
		require.NoError(t, err)

		assert.NotEqual(t, keyPair1.PrivateKey, keyPair2.PrivateKey)
		assert.NotEqual(t, keyPair1.PublicKey, keyPair2.PublicKey)
	})
}

func TestValidatePrivateKey(t *testing.T) {
	t.Parallel()

	t.Run("validates generated key", func(t *testing.T) {
		t.Parallel()

		keyPair, err := ssh.GenerateKeyPair()
		require.NoError(t, err)

		err = ssh.ValidatePrivateKey(keyPair.PrivateKey)
		assert.NoError(t, err)
	})

	t.Run("rejects invalid key", func(t *testing.T) {
		t.Parallel()

		err := ssh.ValidatePrivateKey("not a valid key")
		assert.Error(t, err)
	})

	t.Run("rejects empty key", func(t *testing.T) {
		t.Parallel()

		err := ssh.ValidatePrivateKey("")
		assert.Error(t, err)
	})
}