package vaultik_test

import (
	"bytes"
	"context"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"strings"
	"testing"

	"filippo.io/age"
	"git.eeqj.de/sneak/vaultik/internal/blobgen"
	"git.eeqj.de/sneak/vaultik/internal/vaultik"
)

// TestFetchAndDecryptBlobVerifiesHash verifies that FetchAndDecryptBlob checks
// the double-SHA-256 hash of the decrypted plaintext against the expected blob hash.
func TestFetchAndDecryptBlobVerifiesHash(t *testing.T) {
	identity, err := age.GenerateX25519Identity()
	if err != nil {
		t.Fatalf("generating identity: %v", err)
	}

	// Create test data and encrypt it using blobgen.Writer
	plaintext := []byte("hello world test data for blob hash verification")
	var encBuf bytes.Buffer
	writer, err := blobgen.NewWriter(&encBuf, 1, []string{identity.Recipient().String()})
	if err != nil {
		t.Fatalf("creating blobgen writer: %v", err)
	}
	if _, err := writer.Write(plaintext); err != nil {
		t.Fatalf("writing plaintext: %v", err)
	}
	if err := writer.Close(); err != nil {
		t.Fatalf("closing writer: %v", err)
	}
	encryptedData := encBuf.Bytes()

	// Compute correct double-SHA-256 hash of the plaintext (matches blobgen.Writer.Sum256)
	firstHash := sha256.Sum256(plaintext)
	secondHash := sha256.Sum256(firstHash[:])
	correctHash := hex.EncodeToString(secondHash[:])

	// Verify our hash matches what blobgen.Writer produces
	writerHash := hex.EncodeToString(writer.Sum256())
	if correctHash != writerHash {
		t.Fatalf("hash computation mismatch: manual=%s, writer=%s", correctHash, writerHash)
	}

	// Set up mock storage with the blob at the correct path
	mockStorage := NewMockStorer()
	blobPath := "blobs/" + correctHash[:2] + "/" + correctHash[2:4] + "/" + correctHash
	mockStorage.mu.Lock()
	mockStorage.data[blobPath] = encryptedData
	mockStorage.mu.Unlock()

	tv := vaultik.NewForTesting(mockStorage)
	ctx := context.Background()

	t.Run("correct hash succeeds", func(t *testing.T) {
		rc, err := tv.FetchAndDecryptBlob(ctx, correctHash, int64(len(encryptedData)), identity)
		if err != nil {
			t.Fatalf("expected success, got error: %v", err)
		}
		data, err := io.ReadAll(rc)
		if err != nil {
			t.Fatalf("reading stream: %v", err)
		}
		if err := rc.Close(); err != nil {
			t.Fatalf("close (hash verification) failed: %v", err)
		}
		if !bytes.Equal(data, plaintext) {
			t.Fatalf("decrypted data mismatch: got %q, want %q", data, plaintext)
		}
	})

	t.Run("wrong hash fails", func(t *testing.T) {
		// Use a fake hash that doesn't match the actual plaintext
		fakeHash := strings.Repeat("ab", 32) // 64 hex chars
		fakePath := "blobs/" + fakeHash[:2] + "/" + fakeHash[2:4] + "/" + fakeHash
		mockStorage.mu.Lock()
		mockStorage.data[fakePath] = encryptedData
		mockStorage.mu.Unlock()

		rc, err := tv.FetchAndDecryptBlob(ctx, fakeHash, int64(len(encryptedData)), identity)
		if err != nil {
			t.Fatalf("unexpected error opening stream: %v", err)
		}
		// Read all data — hash is verified on Close
		_, _ = io.ReadAll(rc)
		err = rc.Close()
		if err == nil {
			t.Fatal("expected error for mismatched hash, got nil")
		}
		if !strings.Contains(err.Error(), "hash mismatch") {
			t.Fatalf("expected hash mismatch error, got: %v", err)
		}
	})
}