from __future__ import annotations

import os
from pathlib import Path

from enroll.ignore import IgnorePolicy


def test_ignore_policy_denies_common_backup_files():
    pol = IgnorePolicy()
    assert pol.deny_reason("/etc/shadow-") == "backup_file"
    assert pol.deny_reason("/etc/passwd-") == "backup_file"
    assert pol.deny_reason("/etc/group-") == "backup_file"
    assert pol.deny_reason("/etc/something~") == "backup_file"
    assert pol.deny_reason("/foobar") == "unreadable"


def test_deny_reason_dir_with_denied_path():
    pol = IgnorePolicy()
    assert pol.deny_reason_dir("/etc/ssl/private/key") == "denied_path"
    assert pol.deny_reason_dir("/etc/ssh/ssh_host_key") == "denied_path"
    assert pol.deny_reason_dir("/etc/ssh") is None


def test_deny_reason_dir_unreadable(tmp_path: Path):
    pol = IgnorePolicy()
    nonexistent = tmp_path / "nonexistent"
    assert pol.deny_reason_dir(str(nonexistent)) == "unreadable"


def test_deny_reason_dir_symlink(tmp_path: Path):
    pol = IgnorePolicy()
    real_dir = tmp_path / "real"
    real_dir.mkdir()
    link = tmp_path / "link"
    os.symlink(str(real_dir), str(link))
    assert pol.deny_reason_dir(str(link)) == "symlink"


def test_deny_reason_dir_not_directory(tmp_path: Path):
    pol = IgnorePolicy()
    regular_file = tmp_path / "file.txt"
    regular_file.write_text("content", encoding="utf-8")
    assert pol.deny_reason_dir(str(regular_file)) == "not_directory"


def test_deny_reason_dir_dangerous_mode(tmp_path: Path):
    pol = IgnorePolicy(dangerous=True)
    real_dir = tmp_path / "private"
    real_dir.mkdir()
    assert pol.deny_reason_dir(str(real_dir)) is None


def test_deny_reason_link_basic(tmp_path: Path):
    pol = IgnorePolicy()
    real_file = tmp_path / "real"
    real_file.write_text("content", encoding="utf-8")
    link = tmp_path / "link"
    os.symlink(str(real_file), str(link))
    assert pol.deny_reason_link(str(link)) is None


def test_deny_reason_link_denied_path():
    pol = IgnorePolicy()
    assert pol.deny_reason_link("/etc/ssh/ssh_host_rsa_key") == "denied_path"


def test_deny_reason_link_unreadable(tmp_path: Path):
    pol = IgnorePolicy()
    # Create a symlink in a directory that doesn't exist
    # This simulates an unreadable path
    broken_link = tmp_path / "broken_link"
    os.symlink("/nonexistent/target", str(broken_link))
    # Broken symlinks are still readable (we can readlink them)
    # So they return None (allowed) unless they match deny globs
    result = pol.deny_reason_link(str(broken_link))
    # Broken symlinks are allowed - we can still read the link target
    assert result is None


def test_deny_reason_link_not_symlink(tmp_path: Path):
    pol = IgnorePolicy()
    regular_file = tmp_path / "file.txt"
    regular_file.write_text("content", encoding="utf-8")
    assert pol.deny_reason_link(str(regular_file)) == "not_symlink"


def test_deny_reason_link_log_file():
    pol = IgnorePolicy()
    assert pol.deny_reason_link("/var/log/something.log") == "log_file"


def test_deny_reason_link_backup_file():
    pol = IgnorePolicy()
    assert pol.deny_reason_link("/etc/passwd-") == "backup_file"
    assert pol.deny_reason_link("/etc/something~") == "backup_file"


def test_deny_reason_link_dangerous_mode(tmp_path: Path):
    pol = IgnorePolicy(dangerous=True)
    real_file = tmp_path / "real"
    real_file.write_text("content", encoding="utf-8")
    link = tmp_path / "link"
    os.symlink(str(real_file), str(link))
    assert pol.deny_reason_link(str(link)) is None


def test_iter_effective_lines_with_comments():
    pol = IgnorePolicy()
    content = b"""
# This is a comment
; This is also a comment
* continuation
def main():
    pass
"""
    lines = list(pol.iter_effective_lines(content))
    assert b"def main():" in lines
    assert b"# This is a comment" not in lines


def test_iter_effective_lines_with_block_comments():
    pol = IgnorePolicy()
    content = b"""
/* This is a block comment
   spanning multiple lines */
int x = 5;
"""
    lines = list(pol.iter_effective_lines(content))
    assert b"int x = 5;" in lines
    assert b"/*" not in lines


def test_iter_effective_lines_empty():
    pol = IgnorePolicy()
    content = b""
    lines = list(pol.iter_effective_lines(content))
    assert lines == []


def test_deny_reason_binary_not_allowed(tmp_path: Path):
    pol = IgnorePolicy()
    binary = tmp_path / "random.bin"
    binary.write_bytes(b"\x00\x01\x02\x03")
    reason = pol.deny_reason(str(binary))
    assert reason == "binary_like"


def test_deny_reason_sensitive_content(tmp_path: Path):
    pol = IgnorePolicy()
    config = tmp_path / "config.txt"
    config.write_text("password=secret123", encoding="utf-8")
    reason = pol.deny_reason(str(config))
    assert reason == "sensitive_content"


def test_deny_reason_sensitive_api_key(tmp_path: Path):
    pol = IgnorePolicy()
    config = tmp_path / "config.txt"
    config.write_text("api_key=abc123", encoding="utf-8")
    reason = pol.deny_reason(str(config))
    assert reason == "sensitive_content"


def test_deny_reason_private_key(tmp_path: Path):
    pol = IgnorePolicy()
    key = tmp_path / "key.pem"
    key.write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...", encoding="utf-8"
    )
    reason = pol.deny_reason(str(key))
    assert reason == "sensitive_content"


def test_deny_reason_too_large(tmp_path: Path):
    pol = IgnorePolicy(max_file_bytes=100)
    large = tmp_path / "large.txt"
    large.write_bytes(b"x" * 200)
    reason = pol.deny_reason(str(large))
    assert reason == "too_large"


def test_deny_reason_unreadable(tmp_path: Path):
    pol = IgnorePolicy()
    nonexistent = tmp_path / "nonexistent"
    reason = pol.deny_reason(str(nonexistent))
    assert reason == "unreadable"


def test_deny_reason_not_regular_file(tmp_path: Path):
    pol = IgnorePolicy()
    directory = tmp_path / "dir"
    directory.mkdir()
    reason = pol.deny_reason(str(directory))
    assert reason == "not_regular_file"


def test_deny_reason_symlink_file(tmp_path: Path):
    pol = IgnorePolicy()
    real_file = tmp_path / "real"
    real_file.write_text("content", encoding="utf-8")
    link = tmp_path / "link"
    os.symlink(str(real_file), str(link))
    reason = pol.deny_reason(str(link))
    assert reason == "not_regular_file"


def test_deny_reason_logs(tmp_path: Path):
    pol = IgnorePolicy()
    log = tmp_path / "test.log"
    log.write_text("log content", encoding="utf-8")
    assert pol.deny_reason(str(log)) == "log_file"


def test_deny_reason_backup_file(tmp_path: Path):
    pol = IgnorePolicy()
    backup = tmp_path / "file~"
    backup.write_text("backup", encoding="utf-8")
    assert pol.deny_reason(str(backup)) == "backup_file"


def test_deny_reason_shadow_file():
    pol = IgnorePolicy()
    assert pol.deny_reason("/etc/shadow") == "denied_path"
    assert pol.deny_reason("/etc/gshadow") == "denied_path"


def test_deny_reason_ssl_private():
    pol = IgnorePolicy()
    assert pol.deny_reason("/etc/ssl/private/key.pem") == "denied_path"


def test_deny_reason_ssh_host_keys():
    pol = IgnorePolicy()
    assert pol.deny_reason("/etc/ssh/ssh_host_rsa_key") == "denied_path"
    assert pol.deny_reason("/etc/ssh/ssh_host_ed25519_key") == "denied_path"


def test_deny_reason_letsencrypt():
    pol = IgnorePolicy()
    assert (
        pol.deny_reason("/etc/letsencrypt/live/example.com/fullchain.pem")
        == "denied_path"
    )


def test_deny_reason_shadow_backup():
    pol = IgnorePolicy()
    assert pol.deny_reason("/etc/shadow-") == "backup_file"
    assert pol.deny_reason("/etc/passwd-") == "backup_file"