using BuildingBlock.Identity.Contracts.Requests;
using Thalos.Domain.Contracts;
using Thalos.Domain.Decisions;

namespace Thalos.Domain.UnitTests;

/// <summary>
/// Unit tests for <see cref="IdentityPolicyDecisionService.Evaluate"/>: one allow case and one
/// deny case, both driven by the set of permission codes placed in the context.
/// </summary>
/// <remarks>
/// NOTE(review): both tests pass <c>true</c> as the third context argument and build the context
/// from the request's own SubjectId and PermissionCode. The deny path for a <c>false</c> flag and
/// for a context that does not match the request is therefore not covered here. The request's
/// tenant id ("tenant-1") is never passed into the context, so these tests do not exercise
/// tenant scoping either. For an authorization decision, the deny branches are worth pinning.
/// </remarks>
public class IdentityPolicyDecisionServiceTests
{
    /// <summary>
    /// The permission is among the context's permission codes and the third context argument is
    /// <c>true</c>, so the decision is expected to be allowed.
    /// </summary>
    [Fact]
    public void Evaluate_WhenPermissionMatchedAndContextSatisfied_ReturnsAllowed()
    {
        // Arrange
        IdentityPolicyDecisionService sut = new();
        EvaluateIdentityPolicyRequest policyRequest = CreateTokenIssueRequest();

        // Third argument: presumably the "context satisfied" flag named in the test title;
        // confirm against IdentityPolicyContextData.
        var policyContext = new IdentityPolicyContextData(
            policyRequest.SubjectId,
            policyRequest.PermissionCode,
            true,
            ["identity.token.issue", "identity.policy.evaluate"]);

        // Act
        var decision = sut.Evaluate(policyRequest, policyContext);

        // Assert
        Assert.True(decision.IsAllowed);
    }

    /// <summary>
    /// The context's permission codes do not contain the requested permission, so the decision
    /// is expected to be denied even though the third context argument is <c>true</c>.
    /// </summary>
    [Fact]
    public void Evaluate_WhenPermissionMissing_ReturnsDenied()
    {
        // Arrange
        IdentityPolicyDecisionService sut = new();
        EvaluateIdentityPolicyRequest policyRequest = CreateTokenIssueRequest();

        // Only an unrelated permission code is supplied; everything else matches the allow case.
        var policyContext = new IdentityPolicyContextData(
            policyRequest.SubjectId,
            policyRequest.PermissionCode,
            true,
            ["identity.read"]);

        // Act
        var decision = sut.Evaluate(policyRequest, policyContext);

        // Assert
        Assert.False(decision.IsAllowed);
    }

    /// <summary>
    /// Builds the request shared by both tests: subject "user-1", tenant "tenant-1", asking for
    /// the "identity.token.issue" permission.
    /// </summary>
    private static EvaluateIdentityPolicyRequest CreateTokenIssueRequest() =>
        new("user-1", "tenant-1", "identity.token.issue");
}