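using Microsoft.Extensions.Configuration;
using Thalos.Service.Application.Secrets;

namespace Thalos.Service.Application.UnitTests;

/// <summary>
/// Unit tests for <see cref="ConfigurationIdentitySecretMaterialProvider"/>, driven by an
/// in-memory configuration so that no real secret material is needed.
/// </summary>
/// <remarks>
/// The generic type arguments in this file were missing from the listing and have been restored
/// from how the values are used (string keys, string values).
/// NOTE(review): confirm <c>string?</c> against the AddInMemoryCollection signature of the
/// referenced Microsoft.Extensions.Configuration package version.
/// </remarks>
public class ConfigurationIdentitySecretMaterialProviderTests
{
    /// <summary>
    /// A secret configured under its own name is returned in preference to the "Default" entry.
    /// </summary>
    [Fact]
    public void TryGetSecret_WhenScopedSecretConfigured_ReturnsScopedValue()
    {
        var provider = CreateProvider(new Dictionary<string, string?>
        {
            ["ThalosIdentity:Secrets:SessionSigning"] = "scoped-secret",
            ["ThalosIdentity:Secrets:Default"] = "default-secret"
        });

        var ok = provider.TryGetSecret("SessionSigning", out var secretValue);

        Assert.True(ok);
        Assert.Equal("scoped-secret", secretValue);
    }

    /// <summary>
    /// A name with no entry of its own resolves to the "Default" entry.
    /// </summary>
    [Fact]
    public void TryGetSecret_WhenScopedSecretMissing_UsesDefaultSecret()
    {
        // NOTE(review): this pins the fallback as intended behaviour. It means a misspelled or
        // unconfigured secret name silently receives the shared default, so one value can end up
        // serving several purposes. Confirm that is acceptable for signing material.
        var provider = CreateProvider(new Dictionary<string, string?>
        {
            ["ThalosIdentity:Secrets:Default"] = "default-secret"
        });

        var ok = provider.TryGetSecret("MissingSecret", out var secretValue);

        Assert.True(ok);
        Assert.Equal("default-secret", secretValue);
    }

    /// <summary>
    /// With neither a scoped nor a default entry configured, GetSecret throws, and the message
    /// names the secret that was requested.
    /// </summary>
    [Fact]
    public void GetSecret_WhenSecretMissing_ThrowsExplicitRuntimeError()
    {
        var provider = CreateProvider(new Dictionary<string, string?>());

        // NOTE(review): the expected exception type was lost from the listing. ThrowsAny<Exception>
        // accepts any exception; narrow it to Assert.Throws<T> with the provider's concrete type.
        var error = Assert.ThrowsAny<Exception>(() => provider.GetSecret("SessionSigning"));

        Assert.Contains("SessionSigning", error.Message, StringComparison.Ordinal);
    }

    /// <summary>
    /// Builds a provider over an in-memory configuration holding the given key/value pairs.
    /// </summary>
    /// <param name="configurationValues">Configuration keys and values to expose to the provider.</param>
    /// <returns>A provider that reads from the in-memory configuration.</returns>
    private static ConfigurationIdentitySecretMaterialProvider CreateProvider(
        IReadOnlyDictionary<string, string?> configurationValues)
    {
        var configuration = new ConfigurationBuilder()
            .AddInMemoryCollection(configurationValues)
            .Build();

        return new ConfigurationIdentitySecretMaterialProvider(configuration);
    }
}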