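using System.IO;
using System.Linq;
using StellaOps.Scanner.BuildProvenance.Analyzers;
using StellaOps.Scanner.BuildProvenance.Models;
using StellaOps.Scanner.BuildProvenance.Policy;
using StellaOps.TestKit;
using Xunit;

namespace StellaOps.Scanner.BuildProvenance.Tests;

/// <summary>
/// Unit tests for <see cref="BuildConfigVerifier"/>: the analyzer that checks the
/// build configuration recorded in an SBOM's build info against the provenance policy.
/// </summary>
public sealed class BuildConfigVerifierTests
{
    /// <summary>
    /// A build config whose on-disk content does not hash to the digest recorded in the
    /// SBOM must produce an <see cref="BuildProvenanceFindingType.OutputMismatch"/> finding
    /// when the policy requires config digests.
    /// </summary>
    [Trait("Category", TestCategories.Unit)]
    [Fact]
    public void Verify_FlagsDigestMismatch()
    {
        // GetTempFileName() creates the file on disk; delete it in finally so a failing
        // assertion does not leave stray files behind in the temp directory.
        var tempPath = Path.GetTempFileName();
        try
        {
            File.WriteAllText(tempPath, "build-config");

            // "sha256:deadbeef" is a deliberately wrong digest for the content written above.
            var buildInfo = TestSbomFactory.CreateBuildInfo(builder =>
            {
                builder.WithConfig(tempPath, "sha256:deadbeef");
            });
            var sbom = TestSbomFactory.CreateSbom(buildInfo);

            var chainBuilder = new BuildProvenanceChainBuilder();
            var chain = chainBuilder.Build(sbom);

            // Default policy with digest enforcement switched on; everything else unchanged.
            var policy = BuildProvenancePolicyDefaults.Default with
            {
                BuildRequirements = BuildProvenancePolicyDefaults.Default.BuildRequirements with
                {
                    RequireConfigDigest = true,
                },
            };

            var verifier = new BuildConfigVerifier();
            var findings = verifier.Verify(sbom, chain, policy).ToList();

            Assert.Contains(findings, f => f.Type == BuildProvenanceFindingType.OutputMismatch);
        }
        finally
        {
            File.Delete(tempPath);
        }
    }

    /// <summary>
    /// A build environment variable whose name looks like a credential must be reported as an
    /// <see cref="BuildProvenanceFindingType.EnvironmentVariableLeak"/> under the default policy.
    /// </summary>
    [Trait("Category", TestCategories.Unit)]
    [Fact]
    public void Verify_FlagsSensitiveEnvironmentVariables()
    {
        var buildInfo = TestSbomFactory.CreateBuildInfo(builder =>
        {
            builder.WithEnvironment("API_TOKEN", "secret");
        });
        var sbom = TestSbomFactory.CreateSbom(buildInfo);
        var chain = new BuildProvenanceChainBuilder().Build(sbom);

        // No policy overrides: the leak check is expected to be on by default.
        var policy = BuildProvenancePolicyDefaults.Default;

        var verifier = new BuildConfigVerifier();
        var findings = verifier.Verify(sbom, chain, policy).ToList();

        Assert.Contains(findings, f => f.Type == BuildProvenanceFindingType.EnvironmentVariableLeak);
    }
}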