using System.Text;
using StellaOps.Cryptography.Kms;
using StellaOps.TestKit;
using Xunit;

namespace StellaOps.Cryptography.Kms.Tests;

public sealed partial class FileKmsClientTests
{
    [Trait("Category", TestCategories.Unit)]
    [Fact]
    public async Task RevokePreventsSigningAsync()
    {
        using var workspace = new TestWorkspace(nameof(RevokePreventsSigningAsync));
        using var client = workspace.CreateClient();
        var keyId = "kms-revoke";

        await client.RotateAsync(keyId);
        await client.RevokeAsync(keyId);

        var metadata = await client.GetMetadataAsync(keyId);
        Assert.Equal(KmsKeyState.Revoked, metadata.State);
        Assert.All(metadata.Versions, v => Assert.Equal(KmsKeyState.Revoked, v.State));

        var data = Encoding.UTF8.GetBytes("kms-revoke-data");
        await Assert.ThrowsAsync<InvalidOperationException>(() => client.SignAsync(keyId, null, data));
    }
}