"""Integration tests for HTTPS enforcement middleware."""

import tempfile
from pathlib import Path

import pytest
from fastapi.testclient import TestClient


@pytest.fixture
def test_app(monkeypatch):
    """Create test FastAPI app with test configuration."""
    # Set up test environment
    with tempfile.TemporaryDirectory() as tmpdir:
        db_path = Path(tmpdir) / "test.db"

        # Set required environment variables
        monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
        monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
        monkeypatch.setenv("GONDULF_DATABASE_URL", f"sqlite:///{db_path}")
        monkeypatch.setenv("GONDULF_DEBUG", "true")

        # Import app AFTER setting env vars
        from gondulf.main import app

        yield app


@pytest.fixture
def client(test_app):
    """FastAPI test client."""
    return TestClient(test_app)


class TestHTTPSEnforcement:
    """Test HTTPS enforcement middleware."""

    def test_https_allowed_in_production(self, client, monkeypatch):
        """Test HTTPS requests are allowed in production mode."""
        # Simulate production mode
        from gondulf.config import Config

        monkeypatch.setattr(Config, "DEBUG", False)

        # HTTPS request should succeed
        # Note: TestClient uses http by default, so this test is illustrative
        # In real production, requests come from a reverse proxy (nginx) with HTTPS
        # Use root endpoint instead of health as it doesn't require database
        response = client.get("/")
        assert response.status_code == 200

    def test_http_localhost_allowed_in_debug(self, client, monkeypatch):
        """Test HTTP to localhost is allowed in debug mode."""
        from gondulf.config import Config

        monkeypatch.setattr(Config, "DEBUG", True)

        # HTTP to localhost should succeed in debug mode
        # Use root endpoint instead of health as it doesn't require database
        response = client.get("http://localhost:8000/")
        assert response.status_code == 200

    def test_https_always_allowed(self, client):
        """Test HTTPS requests are always allowed regardless of mode."""
        # HTTPS should work in both debug and production
        # Use root endpoint instead of health as it doesn't require database
        response = client.get("/")
        # TestClient doesn't enforce HTTPS, but middleware should allow it
        assert response.status_code == 200