"""Tests for metadata endpoint."""
import json

import pytest
from fastapi.testclient import TestClient


class TestMetadataEndpoint:
    """Tests for OAuth 2.0 Authorization Server Metadata endpoint."""

    @pytest.fixture
    def client(self, monkeypatch):
        """Create test client with valid configuration."""
        monkeypatch.setenv("GONDULF_SECRET_KEY", "test-secret-key-must-be-at-least-32-chars-long")
        monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")

        # Import app AFTER setting env vars
        from gondulf.main import app

        return TestClient(app)

    def test_metadata_endpoint_returns_200(self, client):
        """Test metadata endpoint returns 200 OK."""
        response = client.get("/.well-known/oauth-authorization-server")
        assert response.status_code == 200

    def test_metadata_content_type_json(self, client):
        """Test metadata endpoint returns JSON content type."""
        response = client.get("/.well-known/oauth-authorization-server")
        assert response.headers["content-type"] == "application/json"

    def test_metadata_cache_control_header(self, client):
        """Test metadata endpoint sets Cache-Control header."""
        response = client.get("/.well-known/oauth-authorization-server")
        assert "cache-control" in response.headers
        assert "public" in response.headers["cache-control"]
        assert "max-age=86400" in response.headers["cache-control"]

    def test_metadata_all_required_fields_present(self, client):
        """Test metadata response contains all required fields."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        required_fields = [
            "issuer",
            "authorization_endpoint",
            "token_endpoint",
            "response_types_supported",
            "grant_types_supported",
            "code_challenge_methods_supported",
            "token_endpoint_auth_methods_supported",
            "revocation_endpoint_auth_methods_supported",
            "scopes_supported"
        ]

        for field in required_fields:
            assert field in data, f"Missing required field: {field}"

    def test_metadata_issuer_matches_base_url(self, client):
        """Test issuer field matches BASE_URL configuration."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["issuer"] == "https://auth.example.com"

    def test_metadata_authorization_endpoint_correct(self, client):
        """Test authorization_endpoint field is correct."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["authorization_endpoint"] == "https://auth.example.com/authorize"

    def test_metadata_token_endpoint_correct(self, client):
        """Test token_endpoint field is correct."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["token_endpoint"] == "https://auth.example.com/token"

    def test_metadata_response_types_supported(self, client):
        """Test response_types_supported contains both 'code' and 'id'."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["response_types_supported"] == ["code", "id"]

    def test_metadata_grant_types_supported(self, client):
        """Test grant_types_supported contains only 'authorization_code'."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["grant_types_supported"] == ["authorization_code"]

    def test_metadata_code_challenge_methods_supported(self, client):
        """Test code_challenge_methods_supported contains S256."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["code_challenge_methods_supported"] == ["S256"]

    def test_metadata_token_endpoint_auth_methods(self, client):
        """Test token_endpoint_auth_methods_supported contains 'none'."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["token_endpoint_auth_methods_supported"] == ["none"]

    def test_metadata_revocation_endpoint_auth_methods(self, client):
        """Test revocation_endpoint_auth_methods_supported contains 'none'."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["revocation_endpoint_auth_methods_supported"] == ["none"]

    def test_metadata_scopes_supported_empty(self, client):
        """Test scopes_supported is empty array."""
        response = client.get("/.well-known/oauth-authorization-server")
        data = response.json()

        assert data["scopes_supported"] == []

    def test_metadata_response_valid_json(self, client):
        """Test metadata response can be parsed as valid JSON."""
        response = client.get("/.well-known/oauth-authorization-server")

        # Should not raise exception
        data = json.loads(response.content)
        assert isinstance(data, dict)

    def test_metadata_endpoint_no_authentication_required(self, client):
        """Test metadata endpoint is accessible without authentication."""
        # No authentication headers
        response = client.get("/.well-known/oauth-authorization-server")
        assert response.status_code == 200