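"""Unit tests for the role and ownership checks in ``app.auth.permissions``.

``require_role`` and ``require_owner_or_admin`` return async dependency
callables that FastAPI would normally resolve; here they are driven directly
with ``asyncio.run`` and a ``current_user`` built by ``make_user``.
"""

import asyncio

import pytest
from fastapi import HTTPException

from app.auth import permissions
from app.domain.models.role import UserRole
from tests.conftest import make_user


def _resolve(checker, user):
    """Run an async dependency the way FastAPI would and return its result."""
    return asyncio.run(checker(current_user=user))


# --- require_role -----------------------------------------------------------


def test_require_role_allows_higher_privilege_user():
    checker = permissions.require_role(UserRole.OPERATOR)
    result = _resolve(checker, make_user(role=UserRole.ADMIN))
    assert result.role == UserRole.ADMIN


def test_require_role_allows_exact_role():
    # Boundary of the hierarchy check: the required role itself must pass.
    # Guards against a ">" vs ">=" regression in the comparison.
    checker = permissions.require_role(UserRole.OPERATOR)
    result = _resolve(checker, make_user(role=UserRole.OPERATOR))
    assert result.role == UserRole.OPERATOR


def test_require_role_rejects_insufficient_role():
    checker = permissions.require_role(UserRole.ADMIN)
    with pytest.raises(HTTPException) as exc_info:
        _resolve(checker, make_user(role=UserRole.USER))
    assert exc_info.value.status_code == 403
    # The detail text is part of the API surface pinned by this suite.
    assert "Required role: ADMIN" in exc_info.value.detail


def test_require_role_rejects_intermediate_role():
    # OPERATOR is below ADMIN (see the first test), so it must not satisfy an
    # ADMIN requirement; catches an ordering mistake in UserRole.
    checker = permissions.require_role(UserRole.ADMIN)
    with pytest.raises(HTTPException) as exc_info:
        _resolve(checker, make_user(role=UserRole.OPERATOR))
    assert exc_info.value.status_code == 403


# --- check_resource_owner ---------------------------------------------------


def test_check_resource_owner_allows_admin():
    # Admins bypass ownership entirely, even for a resource they do not own.
    assert permissions.check_resource_owner(
        99, make_user(id=1, role=UserRole.ADMIN),
    ) is True


def test_check_resource_owner_allows_owner():
    assert permissions.check_resource_owner(
        7, make_user(id=7, role=UserRole.USER),
    ) is True


def test_check_resource_owner_rejects_other_user():
    # NOTE(review): ids are compared as ints here; if resource ids can arrive
    # as strings from path parameters, add a case confirming how "7" vs 7 is
    # handled so a type-coercion change cannot silently widen access.
    assert permissions.check_resource_owner(
        7, make_user(id=8, role=UserRole.USER),
    ) is False


# --- require_owner_or_admin -------------------------------------------------


def test_require_owner_or_admin_allows_owner():
    checker = permissions.require_owner_or_admin(7)
    # Must resolve without raising for the owner of the resource.
    _resolve(checker, make_user(id=7, role=UserRole.USER))


def test_require_owner_or_admin_allows_admin():
    checker = permissions.require_owner_or_admin(7)
    # Must resolve without raising for an admin who does not own the resource.
    _resolve(checker, make_user(id=1, role=UserRole.ADMIN))


def test_require_owner_or_admin_rejects_other_user():
    checker = permissions.require_owner_or_admin(7)
    with pytest.raises(HTTPException) as exc_info:
        _resolve(checker, make_user(id=8, role=UserRole.USER))
    assert exc_info.value.status_code == 403
    assert exc_info.value.detail == "You don't have permission to access this resource"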