package bannerctl

import (
	"fmt"
	"testing"

	bannerAPI "edge-infra.dev/pkg/edge/apis/banner/v1alpha1"
	"edge-infra.dev/pkg/edge/gcpinfra"
	"edge-infra.dev/pkg/k8s/konfigkonnector/apis/meta"
	"edge-infra.dev/pkg/lib/gcp/iam/roles"
	gcpProject "edge-infra.dev/pkg/lib/gcp/project"
	edgeUUID "edge-infra.dev/pkg/lib/uuid"
	iamAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/iam/v1beta1"
	resourceAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/resourcemanager/v1beta1"
	storageAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/storage/v1beta1"
	"github.com/google/uuid"
	"github.com/stretchr/testify/assert"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// testKCCResourceName derives the name the tests expect for the banner's
// KCC resources: "kcc-" followed by the hash of the banner's
// ClusterInfraClusterEdgeID. getTestBanner leaves Status zero-valued, so
// the hash here is computed from a zero edge ID.
func testKCCResourceName(b *bannerAPI.Banner) string {
	hash := edgeUUID.FromUUID(b.Status.ClusterInfraClusterEdgeID).Hash()
	return fmt.Sprintf("kcc-%s", hash)
}

// TestCreateKCCIAMSA pins the shape of the IAM service account created for
// the Config Connector controller: owned by the banner, abandoned (not
// deleted) on banner removal, named after the KCC resource name and placed
// in the banner's namespace.
func TestCreateKCCIAMSA(t *testing.T) {
	r := &BannerReconciler{}
	b := getTestBanner()
	name := testKCCResourceName(b)

	account := r.createKCCIAMSA(b, name)

	assert.True(t, isOwnedByBanner(account, b.Name))
	// Abandon keeps the GCP service account alive when the k8s object goes away.
	assert.Equal(t, meta.DeletionPolicyAbandon, account.Annotations[meta.DeletionPolicyAnnotation])
	assert.Equal(t, name, account.Name)
	assert.Equal(t, b.Name, account.Namespace)

	wantDisplayName := fmt.Sprintf("k8s cfg connector for project %s", b.Spec.DisplayName)
	assert.Equal(t, wantDisplayName, *account.Spec.DisplayName)
}

// TestCreateKCCIAMMembers pins every IAM binding granted to the KCC service
// account, in order. These assertions are the guard against the bindings
// silently widening: the role, the target resource and (where present) the
// IAM condition are all checked exactly.
func TestCreateKCCIAMMembers(t *testing.T) {
	r := &BannerReconciler{ForemanProjectID: "rest-test-foreman0"}
	b := getTestBanner()
	name := testKCCResourceName(b)

	members := r.createKCCIAMMembers(b, name, TestProjectNumber)
	assert.Len(t, members, 5)

	// Principal strings used by the bindings below.
	kccSAMember := fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", name, b.Spec.GCP.ProjectID)
	wiSAMember := fmt.Sprintf("serviceAccount:%s.svc.id.goog[cnrm-system/cnrm-controller-manager]", b.Spec.GCP.ProjectID)

	t.Run("owner on banner project", func(t *testing.T) {
		owner := members[0]
		assert.True(t, isOwnedByBanner(owner, b.Name))
		assert.Equal(t, meta.DeletionPolicyAbandon, owner.Annotations[meta.DeletionPolicyAnnotation])
		assert.Equal(t, fmt.Sprintf("%s-owner", name), owner.Name)
		assert.Equal(t, b.Name, owner.Namespace)
		assert.Equal(t, kccSAMember, *owner.Spec.Member)
		assert.Equal(t, resourceAPI.SchemeGroupVersion.String(), owner.Spec.ResourceRef.APIVersion)
		assert.Equal(t, resourceAPI.ProjectGVK.Kind, owner.Spec.ResourceRef.Kind)
		// Bound to the banner's own project, not the foreman project.
		assert.Equal(t, b.Spec.GCP.ProjectID, owner.Spec.ResourceRef.External)
		assert.Equal(t, roles.Owner, owner.Spec.Role)
	})

	t.Run("conditional project admin on foreman project", func(t *testing.T) {
		delegated := members[1]
		assert.True(t, isOwnedByBanner(delegated, b.Name))
		assert.Equal(t, meta.DeletionPolicyAbandon, delegated.Annotations[meta.DeletionPolicyAnnotation])
		assert.Equal(t, fmt.Sprintf("%s-logging-logwriter", name), delegated.Name)
		assert.Equal(t, b.Name, delegated.Namespace)
		assert.Equal(t, kccSAMember, *delegated.Spec.Member)
		assert.Equal(t, resourceAPI.SchemeGroupVersion.String(), delegated.Spec.ResourceRef.APIVersion)
		assert.Equal(t, resourceAPI.ProjectGVK.Kind, delegated.Spec.ResourceRef.Kind)
		assert.Equal(t, r.ForemanProjectID, delegated.Spec.ResourceRef.External)
		// This is a cross-project grant on the foreman project; the role is
		// broad, so the binding must carry the delegated-roles condition and
		// the expression is pinned verbatim.
		assert.Equal(t, roles.ProjectAdmin, delegated.Spec.Role)
		assert.Equal(t, "kcc_delegated_foreman_roles", delegated.Spec.Condition.Title)
		assert.Equal(t, "KCC delegated roles on foreman", *delegated.Spec.Condition.Description)
		assert.Equal(t, KccDelegatedRolesExpression, delegated.Spec.Condition.Expression)
	})

	t.Run("pubsub admin on foreman project", func(t *testing.T) {
		pubsub := members[2]
		assert.True(t, isOwnedByBanner(pubsub, b.Name))
		assert.Equal(t, meta.DeletionPolicyAbandon, pubsub.Annotations[meta.DeletionPolicyAnnotation])
		assert.Equal(t, fmt.Sprintf("%s-pubsub-admin", name), pubsub.Name)
		assert.Equal(t, b.Name, pubsub.Namespace)
		assert.Equal(t, kccSAMember, *pubsub.Spec.Member)
		assert.Equal(t, resourceAPI.SchemeGroupVersion.String(), pubsub.Spec.ResourceRef.APIVersion)
		assert.Equal(t, resourceAPI.ProjectGVK.Kind, pubsub.Spec.ResourceRef.Kind)
		assert.Equal(t, r.ForemanProjectID, pubsub.Spec.ResourceRef.External)
		assert.Equal(t, roles.PubsubAdmin, pubsub.Spec.Role)
		// Unlike the project-admin grant above, this binding is unconditional.
		assert.Nil(t, pubsub.Spec.Condition)
	})

	t.Run("workload identity user on KCC service account", func(t *testing.T) {
		wi := members[3]
		assert.True(t, isOwnedByBanner(wi, b.Name))
		assert.Equal(t, meta.DeletionPolicyAbandon, wi.Annotations[meta.DeletionPolicyAnnotation])
		assert.Equal(t, fmt.Sprintf("%s-workload-id", name), wi.Name)
		assert.Equal(t, b.Name, wi.Namespace)
		// Only the cnrm-controller-manager KSA may impersonate the GCP SA.
		assert.Equal(t, wiSAMember, *wi.Spec.Member)
		assert.Equal(t, iamAPI.SchemeGroupVersion.String(), wi.Spec.ResourceRef.APIVersion)
		assert.Equal(t, iamAPI.IAMServiceAccountGVK.Kind, wi.Spec.ResourceRef.Kind)
		// Referenced by in-cluster name rather than an external resource ID.
		assert.Equal(t, name, wi.Spec.ResourceRef.Name)
		assert.Equal(t, roles.WorkloadIdentityUser, wi.Spec.Role)
	})

	t.Run("logging service agent writes to siem bucket", func(t *testing.T) {
		siem := members[4]
		assert.True(t, isOwnedByBanner(siem, b.Name))
		loggingAgent := fmt.Sprintf("serviceAccount:service-%s@gcp-sa-logging.iam.gserviceaccount.com", TestProjectNumber)
		assert.Equal(t, loggingAgent, *siem.Spec.Member)
		assert.Equal(t, storageAPI.SchemeGroupVersion.String(), siem.Spec.ResourceRef.APIVersion)
		assert.Equal(t, storageAPI.StorageBucketGVK.Kind, siem.Spec.ResourceRef.Kind)
		assert.Equal(t, fmt.Sprintf("%s-siem", r.ForemanProjectID), siem.Spec.ResourceRef.External)
		// Creator only: the log sink can write objects but not read or delete them.
		assert.Equal(t, roles.StorageObjectCreator, siem.Spec.Role)
	})
}

// TestCreateClusterInfraKCCResources checks only the count of objects
// produced for a banner's cluster-infra KCC setup (the SA plus the five
// bindings covered above); their contents are pinned by the other tests.
func TestCreateClusterInfraKCCResources(t *testing.T) {
	r := &BannerReconciler{}
	b := getTestBanner()

	objs := r.createClusterInfraKCCResources(b, testKCCResourceName(b), TestProjectNumber)

	assert.Len(t, objs, 6)
}

// getTestBanner builds a minimal Banner for these tests: a random UUID as
// the object name, a fixed display name and a freshly generated GCP project
// ID. Status is left at its zero value.
func getTestBanner() *bannerAPI.Banner {
	bannerName := uuid.New().String()

	// prefix + "-" + random suffix totals 30 characters, GCP's project ID maximum.
	suffixLen := 29 - (len(gcpinfra.ProjectIDPrefix))
	projectID := fmt.Sprintf("%s-%s", gcpinfra.ProjectIDPrefix, gcpProject.RandAN(suffixLen))

	meta := metav1.ObjectMeta{Name: bannerName}
	spec := bannerAPI.BannerSpec{
		DisplayName: "Test Banner",
		GCP:         bannerAPI.GCPConfig{ProjectID: projectID},
	}

	return &bannerAPI.Banner{ObjectMeta: meta, Spec: spec}
}