// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package k8s_test

import (
	"reflect"
	"testing"

	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/k8s"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

func TestGetSecretVersionsFromAnnotations(t *testing.T) {
	tests := []struct {
		name                   string
		resource               *k8s.Resource
		expectedSecretVersions map[string]string
	}{
		{
			name: "secret versions exist in the annotation",
			resource: &k8s.Resource{
				ObjectMeta: metav1.ObjectMeta{
					Annotations: map[string]string{
						"cnrm.cloud.google.com/observed-secret-versions": "{\"secret-1\":\"2\"}",
					},
				},
			},
			expectedSecretVersions: map[string]string{
				"secret-1": "2",
			},
		},
		{
			name: "no secret versions in the annotation",
			resource: &k8s.Resource{
				ObjectMeta: metav1.ObjectMeta{
					Annotations: map[string]string{},
				},
			},
			expectedSecretVersions: nil,
		},
	}

	for _, tc := range tests {
		tc := tc
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()
			secretVersions, err := k8s.GetSecretVersionsFromAnnotations(tc.resource)
			if err != nil {
				t.Fatalf("error getting observed secret versions from annotation: %v", err)
			}
			if got, want := secretVersions, tc.expectedSecretVersions; !reflect.DeepEqual(got, want) {
				t.Fatalf("got: %v, want: %v", got, want)
			}
		})
	}
}

func TestUpdateObservedSecretVersionsAnnotation(t *testing.T) {
	tests := []struct {
		name                  string
		resource              *k8s.Resource
		updatedSecretVersions map[string]string
		hasSensitiveFields    bool
	}{
		{
			name: "update secret versions exist in the annotation successfully",
			resource: &k8s.Resource{
				ObjectMeta: metav1.ObjectMeta{
					Annotations: map[string]string{
						"cnrm.cloud.google.com/observed-secret-versions": "{\"secret-1\":\"2\"}",
					},
				},
			},
			updatedSecretVersions: map[string]string{
				"secret-1": "5",
			},
			hasSensitiveFields: true,
		},
		{
			name: "secret versions removed when hasSensitiveField is false",
			resource: &k8s.Resource{
				ObjectMeta: metav1.ObjectMeta{
					Annotations: map[string]string{
						"cnrm.cloud.google.com/observed-secret-versions": "{\"secret-1\":\"2\"}",
					},
				},
			},
			updatedSecretVersions: map[string]string{
				"secret-1": "5",
			},
			hasSensitiveFields: false,
		},
	}

	for _, tc := range tests {
		tc := tc
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()
			err := k8s.UpdateOrRemoveObservedSecretVersionsAnnotation(tc.resource, tc.updatedSecretVersions, tc.hasSensitiveFields)
			if err != nil {
				t.Fatalf("error updating observed secret versions from annotation: %v", err)
			}

			retrievedSecretVersions, err := k8s.GetSecretVersionsFromAnnotations(tc.resource)
			if err != nil {
				t.Fatalf("error getting observed secret versions from annotation for verification: %v", err)
			}
			if !tc.hasSensitiveFields {
				if retrievedSecretVersions != nil {
					t.Fatalf("secret versions in the annotation should be nil, but got %v", retrievedSecretVersions)
				}
				return
			}
			if got, want := retrievedSecretVersions, tc.updatedSecretVersions; !reflect.DeepEqual(got, want) {
				t.Fatalf("got: %v, want: %v", got, want)
			}
		})
	}
}