mcias/internal/db/policy_test.go

package db

import (
	"errors"
	"testing"

	"git.wntrmute.dev/kyle/mcias/internal/model"
)

func TestCreateAndGetPolicyRule(t *testing.T) {
	db := openTestDB(t)

	ruleJSON := `{"actions":["pgcreds:read"],"resource_type":"pgcreds","effect":"allow"}`
	rec, err := db.CreatePolicyRule("test rule", 50, ruleJSON, nil)
	if err != nil {
		t.Fatalf("CreatePolicyRule: %v", err)
	}
	if rec.ID == 0 {
		t.Error("expected non-zero ID after create")
	}
	if rec.Priority != 50 {
		t.Errorf("expected priority 50, got %d", rec.Priority)
	}
	if !rec.Enabled {
		t.Error("new rule should be enabled by default")
	}

	got, err := db.GetPolicyRule(rec.ID)
	if err != nil {
		t.Fatalf("GetPolicyRule: %v", err)
	}
	if got.Description != "test rule" {
		t.Errorf("expected description %q, got %q", "test rule", got.Description)
	}
	if got.RuleJSON != ruleJSON {
		t.Errorf("rule_json mismatch: got %q", got.RuleJSON)
	}
}

func TestGetPolicyRule_NotFound(t *testing.T) {
	db := openTestDB(t)

	_, err := db.GetPolicyRule(99999)
	if !errors.Is(err, ErrNotFound) {
		t.Errorf("expected ErrNotFound, got %v", err)
	}
}

func TestListPolicyRules(t *testing.T) {
	db := openTestDB(t)

	_, _ = db.CreatePolicyRule("rule A", 100, `{"effect":"allow"}`, nil)
	_, _ = db.CreatePolicyRule("rule B", 50, `{"effect":"deny"}`, nil)
	_, _ = db.CreatePolicyRule("rule C", 200, `{"effect":"allow"}`, nil)

	rules, err := db.ListPolicyRules(false)
	if err != nil {
		t.Fatalf("ListPolicyRules: %v", err)
	}
	if len(rules) != 3 {
		t.Fatalf("expected 3 rules, got %d", len(rules))
	}
	// Should be ordered by priority ascending.
	if rules[0].Priority > rules[1].Priority || rules[1].Priority > rules[2].Priority {
		t.Errorf("rules not sorted by priority: %v %v %v",
			rules[0].Priority, rules[1].Priority, rules[2].Priority)
	}
}

func TestListPolicyRules_EnabledOnly(t *testing.T) {
	db := openTestDB(t)

	r1, _ := db.CreatePolicyRule("enabled rule", 100, `{"effect":"allow"}`, nil)
	r2, _ := db.CreatePolicyRule("disabled rule", 100, `{"effect":"deny"}`, nil)

	if err := db.SetPolicyRuleEnabled(r2.ID, false); err != nil {
		t.Fatalf("SetPolicyRuleEnabled: %v", err)
	}

	all, err := db.ListPolicyRules(false)
	if err != nil {
		t.Fatalf("ListPolicyRules(all): %v", err)
	}
	if len(all) != 2 {
		t.Errorf("expected 2 total rules, got %d", len(all))
	}

	enabled, err := db.ListPolicyRules(true)
	if err != nil {
		t.Fatalf("ListPolicyRules(enabledOnly): %v", err)
	}
	if len(enabled) != 1 {
		t.Fatalf("expected 1 enabled rule, got %d", len(enabled))
	}
	if enabled[0].ID != r1.ID {
		t.Errorf("wrong rule returned: got ID %d, want %d", enabled[0].ID, r1.ID)
	}
}

func TestUpdatePolicyRule(t *testing.T) {
	db := openTestDB(t)

	rec, _ := db.CreatePolicyRule("original", 100, `{"effect":"allow"}`, nil)

	newDesc := "updated description"
	newPriority := 25
	if err := db.UpdatePolicyRule(rec.ID, &newDesc, &newPriority, nil); err != nil {
		t.Fatalf("UpdatePolicyRule: %v", err)
	}

	got, err := db.GetPolicyRule(rec.ID)
	if err != nil {
		t.Fatalf("GetPolicyRule after update: %v", err)
	}
	if got.Description != newDesc {
		t.Errorf("expected description %q, got %q", newDesc, got.Description)
	}
	if got.Priority != newPriority {
		t.Errorf("expected priority %d, got %d", newPriority, got.Priority)
	}
	// RuleJSON should be unchanged.
	if got.RuleJSON != `{"effect":"allow"}` {
		t.Errorf("rule_json should not change when not provided: %q", got.RuleJSON)
	}
}

func TestUpdatePolicyRule_RuleJSON(t *testing.T) {
	db := openTestDB(t)

	rec, _ := db.CreatePolicyRule("rule", 100, `{"effect":"allow"}`, nil)

	newJSON := `{"effect":"deny","roles":["auditor"]}`
	if err := db.UpdatePolicyRule(rec.ID, nil, nil, &newJSON); err != nil {
		t.Fatalf("UpdatePolicyRule (json only): %v", err)
	}

	got, err := db.GetPolicyRule(rec.ID)
	if err != nil {
		t.Fatalf("GetPolicyRule: %v", err)
	}
	if got.RuleJSON != newJSON {
		t.Errorf("expected updated rule_json, got %q", got.RuleJSON)
	}
	// Description and priority unchanged.
	if got.Description != "rule" {
		t.Errorf("description should be unchanged, got %q", got.Description)
	}
}

func TestSetPolicyRuleEnabled(t *testing.T) {
	db := openTestDB(t)

	rec, _ := db.CreatePolicyRule("toggle rule", 100, `{"effect":"allow"}`, nil)
	if !rec.Enabled {
		t.Fatal("new rule should be enabled")
	}

	if err := db.SetPolicyRuleEnabled(rec.ID, false); err != nil {
		t.Fatalf("SetPolicyRuleEnabled(false): %v", err)
	}
	got, _ := db.GetPolicyRule(rec.ID)
	if got.Enabled {
		t.Error("rule should be disabled after SetPolicyRuleEnabled(false)")
	}

	if err := db.SetPolicyRuleEnabled(rec.ID, true); err != nil {
		t.Fatalf("SetPolicyRuleEnabled(true): %v", err)
	}
	got, _ = db.GetPolicyRule(rec.ID)
	if !got.Enabled {
		t.Error("rule should be enabled after SetPolicyRuleEnabled(true)")
	}
}

func TestDeletePolicyRule(t *testing.T) {
	db := openTestDB(t)

	rec, _ := db.CreatePolicyRule("to delete", 100, `{"effect":"allow"}`, nil)

	if err := db.DeletePolicyRule(rec.ID); err != nil {
		t.Fatalf("DeletePolicyRule: %v", err)
	}

	_, err := db.GetPolicyRule(rec.ID)
	if !errors.Is(err, ErrNotFound) {
		t.Errorf("expected ErrNotFound after delete, got %v", err)
	}
}

func TestDeletePolicyRule_NonExistent(t *testing.T) {
	db := openTestDB(t)

	// Deleting a non-existent rule should be a no-op, not an error.
	if err := db.DeletePolicyRule(99999); err != nil {
		t.Errorf("DeletePolicyRule on nonexistent ID should not error: %v", err)
	}
}

func TestCreatePolicyRule_WithCreatedBy(t *testing.T) {
	db := openTestDB(t)

	acct, _ := db.CreateAccount("policy-creator", model.AccountTypeHuman, "hash")
	rec, err := db.CreatePolicyRule("by user", 100, `{"effect":"allow"}`, &acct.ID)
	if err != nil {
		t.Fatalf("CreatePolicyRule with createdBy: %v", err)
	}

	got, _ := db.GetPolicyRule(rec.ID)
	if got.CreatedBy == nil || *got.CreatedBy != acct.ID {
		t.Errorf("expected CreatedBy=%d, got %v", acct.ID, got.CreatedBy)
	}
}