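import { describe, it, expect } from 'vitest';
import { db } from '../../src/db';
import { checkPermission } from '../../src/lib/auth/permission';
import { eq } from 'drizzle-orm';
import {
  users,
  groups,
  roles,
  permissions,
  userGroups,
  groupRoles,
  rolePermissions,
  userRoles,
  resources,
  aclRules,
} from '../../src/db/schema/auth';
import { resources as resourceSchema, aclRules as aclRulesSchema } from '../../src/db/schema/resource';

/**
 * Integration tests for the permission engine (`checkPermission`).
 *
 * These tests depend on rows injected by the seed script:
 *   - admin@ekb.com  — administrator; per the seed, a member of the
 *     "Engineering Department" group, which carries the `editor` role.
 *   - tester@ekb.com — plain user with no RBAC grant and an explicit
 *     ACL deny rule on /projects/secret.
 *
 * Seed rows are looked up by e-mail/name and asserted present so that a
 * missing seed fails with a clear message instead of a TypeError on `.id`.
 */
describe('Permission Engine Integration Tests', () => {
  const ADMIN_EMAIL = 'admin@ekb.com';
  const TESTER_EMAIL = 'tester@ekb.com';
  const ENGINEERING_GROUP = 'Engineering Department';
  // Reason string the engine returns for an explicit ACL deny; asserted
  // (or negated) so tests can tell explicit deny apart from default deny.
  const EXPLICIT_DENY_REASON = 'Explicitly denied by ACL rule';

  // Resolve a seeded user by e-mail. A missing row is a fixture problem,
  // so surface it explicitly rather than letting `user.id` throw.
  async function seededUser(email) {
    const [user] = await db.select().from(users).where(eq(users.email, email));
    expect(user, `seed user ${email} is missing`).toBeDefined();
    return user;
  }

  // Resolve a seeded group by name, with the same explicit fixture check.
  async function seededGroup(name) {
    const [group] = await db.select().from(groups).where(eq(groups.name, name));
    expect(group, `seed group "${name}" is missing`).toBeDefined();
    return group;
  }

  it('should allow admin to access any resource via RBAC', async () => {
    const admin = await seededUser(ADMIN_EMAIL);
    // NOTE(review): the grant exercised here comes from the group's `editor`
    // role (seed data) — the caller supplies groupIds and the engine resolves
    // the role from that membership. It does not test any superuser flag on
    // the admin record itself.
    const engGroup = await seededGroup(ENGINEERING_GROUP);

    const result = await checkPermission(
      { userId: admin.id, groupIds: [engGroup.id] },
      '/any/path',
      'read',
      'document'
    );

    expect(result.granted).toBe(true);
  });

  it('should deny tester access to secret folder due to explicit ACL deny rule', async () => {
    const tester = await seededUser(TESTER_EMAIL);

    const result = await checkPermission(
      { userId: tester.id, groupIds: [] },
      '/projects/secret',
      'read',
      'document'
    );

    expect(result.granted).toBe(false);
    expect(result.reason).toBe(EXPLICIT_DENY_REASON);
  });

  it('should default-deny tester on public folder (no ACL rule, no RBAC grant)', async () => {
    const tester = await seededUser(TESTER_EMAIL);

    const result = await checkPermission(
      { userId: tester.id, groupIds: [] },
      '/public',
      'read',
      'document'
    );

    // tester has no RBAC grant and the seed has no ACL rule on /public, so
    // this must be the engine's default deny — not an explicit deny. Checking
    // the reason keeps the test from passing for the wrong cause.
    expect(result.granted).toBe(false);
    expect(result.reason).not.toBe(EXPLICIT_DENY_REASON);
  });

  it('should respect path inheritance for ACL rules', async () => {
    const tester = await seededUser(TESTER_EMAIL);

    // A child of the denied folder must inherit the deny.
    const result = await checkPermission(
      { userId: tester.id, groupIds: [] },
      '/projects/secret/sub-file',
      'read',
      'document'
    );

    expect(result.granted).toBe(false);
    expect(result.reason).toBe(EXPLICIT_DENY_REASON);
  });

  it('should let an explicit ACL deny win over a group-derived RBAC grant', async () => {
    const tester = await seededUser(TESTER_EMAIL);
    const engGroup = await seededGroup(ENGINEERING_GROUP);

    // The earlier deny tests pass groupIds: [], so they never show that deny
    // takes precedence over a grant. Give tester the same group that grants
    // admin read access and check the explicit deny still holds.
    const result = await checkPermission(
      { userId: tester.id, groupIds: [engGroup.id] },
      '/projects/secret',
      'read',
      'document'
    );

    expect(result.granted).toBe(false);
    expect(result.reason).toBe(EXPLICIT_DENY_REASON);
  });

  it('should not extend the deny to a sibling path that merely shares a string prefix', async () => {
    const tester = await seededUser(TESTER_EMAIL);

    // Inheritance must be by path segment, not `startsWith`: /projects/secret-public
    // is not inside /projects/secret. tester still has no RBAC grant, so the
    // outcome is a default deny, distinguished from the explicit one by reason.
    const result = await checkPermission(
      { userId: tester.id, groupIds: [] },
      '/projects/secret-public',
      'read',
      'document'
    );

    expect(result.granted).toBe(false);
    expect(result.reason).not.toBe(EXPLICIT_DENY_REASON);
  });
});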