package infra

import "testing"

// makeRoles builds the role fixture shared by the RBACCheck tests: an
// "admin" role holding read, write and delete on "users", and a "viewer"
// role holding only read on "users".
func makeRoles() []Role {
	admin := Role{
		Name: "admin",
		Permissions: []Permission{
			{Resource: "users", Action: "read"},
			{Resource: "users", Action: "write"},
			{Resource: "users", Action: "delete"},
		},
	}
	viewer := Role{
		Name: "viewer",
		Permissions: []Permission{
			{Resource: "users", Action: "read"},
		},
	}
	return []Role{admin, viewer}
}

// TestRBACCheck_Granted checks that a role is allowed a permission it was
// explicitly given in the fixture.
func TestRBACCheck_Granted(t *testing.T) {
	roles := makeRoles()

	deleteUsers := Permission{Resource: "users", Action: "delete"}
	if ok := RBACCheck(roles, "admin", deleteUsers); !ok {
		t.Fatal("admin deberia tener users/delete")
	}

	readUsers := Permission{Resource: "users", Action: "read"}
	if ok := RBACCheck(roles, "viewer", readUsers); !ok {
		t.Fatal("viewer deberia tener users/read")
	}
}

// TestRBACCheck_Denied checks that a known role is refused a permission
// that only a more privileged role holds.
func TestRBACCheck_Denied(t *testing.T) {
	roles := makeRoles()

	deleteUsers := Permission{Resource: "users", Action: "delete"}
	if ok := RBACCheck(roles, "viewer", deleteUsers); ok {
		t.Fatal("viewer NO deberia tener users/delete")
	}
}

// TestRBACCheck_UnknownRole checks the deny-by-default case: a role name
// that is absent from the role set gets no permission, even one that every
// fixture role holds.
func TestRBACCheck_UnknownRole(t *testing.T) {
	roles := makeRoles()

	readUsers := Permission{Resource: "users", Action: "read"}
	if ok := RBACCheck(roles, "ghost", readUsers); ok {
		t.Fatal("rol inexistente no deberia tener permisos")
	}
}

// TestRBACCheck_ExactMatch checks that a grant requires both the resource
// and the action to match; sharing only one of the two is not enough.
//
// NOTE(review): no case in this file covers a nil or empty role slice, or
// role names that differ from the fixture only in letter case. Confirm that
// RBACCheck denies those as well.
func TestRBACCheck_ExactMatch(t *testing.T) {
	roles := makeRoles()

	// Different resource: admin holds "read", but only on "users".
	readBilling := Permission{Resource: "billing", Action: "read"}
	if ok := RBACCheck(roles, "admin", readBilling); ok {
		t.Fatal("admin no tiene billing/read")
	}

	// Different action: viewer holds a "users" permission, but only "read".
	writeUsers := Permission{Resource: "users", Action: "write"}
	if ok := RBACCheck(roles, "viewer", writeUsers); ok {
		t.Fatal("viewer no tiene users/write")
	}
}