package membership

import (
	"bytes"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"testing"
)

// TestRequireEncryptedRoomsRejectsCleartext is the control-plane half of the
// audit H4 minimum defense: with RequireEncryptedRooms on (the public posture),
// creating a cleartext (ModeNATS) room is refused 403, while an encrypted room is
// created normally. This is what guarantees no message ever rides the un-ACL'd
// NATS subject in the clear on a public deployment.
func TestRequireEncryptedRoomsRejectsCleartext(t *testing.T) {
	srv := dosServer(t, AuthOff)
	srv.RequireEncryptedRooms = true

	create := func(encrypt bool) int {
		body, _ := json.Marshal(createRoomReq{
			Subject:       "payroll.subject",
			Policy:        policyJSON{Encrypt: encrypt, Persist: encrypt, SignMsgs: encrypt},
			Owner:         endpointJSON{Endpoint: "owner-ep", SignPub: []byte("sp"), KexPub: []byte("kp")},
			SealedKeySelf: []byte("sealed"),
		})
		rec := httptest.NewRecorder()
		srv.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/rooms", bytes.NewReader(body)))
		return rec.Code
	}

	// Error path: a cleartext room is refused.
	if code := create(false); code != http.StatusForbidden {
		t.Fatalf("cleartext room under RequireEncryptedRooms should be 403, got %d", code)
	}
	// Golden: an encrypted room is created.
	if code := create(true); code != http.StatusCreated {
		t.Fatalf("encrypted room should be 201, got %d", code)
	}

	// Edge: with the flag OFF (loopback/dev), cleartext rooms are allowed again.
	srv.RequireEncryptedRooms = false
	if code := create(false); code != http.StatusCreated {
		t.Fatalf("cleartext room with the flag off should be 201, got %d", code)
	}
}