import pytest
from fastapi.testclient import TestClient
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker
from sqlalchemy.pool import StaticPool

from app.core.database import Base, get_db
from app.main import app
from app.modules.auth.models import User
from app.modules.auth.service import hash_password


@pytest.fixture(autouse=True)
def override_db():
    engine = create_engine(
        "sqlite:///:memory:",
        connect_args={"check_same_thread": False},
        poolclass=StaticPool,
    )
    Base.metadata.create_all(bind=engine)
    Session = sessionmaker(bind=engine)
    session = Session()
    app.dependency_overrides[get_db] = lambda: session
    yield session
    app.dependency_overrides.clear()
    session.close()
    Base.metadata.drop_all(bind=engine)


@pytest.fixture
def client():
    return TestClient(app, follow_redirects=False)


@pytest.fixture
def alice(override_db):
    user = User(username="alice", full_name="Alice Smith", pw_hash=hash_password("secret123"))
    override_db.add(user)
    override_db.commit()
    return user


def test_get_login_page(client):
    response = client.get("/auth/login")
    assert response.status_code == 200
    assert "text/html" in response.headers["content-type"]
    assert "Anmelden" in response.text


def test_login_correct_credentials_redirects(client, alice):
    response = client.post("/auth/login", data={"username": "alice", "password": "secret123"})
    assert response.status_code in (302, 303, 307)
    assert "access_token" in response.cookies


def test_login_wrong_password_shows_error(client, alice):
    response = client.post("/auth/login", data={"username": "alice", "password": "wrong"})
    assert response.status_code == 200
    assert "Ungültige" in response.text


def test_login_unknown_user_shows_error(client):
    response = client.post("/auth/login", data={"username": "ghost", "password": "any"})
    assert response.status_code == 200
    assert "Ungültige" in response.text


def test_logout_clears_cookie_and_redirects_to_landing(client, alice):
    client.post("/auth/login", data={"username": "alice", "password": "secret123"})
    response = client.get("/auth/logout")
    assert response.status_code in (302, 303, 307)
    assert response.headers["location"] == "/"
    assert response.cookies.get("access_token", "") == ""


from unittest.mock import patch as mock_patch


def test_ldap_login_sets_cookie_and_redirects(client, override_db):
    """LDAP login via mocked ldap_authenticate: cookie is set, redirects to /."""
    ldap_attrs = {
        "username": "ldapuser",
        "full_name": "LDAP User",
        "department": "EFI",
        "role": "ST",
        "account_expires": None,
    }
    with mock_patch("app.modules.auth.ldap.ldap_authenticate", return_value=ldap_attrs), \
         mock_patch("app.modules.auth.ldap.sync_all_users"), \
         mock_patch("app.modules.auth.router.settings") as mock_settings:
        mock_settings.LDAP_ENABLED = True
        mock_settings.LDAP_SERVER = "test"
        mock_settings.LDAP_DOMAIN = "ADS1"
        mock_settings.LDAP_SEARCH_BASE = "OU=test"
        mock_settings.LDAP_SYNC_MIN_INTERVAL_HOURS = 12
        mock_settings.LDAP_SYNC_LETTER_DELAY_SECONDS = 0.0
        response = client.post("/auth/login", data={"username": "ldapuser", "password": "any"})
    assert response.status_code in (302, 303, 307)
    assert "access_token" in response.cookies