package application

import (
	"testing"

	"github.com/stretchr/testify/assert"
	"goauthentik.io/api/v3"
	"goauthentik.io/internal/config"
)

func TestEndpointDefault(t *testing.T) {
	pc := api.ProxyOutpostConfig{
		OidcConfiguration: api.OpenIDConnectConfiguration{
			AuthorizationEndpoint: "https://test.goauthentik.io/application/o/authorize/",
			EndSessionEndpoint:    "https://test.goauthentik.io/application/o/test-app/end-session/",
			IntrospectionEndpoint: "https://test.goauthentik.io/application/o/introspect/",
			Issuer:                "https://test.goauthentik.io/application/o/test-app/",
			JwksUri:               "https://test.goauthentik.io/application/o/test-app/jwks/",
			TokenEndpoint:         "https://test.goauthentik.io/application/o/token/",
		},
	}

	ep := GetOIDCEndpoint(pc, "https://authentik-host.test.goauthentik.io", false)
	// Standard outpost, non embedded
	// All URLs should use the host that they get from the config
	assert.Equal(t, "https://test.goauthentik.io/application/o/authorize/", ep.AuthURL)
	assert.Equal(t, "https://test.goauthentik.io/application/o/token/", ep.TokenURL)
	assert.Equal(t, "https://test.goauthentik.io/application/o/test-app/", ep.Issuer)
	assert.Equal(t, "https://test.goauthentik.io/application/o/test-app/jwks/", ep.JwksUri)
	assert.Equal(t, "https://test.goauthentik.io/application/o/test-app/end-session/", ep.EndSessionEndpoint)
	assert.Equal(t, "https://test.goauthentik.io/application/o/introspect/", ep.TokenIntrospection)
}

func TestEndpointAuthentikHostBrowser(t *testing.T) {
	c := config.Get()
	c.AuthentikHostBrowser = "https://browser.test.goauthentik.io"
	defer func() {
		c.AuthentikHostBrowser = ""
	}()
	pc := api.ProxyOutpostConfig{
		OidcConfiguration: api.OpenIDConnectConfiguration{
			AuthorizationEndpoint: "https://test.goauthentik.io/application/o/authorize/",
			EndSessionEndpoint:    "https://test.goauthentik.io/application/o/test-app/end-session/",
			IntrospectionEndpoint: "https://test.goauthentik.io/application/o/introspect/",
			Issuer:                "https://test.goauthentik.io/application/o/test-app/",
			JwksUri:               "https://test.goauthentik.io/application/o/test-app/jwks/",
			TokenEndpoint:         "https://test.goauthentik.io/application/o/token/",
			UserinfoEndpoint:      "https://test.goauthentik.io/application/o/userinfo/",
		},
	}

	ep := GetOIDCEndpoint(pc, "https://authentik-host.test.goauthentik.io", false)
	// Standard outpost, with AUTHENTIK_HOST_BROWSER set
	// Only the authorize/end session URLs should be changed
	assert.Equal(t, "https://browser.test.goauthentik.io/application/o/authorize/", ep.AuthURL)
	assert.Equal(t, "https://browser.test.goauthentik.io/application/o/test-app/end-session/", ep.EndSessionEndpoint)
	assert.Equal(t, "https://test.goauthentik.io/application/o/token/", ep.TokenURL)
	assert.Equal(t, "https://test.goauthentik.io/application/o/test-app/", ep.Issuer)
	assert.Equal(t, "https://test.goauthentik.io/application/o/test-app/jwks/", ep.JwksUri)
	assert.Equal(t, "https://test.goauthentik.io/application/o/introspect/", ep.TokenIntrospection)
}

func TestEndpointEmbedded(t *testing.T) {
	pc := api.ProxyOutpostConfig{
		OidcConfiguration: api.OpenIDConnectConfiguration{
			AuthorizationEndpoint: "https://test.goauthentik.io/application/o/authorize/",
			EndSessionEndpoint:    "https://test.goauthentik.io/application/o/test-app/end-session/",
			IntrospectionEndpoint: "https://test.goauthentik.io/application/o/introspect/",
			Issuer:                "https://test.goauthentik.io/application/o/test-app/",
			JwksUri:               "https://test.goauthentik.io/application/o/test-app/jwks/",
			TokenEndpoint:         "https://test.goauthentik.io/application/o/token/",
			UserinfoEndpoint:      "https://test.goauthentik.io/application/o/userinfo/",
		},
	}

	ep := GetOIDCEndpoint(pc, "https://authentik-host.test.goauthentik.io", true)
	// Embedded outpost
	// Browser URLs should use the config of "authentik_host", everything else can use what's
	// received from the API endpoint
	// Token URL is an exception since it's sent via a special HTTP transport that overrides the
	// HTTP Host header, to make sure it's the same value as the issuer
	assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/authorize/", ep.AuthURL)
	assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/", ep.Issuer)
	assert.Equal(t, "https://test.goauthentik.io/application/o/token/", ep.TokenURL)
	assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/jwks/", ep.JwksUri)
	assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/end-session/", ep.EndSessionEndpoint)
	assert.Equal(t, "https://test.goauthentik.io/application/o/introspect/", ep.TokenIntrospection)
}