"""Tests for security test endpoints (V2 API).

Covers the test CRUD and basic workflow via the REST API.
For full workflow logic tests see ``test_workflow.py`` and
``test_integration_v2.py``.
"""

import pytest


@pytest.fixture
def technique(client, auth_headers):
    """Create a technique for test association."""
    response = client.post(
        "/api/v1/techniques",
        json={"mitre_id": "T1059", "name": "Test Technique"},
        headers=auth_headers,
    )
    return response.json()


def test_create_test_requires_auth(client):
    """POST /tests without token returns 401 or 403."""
    response = client.post(
        "/api/v1/tests",
        json={
            "technique_id": "00000000-0000-0000-0000-000000000000",
            "name": "Test Name",
        },
    )
    assert response.status_code in (401, 403)


def test_create_test_success(client, auth_headers, technique):
    """Admin can create a test via POST /tests."""
    response = client.post(
        "/api/v1/tests",
        json={
            "technique_id": technique["id"],
            "name": "My Security Test",
            "description": "Test description",
            "platform": "windows",
        },
        headers=auth_headers,
    )
    assert response.status_code == 201
    data = response.json()
    assert data["name"] == "My Security Test"
    assert data["state"] == "draft"
    assert data["technique_id"] == technique["id"]


def test_create_test_nonexistent_technique(client, auth_headers):
    """Creating a test with non-existent technique fails."""
    response = client.post(
        "/api/v1/tests",
        json={
            "technique_id": "00000000-0000-0000-0000-000000000000",
            "name": "Test",
        },
        headers=auth_headers,
    )
    assert response.status_code == 404


def test_get_test_by_id(client, auth_headers, technique):
    """GET /tests/{id} returns the test."""
    create_response = client.post(
        "/api/v1/tests",
        json={"technique_id": technique["id"], "name": "Test"},
        headers=auth_headers,
    )
    test_id = create_response.json()["id"]

    response = client.get(f"/api/v1/tests/{test_id}", headers=auth_headers)
    assert response.status_code == 200
    assert response.json()["id"] == test_id


def test_start_execution_twice_returns_invalid_transition(
    client, auth_headers, technique, red_tech_user
):
    """Invalid workflow transition surfaces domain error JSON (FASE 0.4).

    HttpOnly login cookies take precedence over the Authorization header.
    Clear cookies before each phase so Bearer tokens match the intended user.
    """
    client.cookies.clear()
    create_response = client.post(
        "/api/v1/tests",
        json={"technique_id": technique["id"], "name": "Workflow dup start"},
        headers=auth_headers,
    )
    assert create_response.status_code == 201
    test_id = create_response.json()["id"]

    rl = client.post(
        "/api/v1/auth/login",
        data={"username": "redtech", "password": "redtech123"},
    )
    assert rl.status_code == 200
    red_headers = {"Authorization": f"Bearer {rl.json()['access_token']}"}
    client.cookies.clear()

    first = client.post(
        f"/api/v1/tests/{test_id}/start-execution",
        headers=red_headers,
    )
    assert first.status_code == 200

    client.cookies.clear()
    second = client.post(
        f"/api/v1/tests/{test_id}/start-execution",
        headers=red_headers,
    )
    assert second.status_code == 400
    body = second.json()
    assert body.get("code") == "INVALID_TRANSITION"
    assert "detail" in body