using Bit.Core.AdminConsole.OrganizationAuth;
using Bit.Core.AdminConsole.OrganizationAuth.Models;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Models.Api.Request.AuthRequest;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Auth.Services;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Settings;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute;
using Xunit;

namespace Bit.Core.Test.AdminConsole.OrganizationAuth;

[SutProviderCustomize]
public class UpdateOrganizationAuthRequestCommandTests
{
    [Theory]
    [BitAutoData]
    public async Task UpdateOrgAuthRequest_Approved_SendEmail_Success(
        DateTime responseDate, string email, DeviceType deviceType, string deviceIdentifier,
        string requestIpAddress, Guid requestId, Guid userId, bool requestApproved,
        string encryptedUserKey, SutProvider<UpdateOrganizationAuthRequestCommand> sutProvider)
    {
        var expectedDeviceTypeAndIdentifier = $"{deviceType} - {deviceIdentifier}";

        sutProvider.GetDependency<IAuthRequestService>()
            .UpdateAuthRequestAsync(requestId, userId,
                Arg.Is<AuthRequestUpdateRequestModel>(x =>
                    x.RequestApproved == requestApproved && x.Key == encryptedUserKey))
            .Returns(new AuthRequest()
            {
                UserId = userId,
                Approved = true,
                ResponseDate = responseDate,
                RequestDeviceType = deviceType,
                RequestDeviceIdentifier = deviceIdentifier,
                RequestIpAddress = requestIpAddress,
            });

        sutProvider.GetDependency<IUserRepository>()
            .GetByIdAsync(userId)
            .Returns(new User()
            {
                Email = email
            });

        await sutProvider.Sut.UpdateAsync(requestId, userId, requestApproved, encryptedUserKey);

        await sutProvider.GetDependency<IUserRepository>().Received(1).GetByIdAsync(userId);
        await sutProvider.GetDependency<IMailService>().Received(1)
            .SendTrustedDeviceAdminApprovalEmailAsync(email, responseDate, requestIpAddress, expectedDeviceTypeAndIdentifier);
    }

    [Theory]
    [BitAutoData]
    public async Task UpdateOrgAuthRequest_Denied_NonExecutes(
        SutProvider<UpdateOrganizationAuthRequestCommand> sutProvider, Guid requestId, Guid userId,
        bool requestApproved, string encryptedUserKey)
    {
        sutProvider.GetDependency<IAuthRequestService>()
            .UpdateAuthRequestAsync(requestId, userId,
                Arg.Is<AuthRequestUpdateRequestModel>(x =>
                    x.RequestApproved == requestApproved && x.Key == encryptedUserKey))
            .Returns(new AuthRequest() { Approved = false });

        await sutProvider.Sut.UpdateAsync(requestId, userId, requestApproved, encryptedUserKey);

        await sutProvider.GetDependency<IUserRepository>().DidNotReceive().GetByIdAsync(userId);
        await sutProvider.GetDependency<IMailService>().DidNotReceive()
            .SendTrustedDeviceAdminApprovalEmailAsync(Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<string>(),
                Arg.Any<string>());
    }

    [Theory]
    [BitAutoData]
    public async Task UpdateAsync_BatchUpdate_AuthRequestForOrganizationNotFound_DoesNotExecute(
        SutProvider<UpdateOrganizationAuthRequestCommand> sutProvider,
        List<OrganizationAuthRequestUpdate> updates,
        AuthRequestUpdateProcessorConfiguration configuration)
    {
        sutProvider.GetDependency<IAuthRequestRepository>().GetManyAdminApprovalRequestsByManyIdsAsync(
            configuration.OrganizationId,
            updates.Select(ar => ar.Id)
        ).ReturnsForAnyArgs((ICollection<OrganizationAdminAuthRequest>)null);

        await sutProvider.Sut.UpdateAsync(configuration.OrganizationId, updates);
        await sutProvider.GetDependency<IAuthRequestRepository>().DidNotReceiveWithAnyArgs().UpdateManyAsync(Arg.Any<IEnumerable<OrganizationAdminAuthRequest>>());
        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushAuthRequestResponseAsync(Arg.Any<AuthRequest>());
        await sutProvider.GetDependency<IMailService>().DidNotReceiveWithAnyArgs().SendTrustedDeviceAdminApprovalEmailAsync(
            Arg.Any<string>(),
            Arg.Any<DateTime>(),
            Arg.Any<string>(),
            Arg.Any<string>()
        );
        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogOrganizationUserEventsAsync(
            Arg.Any<IEnumerable<(OrganizationUser, EventType, DateTime?)>>()
        );
    }

    [Theory]
    [BitAutoData]
    public async Task UpdateAsync_BatchUpdate_ValidRequest_SavesAndFiresAllEvents(
        SutProvider<UpdateOrganizationAuthRequestCommand> sutProvider,
        List<OrganizationAuthRequestUpdate> updates,
        List<OrganizationAdminAuthRequest> unprocessedAuthRequests,
        AuthRequestUpdateProcessorConfiguration configuration,
        List<OrganizationUser> organizationUsers,
        List<User> users
    )
    {
        // For this command to work we need the following from external
        // classes:
        // 1. A configured expiration timespan for organization auth requests
        // 2. Some unresponded to auth requests that match the ids provided
        // 3. A valid user to send emails to
        // 4. A valid organization user to log events for

        for (int i = 0; i < updates.Count(); i++)
        {
            unprocessedAuthRequests[i] = UnrespondAndEnsureValid(unprocessedAuthRequests[i], configuration.OrganizationId);
            updates[i].Approved = true;
            updates[i].Key = "key";
            unprocessedAuthRequests[i].Id = updates[i].Id;
            unprocessedAuthRequests[i].RequestDeviceType = DeviceType.iOS;
            unprocessedAuthRequests[i].OrganizationUserId = organizationUsers[i].Id;
            organizationUsers[i].OrganizationId = configuration.OrganizationId;
            users[i].Id = unprocessedAuthRequests[i].UserId;
            organizationUsers[i].UserId = unprocessedAuthRequests[i].UserId;

            sutProvider.GetDependency<IUserRepository>().GetByIdAsync(Arg.Is(users[i].Id)).Returns(users[i]);
        };

        sutProvider.GetDependency<IGlobalSettings>().PasswordlessAuth.AdminRequestExpiration.Returns(TimeSpan.FromDays(7));

        sutProvider.GetDependency<IAuthRequestRepository>().GetManyAdminApprovalRequestsByManyIdsAsync(
            configuration.OrganizationId,
            updates.Select(ar => ar.Id)
        ).ReturnsForAnyArgs(unprocessedAuthRequests);

        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(Arg.Is<IEnumerable<Guid>>(
            list => list.All(x => organizationUsers.Select(y => y.Id).Contains(x)))).Returns(organizationUsers);

        // Call the SUT
        await sutProvider.Sut.UpdateAsync(configuration.OrganizationId, updates);

        // Assert that because we passed in good data we call a save
        // operation and raise all events
        await sutProvider.GetDependency<IAuthRequestRepository>()
            .Received()
            .UpdateManyAsync(
                Arg.Is<IEnumerable<OrganizationAdminAuthRequest>>(list =>
                    list.Any() &&
                    list.All(x =>
                        x.Approved.Value &&
                        x.Key == "key" &&
                        x.ResponseDate != null &&
                        unprocessedAuthRequests.Select(y => y.Id).Contains(x.Id))));

        foreach (var authRequest in unprocessedAuthRequests)
        {
            await sutProvider.GetDependency<IPushNotificationService>().Received()
                .PushAuthRequestResponseAsync(Arg.Is<OrganizationAdminAuthRequest>
                        (ar => ar.Id == authRequest.Id && ar.Approved == true && ar.Key == "key"));

            await sutProvider.GetDependency<IMailService>().Received().SendTrustedDeviceAdminApprovalEmailAsync(
                users.FirstOrDefault(x => x.Id == authRequest.UserId).Email,
                Arg.Any<DateTime>(),
                authRequest.RequestIpAddress,
                $"iOS - {authRequest.RequestDeviceIdentifier}"
            );
        }

        await sutProvider.GetDependency<IEventService>().Received().LogOrganizationUserEventsAsync(
            Arg.Is<IEnumerable<(OrganizationUser o, EventType e, DateTime? d)>>(list =>
                list.Any() && list.All(x => organizationUsers.Any(y => y.Id == x.o.Id) && x.e == EventType.OrganizationUser_ApprovedAuthRequest)
        ));
    }

    [Theory]
    [BitAutoData]
    public async Task UpdateAsync_BatchUpdate_AuthRequestIsDenied_DoesNotLeakRejection(
        SutProvider<UpdateOrganizationAuthRequestCommand> sutProvider,
        List<OrganizationAuthRequestUpdate> updates,
        OrganizationAdminAuthRequest unprocessedAuthRequest,
        AuthRequestUpdateProcessorConfiguration configuration,
        User user
    )
    {
        // For this command to work we need the following from external
        // classes:
        // 1. A configured expiration timespan for organization auth requests
        // 2. Some unresponded to auth requests that match the ids provided
        // 3. A valid user to send emails to

        var unprocessedAuthRequests = new List<OrganizationAdminAuthRequest>();
        unprocessedAuthRequest = UnrespondAndEnsureValid(unprocessedAuthRequest, configuration.OrganizationId);
        foreach (var update in updates)
        {
            update.Approved = false;
            unprocessedAuthRequest.Id = update.Id;
            unprocessedAuthRequests.Add(unprocessedAuthRequest);
        };

        sutProvider.GetDependency<IGlobalSettings>().PasswordlessAuth.AdminRequestExpiration.Returns(TimeSpan.FromDays(7));

        sutProvider.GetDependency<IAuthRequestRepository>().GetManyAdminApprovalRequestsByManyIdsAsync(
            configuration.OrganizationId,
            updates.Select(ar => ar.Id)
        ).ReturnsForAnyArgs(unprocessedAuthRequests);

        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(Arg.Any<Guid>()).Returns(user);

        // Call the SUT
        await sutProvider.Sut.UpdateAsync(configuration.OrganizationId, updates);

        // Assert that because we passed in good data we call a save
        // operation and raise all events
        await sutProvider.GetDependency<IAuthRequestRepository>().ReceivedWithAnyArgs().UpdateManyAsync(Arg.Any<IEnumerable<OrganizationAdminAuthRequest>>());
        await sutProvider.GetDependency<IPushNotificationService>().DidNotReceiveWithAnyArgs().PushAuthRequestResponseAsync(Arg.Any<AuthRequest>());
        await sutProvider.GetDependency<IMailService>().DidNotReceiveWithAnyArgs().SendTrustedDeviceAdminApprovalEmailAsync(
            Arg.Any<string>(),
            Arg.Any<DateTime>(),
            Arg.Any<string>(),
            Arg.Any<string>()
        );
        await sutProvider.GetDependency<IEventService>().ReceivedWithAnyArgs().LogOrganizationUserEventsAsync(
            Arg.Any<IEnumerable<(OrganizationUser, EventType, DateTime?)>>()
        );
    }

    private T UnrespondAndEnsureValid<T>(T authRequest, Guid organizationId) where T : AuthRequest
    {
        authRequest.OrganizationId = organizationId;
        authRequest.Key = null;
        authRequest.Approved = null;
        authRequest.ResponseDate = null;
        authRequest.AuthenticationDate = null;
        authRequest.CreationDate = DateTime.UtcNow.AddMinutes(-10);
        return authRequest;
    }
}