<?php

namespace Tests\Feature;

use App\Models\Permission;
use App\Models\Role;
use App\Models\User;
use Database\Seeders\RbacSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AdminRoleControllerTest extends TestCase
{
    use RefreshDatabase;

    private User $adminUser;

    protected function setUp(): void
    {
        parent::setUp();

        $this->adminUser = User::factory()->create(['role' => Role::ADMIN]);
        $this->seed(RbacSeeder::class);
        $this->adminUser->refresh();
    }

    public function test_admin_can_open_roles_index(): void
    {
        $this->actingAs($this->adminUser)
            ->get(route('admin.roles.index'))
            ->assertOk()
            ->assertSee('Роли и права');
    }

    public function test_admin_role_update_keeps_all_permissions_allowed(): void
    {
        $adminRole = Role::query()->where('slug', Role::ADMIN)->firstOrFail();
        $permission = Permission::query()->where('slug', 'catalog.delete')->firstOrFail();

        $this->actingAs($this->adminUser)
            ->put(route('admin.roles.update', $adminRole), [
                'slug' => Role::ADMIN,
                'name' => 'Админ',
                'is_active' => '0',
                'permission_effects' => [
                    $permission->id => 'deny',
                ],
            ])
            ->assertRedirect(route('admin.roles.edit', $adminRole));

        $this->assertDatabaseHas('roles', [
            'id' => $adminRole->id,
            'is_active' => true,
        ]);
        $this->assertDatabaseHas('role_permissions', [
            'role_id' => $adminRole->id,
            'permission_id' => $permission->id,
            'effect' => 'allow',
        ]);
    }

    public function test_role_cannot_be_deleted_while_any_user_references_it(): void
    {
        $role = Role::query()->where('slug', Role::MANAGER)->firstOrFail();
        User::factory()->create([
            'role' => Role::MANAGER,
            'role_id' => $role->id,
            'deleted_at' => now(),
        ]);

        $this->actingAs($this->adminUser)
            ->delete(route('admin.roles.destroy', $role))
            ->assertRedirect(route('admin.roles.edit', $role));

        $this->assertDatabaseHas('roles', ['id' => $role->id]);
    }

    public function test_role_can_be_created_from_user_effective_permissions(): void
    {
        $managerRole = Role::query()->where('slug', Role::MANAGER)->firstOrFail();
        $user = User::factory()->create([
            'role' => Role::MANAGER,
            'role_id' => $managerRole->id,
        ]);
        $permission = Permission::query()->where('slug', 'catalog.view')->firstOrFail();

        $user->permissions()->syncWithoutDetaching([
            $permission->id => ['effect' => 'deny'],
        ]);

        $this->actingAs($this->adminUser)
            ->post(route('admin.roles.store-from-user', $user), [
                'name' => 'Тестовая роль',
                'slug' => 'test_custom_role',
            ])
            ->assertRedirect();

        $role = Role::query()->where('slug', 'test_custom_role')->firstOrFail();
        $this->assertDatabaseHas('role_permissions', [
            'role_id' => $role->id,
            'permission_id' => $permission->id,
            'effect' => 'deny',
        ]);
    }

    public function test_user_permission_override_can_deny_role_permission(): void
    {
        $managerRole = Role::query()->where('slug', Role::MANAGER)->firstOrFail();
        $user = User::factory()->create([
            'role' => Role::MANAGER,
            'role_id' => $managerRole->id,
        ]);
        $permission = Permission::query()->where('slug', 'catalog.view')->firstOrFail();

        $this->actingAs($this->adminUser)
            ->post(route('user.store'), [
                'id' => $user->id,
                'email' => $user->email,
                'name' => $user->name,
                'role_id' => $managerRole->id,
                'permission_effects' => [
                    $permission->id => 'deny',
                ],
            ])
            ->assertRedirect(route('user.index'));

        $this->assertDatabaseHas('user_permissions', [
            'user_id' => $user->id,
            'permission_id' => $permission->id,
            'effect' => 'deny',
        ]);
        $this->assertFalse($user->refresh()->hasPermission('catalog.view'));
    }

    public function test_custom_role_can_pass_legacy_role_middleware_by_route_permission(): void
    {
        $permission = Permission::query()->where('slug', 'admin.roles')->firstOrFail();
        $role = Role::query()->create([
            'slug' => 'permissions_operator',
            'name' => 'Оператор прав',
            'is_system' => false,
            'is_active' => true,
        ]);
        $role->permissions()->sync([
            $permission->id => ['effect' => 'allow'],
        ]);
        $user = User::factory()->create([
            'role' => $role->slug,
            'role_id' => $role->id,
        ]);

        $this->actingAs($user)
            ->get(route('admin.roles.index'))
            ->assertOk()
            ->assertSee('Роли и права');
    }

    public function test_role_can_be_copied_with_permissions(): void
    {
        $managerRole = Role::query()->where('slug', Role::MANAGER)->firstOrFail();
        $permission = Permission::query()->where('slug', 'catalog.view')->firstOrFail();

        $this->actingAs($this->adminUser)
            ->post(route('admin.roles.copy', $managerRole))
            ->assertRedirect();

        $copy = Role::query()
            ->where('slug', 'manager_copy')
            ->firstOrFail();

        $this->assertFalse($copy->is_system);
        $this->assertDatabaseHas('role_permissions', [
            'role_id' => $copy->id,
            'permission_id' => $permission->id,
            'effect' => 'allow',
        ]);
    }
}