# -*- coding: utf-8; -*-

from unittest import TestCase
from unittest.mock import MagicMock

from pyramid import testing

from wuttjamaican.conf import WuttaConfig
from wuttaweb import auth as mod
from tests.util import WebTestCase


class TestLoginUser(TestCase):

    def test_basic(self):
        config = WuttaConfig()
        app = config.get_app()
        model = app.model
        request = testing.DummyRequest(wutta_config=config)
        user = model.User(username='barney')
        headers = mod.login_user(request, user)
        self.assertEqual(headers, [])

class TestLogoutUser(TestCase):

    def test_basic(self):
        config = WuttaConfig()
        request = testing.DummyRequest(wutta_config=config)
        request.session.delete = MagicMock()
        headers = mod.logout_user(request)
        request.session.delete.assert_called_once_with()
        self.assertEqual(headers, [])


class TestWuttaSecurityPolicy(TestCase):

    def setUp(self):
        self.config = WuttaConfig(defaults={
            'wutta.db.default.url': 'sqlite://',
        })

        self.request = testing.DummyRequest()
        self.pyramid_config = testing.setUp(request=self.request, settings={
            'wutta_config': self.config,
        })

        self.app = self.config.get_app()
        model = self.app.model
        model.Base.metadata.create_all(bind=self.config.appdb_engine)
        self.session = self.app.make_session()
        self.user = model.User(username='barney')
        self.session.add(self.user)
        self.session.commit()

        self.policy = self.make_policy()

    def tearDown(self):
        testing.tearDown()

    def make_policy(self):
        return mod.WuttaSecurityPolicy(db_session=self.session)

    def test_remember(self):
        uuid = self.user.uuid
        self.assertIsNotNone(uuid)
        self.assertIsNone(self.policy.session_helper.authenticated_userid(self.request))
        self.policy.remember(self.request, uuid)
        self.assertEqual(self.policy.session_helper.authenticated_userid(self.request), uuid)

    def test_forget(self):
        uuid = self.user.uuid
        self.policy.remember(self.request, uuid)
        self.assertEqual(self.policy.session_helper.authenticated_userid(self.request), uuid)
        self.policy.forget(self.request)
        self.assertIsNone(self.policy.session_helper.authenticated_userid(self.request))

    def test_identity(self):

        # no identity
        user = self.policy.identity(self.request)
        self.assertIsNone(user)

        # identity is remembered (must use new policy to bust cache)
        self.policy = self.make_policy()
        uuid = self.user.uuid
        self.assertIsNotNone(uuid)
        self.policy.remember(self.request, uuid)
        user = self.policy.identity(self.request)
        self.assertIs(user, self.user)

        # invalid identity yields no user
        self.policy = self.make_policy()
        self.policy.remember(self.request, 'bogus-user-uuid')
        user = self.policy.identity(self.request)
        self.assertIsNone(user)

    def test_authenticated_userid(self):

        # no identity
        uuid = self.policy.authenticated_userid(self.request)
        self.assertIsNone(uuid)

        # identity is remembered (must use new policy to bust cache)
        self.policy = self.make_policy()
        self.policy.remember(self.request, self.user.uuid)
        uuid = self.policy.authenticated_userid(self.request)
        self.assertEqual(uuid, self.user.uuid)

    def test_permits(self):
        auth = self.app.get_auth_handler()
        model = self.app.model

        # anon has no perms
        self.assertFalse(self.policy.permits(self.request, None, 'foo.bar'))

        # but we can grant it
        anons = auth.get_role_anonymous(self.session)
        self.user.roles.append(anons)
        auth.grant_permission(anons, 'foo.bar')
        self.session.commit()

        # and then perm check is satisfied
        self.assertTrue(self.policy.permits(self.request, None, 'foo.bar'))

        # now, create a separate role and grant another perm
        # (but user does not yet belong to this role)
        role = model.Role(name='whatever')
        self.session.add(role)
        auth.grant_permission(role, 'baz.edit')
        self.session.commit()

        # so far then, user does not have the permission
        self.policy = self.make_policy()
        self.policy.remember(self.request, self.user.uuid)
        self.assertFalse(self.policy.permits(self.request, None, 'baz.edit'))

        # but if we assign user to role, perm check should pass
        self.user.roles.append(role)
        self.session.commit()
        self.assertTrue(self.policy.permits(self.request, None, 'baz.edit'))

        # now let's try another perm - we won't grant it, but will
        # confirm user is denied access unless they become root
        self.assertFalse(self.policy.permits(self.request, None, 'some-root-perm'))
        self.request.is_root = True
        self.assertTrue(self.policy.permits(self.request, None, 'some-root-perm'))


class TestAddPermissionGroup(WebTestCase):

    def test_basic(self):
        permissions = self.pyramid_config.get_settings().get('wutta_permissions', {})
        self.assertNotIn('widgets', permissions)
        self.pyramid_config.add_wutta_permission_group('widgets')
        permissions = self.pyramid_config.get_settings().get('wutta_permissions', {})
        self.assertIn('widgets', permissions)
        self.assertEqual(permissions['widgets']['label'], "Widgets")


class TestAddPermission(WebTestCase):

    def test_basic(self):
        permissions = self.pyramid_config.get_settings().get('wutta_permissions', {})
        self.assertNotIn('widgets', permissions)
        self.pyramid_config.add_wutta_permission('widgets', 'widgets.polish')
        permissions = self.pyramid_config.get_settings().get('wutta_permissions', {})
        self.assertIn('widgets', permissions)
        self.assertEqual(permissions['widgets']['label'], "Widgets")
        self.assertIn('widgets.polish', permissions['widgets']['perms'])