package tests

import (
	"strings"
	"testing"
)

// TestSQLInjection 测试 SQL 注入防护
func TestSQLInjection(t *testing.T) {
	ensureUsers(t)

	// 测试用户名中的 SQL 注入
	t.Run("SQL Injection in username", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/auth/register", map[string]string{
			"username": "admin' OR '1'='1",
			"password": "password123",
			"email":    "sql@test.com",
		}, "")
		// 应该正常处理，不应该崩溃或返回异常
		if resp.Code == 500 {
			t.Errorf("SQL injection caused server error: %s", resp.Body.String())
		}
	})

	// 测试组织代码中的 SQL 注入
	t.Run("SQL Injection in org code", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/orgs", map[string]string{
			"code": "test' OR '1'='1",
			"name": "SQL Test Org",
		}, User1Token)
		// 应该正常处理或返回业务错误，而不是 SQL 错误
		if resp.Code == 500 {
			t.Errorf("SQL injection in org code caused server error: %s", resp.Body.String())
		}
	})

	// 测试搜索中的 SQL 注入
	t.Run("SQL Injection in search", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/auth/users?keyword=admin' OR '1'='1", nil, AdminToken)
		// 应该正常处理
		if resp.Code == 500 {
			t.Errorf("SQL injection in search caused server error: %s", resp.Body.String())
		}
	})
}

// TestXSSPrevention 测试 XSS 防护
func TestXSSPrevention(t *testing.T) {
	ensureUsers(t)

	xssPayload := "<script>alert('xss')</script>"

	// 测试昵称中的 XSS
	t.Run("XSS in nickname", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/auth/me", map[string]string{
			"nickname": xssPayload,
		}, User1Token)

		if resp.Code == 200 {
			// 检查返回的数据是否被转义
			if strings.Contains(resp.Body.String(), "<script>") {
				t.Logf("Warning: XSS payload not escaped in response: %s", resp.Body.String())
			}
		}
	})

	// 测试组织名称中的 XSS
	t.Run("XSS in org name", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/orgs", map[string]string{
			"code": "xss_test_org",
			"name": xssPayload,
		}, User1Token)

		if resp.Code == 200 {
			if strings.Contains(resp.Body.String(), "<script>") {
				t.Logf("Warning: XSS payload not escaped in org response: %s", resp.Body.String())
			}
		}
	})
}

// TestInputValidation 测试输入验证
func TestInputValidation(t *testing.T) {
	ensureUsers(t)

	// 测试空用户名
	t.Run("Empty username", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/auth/register", map[string]string{
			"username": "",
			"password": "password123",
			"email":    "empty@test.com",
		}, "")
		if resp.Code == 200 {
			t.Errorf("Empty username should be rejected, got 200")
		}
	})

	// 测试空密码
	t.Run("Empty password", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/auth/register", map[string]string{
			"username": "testuser_empty_pass",
			"password": "",
			"email":    "emptypass@test.com",
		}, "")
		if resp.Code == 200 {
			t.Errorf("Empty password should be rejected, got 200")
		}
	})

	// 测试超长输入
	t.Run("Overlong username", func(t *testing.T) {
		longUsername := strings.Repeat("a", 300)
		resp := doRequest(t, "POST", "/api/auth/register", map[string]string{
			"username": longUsername,
			"password": "password123",
			"email":    "long@test.com",
		}, "")
		if resp.Code == 200 {
			t.Logf("Warning: Overlong username was accepted")
		}
	})

	// 测试无效邮箱格式
	t.Run("Invalid email format", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/auth/register", map[string]string{
			"username": "testuser_invalid_email",
			"password": "password123",
			"email":    "not-an-email",
		}, "")
		if resp.Code == 200 {
			t.Logf("Warning: Invalid email format was accepted")
		}
	})
}

// TestIDOR 测试不安全的直接对象引用 (IDOR)
func TestIDOR(t *testing.T) {
	ensureUsers(t)

	// 测试：User1 尝试访问 User2 的敏感信息
	t.Run("User1 tries to access User2's data", func(t *testing.T) {
		// 尝试通过 /api/users/{id} 访问其他用户信息
		resp := doRequest(t, "GET", "/api/users/"+User2ID, nil, User1Token)
		if resp.Code == 200 {
			// 检查是否返回了敏感信息
			t.Logf("Warning: User1 can access User2's data: %s", resp.Body.String())
		}
	})

	// 测试：User1 尝试修改 User2 的信息
	t.Run("User1 tries to modify User2's data", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/users/"+User2ID, map[string]string{
			"nickname": "Hacked by User1",
		}, User1Token)
		if resp.Code == 200 {
			t.Errorf("User1 should not be able to modify User2's data, got 200")
		}
	})
}

// TestAuthorizationBypass 测试授权绕过
func TestAuthorizationBypass(t *testing.T) {
	ensureUsers(t)

	// 测试：尝试访问需要认证但没有提供 token 的端点
	t.Run("Access protected endpoint without token", func(t *testing.T) {
		endpoints := []struct {
			method string
			path   string
		}{
			{"GET", "/api/users"},
			{"GET", "/api/orgs"},
			{"GET", "/api/roles"},
			{"GET", "/api/auth/me"},
		}

		for _, ep := range endpoints {
			resp := doRequest(t, ep.method, ep.path, nil, "")
			if resp.Code == 200 {
				t.Errorf("%s %s should require authentication, got 200", ep.method, ep.path)
			}
		}
	})

	// 测试：使用无效 token
	t.Run("Access with invalid token", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/auth/me", nil, "invalid_token_here")
		if resp.Code == 200 {
			t.Errorf("Invalid token should be rejected, got 200")
		}
	})

	// 测试：使用过期 token（如果有办法生成）
	t.Run("Access with malformed token", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/auth/me", nil, "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.invalid")
		if resp.Code == 200 {
			t.Errorf("Malformed token should be rejected, got 200")
		}
	})
}

// TestPrivilegeEscalation 测试权限提升
func TestPrivilegeEscalation(t *testing.T) {
	ensureUsers(t)

	// 测试：普通用户尝试赋予自己 admin 角色
	t.Run("User tries to assign admin role to self", func(t *testing.T) {
		resp := doRequest(t, "PUT", "/api/users/"+User1ID+"/roles", map[string]any{
			"role_ids": []string{"admin"},
		}, User1Token)
		if resp.Code == 200 {
			t.Errorf("User should not be able to assign admin role to self, got 200")
		}
	})

	// 测试：普通用户尝试修改自己的权限
	t.Run("User tries to modify own permissions", func(t *testing.T) {
		resp := doRequest(t, "PUT", "/api/users/"+User1ID+"/permissions", map[string]any{
			"permission_ids": []string{"*:*"},
		}, User1Token)
		if resp.Code == 200 {
			t.Errorf("User should not be able to modify own permissions, got 200")
		}
	})

	// 测试：普通用户尝试创建系统角色
	t.Run("User tries to create system role", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/roles", map[string]string{
			"code":        "super_admin",
			"name":        "Super Admin",
			"description": "Trying to escalate privileges",
		}, User1Token)
		if resp.Code == 200 {
			t.Errorf("User should not be able to create roles, got 200")
		}
	})
}

// TestRateLimiting 测试速率限制（如果实现了）
func TestRateLimiting(t *testing.T) {
	ensureUsers(t)

	// 快速发送多个请求
	t.Run("Rapid requests", func(t *testing.T) {
		for i := 0; i < 10; i++ {
			resp := doRequest(t, "GET", "/api/auth/me", nil, User1Token)
			if resp.Code == 429 {
				t.Logf("Rate limiting detected after %d requests", i+1)
				return
			}
		}
		t.Logf("No rate limiting detected")
	})
}

// TestSpecialCharacters 测试特殊字符处理
func TestSpecialCharacters(t *testing.T) {
	ensureUsers(t)

	specialChars := []string{
		"test\x00null",      // null byte
		"test\nnewline",     // newline
		"test\rcarriage",    // carriage return
		"test\ttab",         // tab
		"test<script>",      // HTML tag
		"test../../etc/passwd", // path traversal
		"test%00",           // URL encoded null
		"test%2e%2e%2f",     // URL encoded path traversal
	}

	for _, char := range specialChars {
		safeChar := strings.ReplaceAll(char, " ", "_")
		if len(safeChar) > 4 {
			safeChar = safeChar[:4]
		}
		codeSuffix := safeChar
		if len(codeSuffix) > 8 {
			codeSuffix = codeSuffix[:8]
		}
		t.Run("Special char: "+safeChar+"...", func(t *testing.T) {
			resp := doRequest(t, "POST", "/api/orgs", map[string]string{
				"code": "test_" + codeSuffix,
				"name": char,
			}, User1Token)

			if resp.Code == 500 {
				t.Errorf("Special character caused server error: %s", resp.Body.String())
			}
		})
	}
}

// TestUUIDManipulation 测试 UUID 操作
func TestUUIDManipulation(t *testing.T) {
	ensureUsers(t)

	// 测试无效 UUID 格式
	t.Run("Invalid UUID format", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/users/invalid-uuid", nil, AdminToken)
		if resp.Code == 200 {
			t.Errorf("Invalid UUID should be rejected, got 200")
		}
	})

	// 测试不存在的 UUID
	t.Run("Non-existent UUID", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/users/12345678-1234-1234-1234-123456789abc", nil, AdminToken)
		if resp.Code == 200 {
			t.Errorf("Non-existent UUID should return 404, got 200")
		}
	})

	// 测试 SQL 注入风格的 UUID
	t.Run("SQL injection in UUID", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/users/' OR '1'='1", nil, AdminToken)
		if resp.Code == 200 {
			t.Errorf("SQL injection in UUID should be rejected, got 200")
		}
	})
}