// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package testutil

import (
	"testing"

	"go.pinniped.dev/internal/oidc/oidcclientvalidator"

	"github.com/stretchr/testify/require"
	"golang.org/x/crypto/bcrypt"
)

func TestBcryptConstants(t *testing.T) {
	t.Parallel()

	// It would be helpful to know if upgrading golang changes these constants some day, so test them here for visibility during upgrades.
	require.Equal(t, 4, bcrypt.MinCost, "golang has changed bcrypt.MinCost: please consider implications to the other tests")
	require.Equal(t, 10, bcrypt.DefaultCost, "golang has changed bcrypt.DefaultCost: please consider implications to the production code and tests")
}

func TestBcryptHashedPassword1TestHelpers(t *testing.T) {
	t.Parallel()

	// Can use this to help generate or regenerate the test helper hash constants.
	// t.Log(generateHash(t, PlaintextPassword1, 12))

	require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1AtGoMinCost), []byte(PlaintextPassword1)))
	require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1JustBelowSupervisorMinCost), []byte(PlaintextPassword1)))
	require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword1AtSupervisorMinCost), []byte(PlaintextPassword1)))

	requireCost(t, bcrypt.MinCost, HashedPassword1AtGoMinCost)
	requireCost(t, oidcclientvalidator.DefaultMinBcryptCost-1, HashedPassword1JustBelowSupervisorMinCost)
	requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword1AtSupervisorMinCost)
}

func TestBcryptHashedPassword2TestHelpers(t *testing.T) {
	t.Parallel()

	// Can use this to help generate or regenerate the test helper hash constants.
	// t.Log(generateHash(t, PlaintextPassword2, 12))

	require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword2AtGoMinCost), []byte(PlaintextPassword2)))
	require.NoError(t, bcrypt.CompareHashAndPassword([]byte(HashedPassword2AtSupervisorMinCost), []byte(PlaintextPassword2)))

	requireCost(t, bcrypt.MinCost, HashedPassword2AtGoMinCost)
	requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword2AtSupervisorMinCost)
}

func generateHash(t *testing.T, password string, cost int) string { //nolint:unused,deadcode // used in comments above
	hash, err := bcrypt.GenerateFromPassword([]byte(password), cost)
	require.NoError(t, err)
	return string(hash)
}

func requireCost(t *testing.T, wantCost int, hash string) {
	cost, err := bcrypt.Cost([]byte(hash))
	require.NoError(t, err)
	require.Equal(t, wantCost, cost)
}