package auth

import (
	"testing"

	"atcr.io/pkg/atproto"
)

func TestCheckReadAccessWithCaptain_PublicHold(t *testing.T) {
	captain := &atproto.CaptainRecord{
		Public: true,
		Owner:  "did:plc:owner123",
	}

	// Public hold - anonymous user should be allowed
	allowed := CheckReadAccessWithCaptain(captain, "")
	if !allowed {
		t.Error("Expected anonymous user to have read access to public hold")
	}

	// Public hold - authenticated user should be allowed
	allowed = CheckReadAccessWithCaptain(captain, "did:plc:user123")
	if !allowed {
		t.Error("Expected authenticated user to have read access to public hold")
	}
}

func TestCheckReadAccessWithCaptain_PrivateHold(t *testing.T) {
	captain := &atproto.CaptainRecord{
		Public: false,
		Owner:  "did:plc:owner123",
	}

	// Private hold - anonymous user should be denied
	allowed := CheckReadAccessWithCaptain(captain, "")
	if allowed {
		t.Error("Expected anonymous user to be denied read access to private hold")
	}

	// Private hold - authenticated user should be allowed
	allowed = CheckReadAccessWithCaptain(captain, "did:plc:user123")
	if !allowed {
		t.Error("Expected authenticated user to have read access to private hold")
	}
}

func TestCheckWriteAccessWithCaptain_Owner(t *testing.T) {
	captain := &atproto.CaptainRecord{
		Public: false,
		Owner:  "did:plc:owner123",
	}

	// Owner should have write access
	allowed := CheckWriteAccessWithCaptain(captain, "did:plc:owner123", false)
	if !allowed {
		t.Error("Expected owner to have write access")
	}
}

func TestCheckWriteAccessWithCaptain_Crew(t *testing.T) {
	captain := &atproto.CaptainRecord{
		Public: false,
		Owner:  "did:plc:owner123",
	}

	// Crew member should have write access
	allowed := CheckWriteAccessWithCaptain(captain, "did:plc:crew123", true)
	if !allowed {
		t.Error("Expected crew member to have write access")
	}

	// Non-crew member should be denied
	allowed = CheckWriteAccessWithCaptain(captain, "did:plc:user123", false)
	if allowed {
		t.Error("Expected non-crew member to be denied write access")
	}
}

func TestCheckWriteAccessWithCaptain_Anonymous(t *testing.T) {
	captain := &atproto.CaptainRecord{
		Public: false,
		Owner:  "did:plc:owner123",
	}

	// Anonymous user should be denied
	allowed := CheckWriteAccessWithCaptain(captain, "", false)
	if allowed {
		t.Error("Expected anonymous user to be denied write access")
	}
}