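import { describe, expect, it } from "vitest"
import { hasPermission, normalizeRole, permissionMatrix } from "./rbac"

/**
 * Regression tests for the RBAC model in ./rbac.
 *
 * They pin three properties a reviewer cares about:
 *  - role names are canonicalised before lookup (normalizeRole), and an
 *    unknown role maps to null rather than to any fallback role;
 *  - the set of full-access roles (owner, support, admin) is named
 *    explicitly, so widening or narrowing that set shows up as a diff here;
 *  - non-admin roles are bounded by both permission and scope, so an
 *    "own"/"team" grant never silently becomes a "global" one.
 */

// Role names the model accepts; mirrors the keys exercised below.
type Role = "owner" | "support" | "admin" | "manager" | "editor"
// Derive the permission/scope unions from hasPermission's signature so the
// table below cannot drift from the real argument types.
type Permission = Parameters<typeof hasPermission>[1]
type Scope = Parameters<typeof hasPermission>[2]

describe("rbac model", () => {
  it("normalizes valid roles", () => {
    // Case-insensitive on input, lower-case canonical form on output.
    expect(normalizeRole("OWNER")).toBe("owner")
    expect(normalizeRole("support")).toBe("support")
    expect(normalizeRole("ADMIN")).toBe("admin")
    expect(normalizeRole("manager")).toBe("manager")
    // Unknown input must be rejected (null), never coerced to a default role.
    expect(normalizeRole("unknown")).toBeNull()
  })

  it("grants admin full access", () => {
    // NOTE(review): "support" is asserted here with the same reach as
    // owner/admin (it is listed alongside them in the critical-permission
    // table below for users:manage_roles). If that is intentional, keep it
    // pinned; if support is meant to be narrower, this is the test to change.
    expect(hasPermission("owner", "users:manage_roles", "global")).toBe(true)
    expect(hasPermission("support", "news:publish", "global")).toBe(true)
    expect(hasPermission("admin", "users:manage_roles", "global")).toBe(true)
    expect(hasPermission("admin", "news:publish", "global")).toBe(true)
  })

  it("enforces scope hierarchy", () => {
    // A grant at "team" scope must not be usable at the wider "global" scope.
    expect(hasPermission("editor", "news:write", "team")).toBe(true)
    expect(hasPermission("editor", "news:write", "global")).toBe(false)
    expect(hasPermission("editor", "news:publish", "own")).toBe(true)
  })

  it("keeps matrix explicit for non-admin roles", () => {
    // Non-admin roles must be enumerated in the matrix rather than derived
    // from a wildcard; an empty entry is what an accidental deletion of a
    // role's grants would look like.
    expect(permissionMatrix.editor.length).toBeGreaterThan(0)
    expect(permissionMatrix.manager.length).toBeGreaterThan(0)
  })

  it("prevents privilege escalation for non-admin roles", () => {
    // Role management is reserved for the full-access roles; a read-only
    // permission at global scope is still fine for an editor.
    expect(hasPermission("editor", "users:manage_roles", "global")).toBe(false)
    expect(hasPermission("manager", "users:manage_roles", "global")).toBe(false)
    expect(hasPermission("editor", "dashboard:read", "global")).toBe(true)
  })

  it("keeps role policy regressions visible for critical permissions", () => {
    // Table of (role, permission, scope) -> expected decision. Add a row
    // whenever a permission's reach is changed on purpose, so the review diff
    // shows the policy change next to the code change.
    const criticalChecks: Array<{
      role: Role
      permission: Permission
      scope: Scope
      allowed: boolean
    }> = [
      { role: "owner", permission: "users:manage_roles", scope: "global", allowed: true },
      { role: "support", permission: "users:manage_roles", scope: "global", allowed: true },
      { role: "admin", permission: "banner:write", scope: "global", allowed: true },
      { role: "manager", permission: "users:write", scope: "global", allowed: false },
      { role: "manager", permission: "users:write", scope: "team", allowed: true },
      { role: "editor", permission: "news:publish", scope: "team", allowed: false },
      { role: "editor", permission: "news:publish", scope: "own", allowed: true },
    ]

    for (const { role, permission, scope, allowed } of criticalChecks) {
      // The message names the failing row; otherwise a table failure only
      // reports "expected true, got false" with no indication of which check.
      expect(
        hasPermission(role, permission, scope),
        `${role} / ${permission} / ${scope} should be ${allowed ? "allowed" : "denied"}`,
      ).toBe(allowed)
    }
  })
})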