require "spec_helper"

def user_update_json
  {
    "user" => { 
      "uid" => @user_to_update.uid, 
      "name" => "Joshua Marshall", 
      "email" => "user@domain.com", 
      "permissions" => ["signin", "new permission"]
    }
  }.to_json
end

describe Api::UserController, type: :controller do

  before :each do
    @user_to_update = User.create!({ 
        :uid => "a1s2d3#{rand(10000)}", 
        :email => "old@domain.com",
        :name => "Moshua Jarshall", 
        :permissions => ["signin"] }, 
        as: :oauth)
  end

  describe "PUT update" do
    it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
      malicious_user = User.new({ 
          :uid => '2', 
          :name => "User", 
          :permissions =>["signin"] })

      request.env['warden'] = stub("stub warden", :authenticate! => true, authenticated?: true, user: malicious_user)

      request.env['RAW_POST_DATA'] = user_update_json
      put :update, uid: @user_to_update.uid
      
      assert_equal 403, response.status
    end

    it "should create/update the user record in the same way as the OAuth callback" do
      # Test that it authenticates
      request.env['warden'] = mock("mock warden")
      request.env['warden'].expects(:authenticate!).at_least_once.returns(true)
      request.env['warden'].expects(:authenticated?).at_least_once.returns(true)
      request.env['warden'].expects(:user).at_least_once.returns(GDS::SSO::ApiUser.new)

      request.env['RAW_POST_DATA'] = user_update_json
      put :update, uid: @user_to_update.uid

      @user_to_update.reload
      assert_equal "Joshua Marshall", @user_to_update.name
      assert_equal "user@domain.com", @user_to_update.email
      expected_permissions = ["signin", "new permission"]
      assert_equal expected_permissions, @user_to_update.permissions
    end
  end

  describe "POST reauth" do
    it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
      malicious_user = User.new({ 
          :uid => '2', 
          :name => "User", 
          :permissions => ["signin"] })

      request.env['warden'] = stub("stub warden", :authenticate! => true, authenticated?: true, user: malicious_user)

      post :reauth, uid: @user_to_update.uid
      
      assert_equal 403, response.status
    end

    it "should return success if user record doesn't exist" do
      request.env['warden'] = mock("mock warden")
      request.env['warden'].expects(:authenticate!).at_least_once.returns(true)
      request.env['warden'].expects(:authenticated?).at_least_once.returns(true)
      request.env['warden'].expects(:user).at_least_once.returns(GDS::SSO::ApiUser.new)

      post :reauth, uid: "nonexistent-user"

      assert_equal 200, response.status
    end

    it "should set remotely_signed_out to true on the user" do
      # Test that it authenticates
      request.env['warden'] = mock("mock warden")
      request.env['warden'].expects(:authenticate!).at_least_once.returns(true)
      request.env['warden'].expects(:authenticated?).at_least_once.returns(true)
      request.env['warden'].expects(:user).at_least_once.returns(GDS::SSO::ApiUser.new)

      post :reauth, uid: @user_to_update.uid

      @user_to_update.reload
      assert_equal true,  @user_to_update.remotely_signed_out
    end
  end
end