import pytest

from l4d2web.app import create_app
from l4d2web.auth import hash_password
from l4d2web.db import init_db, session_scope
from l4d2web.models import User


@pytest.fixture
def client(tmp_path, monkeypatch):
    db_url = f"sqlite:///{tmp_path/'security.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
    init_db()
    with session_scope() as session:
        session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))
    return app.test_client()


def test_csrf_required(client) -> None:
    response = client.post("/servers", data={"name": "x"})
    assert response.status_code == 400


def test_login_rate_limit(client) -> None:
    for _ in range(20):
        client.post("/login", data={"username": "x", "password": "y"})

    response = client.post("/login", data={"username": "x", "password": "y"})
    assert response.status_code == 429


def test_login_rate_limit_per_username_across_ips(client) -> None:
    """A distributed brute-force that rotates the source IP must still be
    slowed once the per-username budget for a single account is exhausted."""
    for i in range(20):
        client.post(
            "/login",
            data={"username": "alice", "password": "wrong"},
            environ_overrides={"REMOTE_ADDR": f"10.0.0.{i}"},
        )

    response = client.post(
        "/login",
        data={"username": "alice", "password": "wrong"},
        environ_overrides={"REMOTE_ADDR": "10.99.99.99"},
    )
    assert response.status_code == 429


def test_login_rate_limit_empty_username_does_not_bucket(client) -> None:
    """Anonymous probes with no username must not all share one bucket — that
    would let an attacker DoS legitimate empty-username 401s. We just don't
    track them per-username."""
    for i in range(25):
        client.post(
            "/login",
            data={"username": "", "password": "wrong"},
            environ_overrides={"REMOTE_ADDR": f"10.1.0.{i}"},
        )

    # A real username from a fresh IP must still get through to the
    # 401 path (i.e. not be 429ed by empty-username spillover).
    response = client.post(
        "/login",
        data={"username": "alice", "password": "wrong"},
        environ_overrides={"REMOTE_ADDR": "10.2.0.1"},
    )
    assert response.status_code == 401


def test_security_headers_present(client) -> None:
    response = client.get("/login")
    assert response.headers.get("X-Content-Type-Options") == "nosniff"
    assert response.headers.get("X-Frame-Options") == "DENY"
    assert response.headers.get("Referrer-Policy") == "strict-origin-when-cross-origin"
    csp = response.headers.get("Content-Security-Policy")
    assert csp is not None
    assert "default-src 'self'" in csp
    assert "frame-ancestors 'none'" in csp
    assert "form-action 'self'" in csp
    # Steam avatar CDN must be explicitly allowed; otherwise the browser
    # silently blocks the avatar <img> loads and the live-state grid shows
    # placeholder circles with names but no faces.
    assert "img-src 'self' data: https://*.steamstatic.com" in csp


def test_csp_nonce_matches_inline_script(client) -> None:
    """Pages that emit inline <script> blocks must tag them with the
    per-request CSP nonce, otherwise the browser blocks them."""
    import re

    with client.session_transaction() as sess:
        sess["csrf_token"] = "tok"

    # Log in so we can hit /servers.
    with session_scope() as db:
        from sqlalchemy import select
        alice = db.scalar(select(User).where(User.username == "alice"))
        alice_id = alice.id
        marker = alice.password_changed_at.isoformat()
    with client.session_transaction() as sess:
        sess["user_id"] = alice_id
        sess["pw_changed_at"] = marker
        sess["admin"] = False

    response = client.get("/servers?prefill_blueprint_id=1")
    csp = response.headers.get("Content-Security-Policy", "")
    nonce_match = re.search(r"'nonce-([^']+)'", csp)
    assert nonce_match, f"expected nonce in CSP, got: {csp}"
    nonce = nonce_match.group(1)
    body = response.get_data(as_text=True)
    if "<script>" in body:
        # An un-nonced inline script slipped through.
        pytest.fail("inline <script> without nonce attribute")
    if "prefill_blueprint_id" in body and "showModal" in body:
        assert f'nonce="{nonce}"' in body


def test_404_response_is_generic(client) -> None:
    response = client.get("/this-route-does-not-exist")
    assert response.status_code == 404
    body = response.get_data(as_text=True)
    assert "Traceback" not in body
    assert "werkzeug" not in body.lower()


def test_500_response_does_not_leak_traceback(tmp_path, monkeypatch) -> None:
    from l4d2web.app import create_app
    db_url = f"sqlite:///{tmp_path/'boom.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    boom_app = create_app({
        "TESTING": True,
        "DATABASE_URL": db_url,
        "SECRET_KEY": "test",
        "PROPAGATE_EXCEPTIONS": False,
    })

    @boom_app.route("/__boom__")
    def boom():
        raise RuntimeError("internal detail that must not leak")

    response = boom_app.test_client().get("/__boom__")
    assert response.status_code == 500
    body = response.get_data(as_text=True)
    assert "internal detail" not in body
    assert "Traceback" not in body