# -*- coding: utf-8 -*-
# type: ignore
"""Tests for ``vault.AppRoleVaultSecrets``.

They cover construction from ``VAULT_*`` environment variables, the keyword
arguments produced by ``as_hvac_client_kwargs()``, and the caching behaviour
of ``get_client()``.
"""
from __future__ import annotations

import os
from unittest import mock

from keep_it_secret.ext import vault

# Minimal AppRole environment shared by most tests. The role and secret ids
# are placeholder fixture values, not real credentials.
_APPROLE_ENV = {
    'VAULT_URL': 'https://vault.work/',
    'VAULT_ROLE_ID': 'test_role_id',
    'VAULT_SECRET_ID': 'test_secret_id',
}

# Same environment plus the optional TLS settings. The paths are fixture
# strings; the assertions below only compare them as values.
_APPROLE_TLS_ENV = {
    **_APPROLE_ENV,
    'VAULT_CLIENT_CERT_PATH': '/tmp/vault_client_cert.pem',
    'VAULT_CLIENT_KEY_PATH': '/tmp/vault_client_key.pem',
    'VAULT_SERVER_CERT_PATH': '/tmp/vault_server_cert.pem',
}


@mock.patch.dict(os.environ, _APPROLE_ENV)
def test_init():
    """A freshly constructed instance has no client yet."""
    assert vault.AppRoleVaultSecrets().client is None


@mock.patch.dict(os.environ, _APPROLE_TLS_ENV)
def test_as_hvac_client_kwargs():
    """With all TLS variables set, the kwargs carry ``cert`` and ``verify``."""
    provider = vault.AppRoleVaultSecrets()

    kwargs = provider.as_hvac_client_kwargs()

    # Client certificate and key are paired into one tuple under ``cert``;
    # the server certificate path is passed as ``verify``.
    expected = {
        'url': 'https://vault.work/',
        'cert': ('/tmp/vault_client_cert.pem', '/tmp/vault_client_key.pem'),
        'verify': '/tmp/vault_server_cert.pem',
    }
    assert kwargs == expected


@mock.patch.dict(os.environ, _APPROLE_ENV)
def test_as_hvac_client_kwargs_without_optional_fields():
    """Without the TLS variables, only ``url`` is emitted."""
    provider = vault.AppRoleVaultSecrets()

    kwargs = provider.as_hvac_client_kwargs()

    # The exact-match comparison also pins that no ``verify`` key is produced,
    # i.e. the wrapper does not itself switch off certificate verification.
    expected = {
        'url': 'https://vault.work/',
    }
    assert kwargs == expected


@mock.patch.dict(os.environ, _APPROLE_ENV)
def test_get_client_cache_miss(mock_hvac_client: mock.Mock, hvac_client: mock.Mock):
    """The first ``get_client()`` call builds a client, logs in and caches it.

    ``mock_hvac_client`` and ``hvac_client`` are not defined in this file;
    presumably they are pytest fixtures supplied by a conftest (confirm).
    """
    mock_hvac_client.return_value = hvac_client
    provider = vault.AppRoleVaultSecrets()

    client = provider.get_client()

    # The returned client is the one stored on the instance.
    assert client == hvac_client
    assert provider.client == hvac_client
    # The client is constructed exactly once, with the derived kwargs.
    mock_hvac_client.assert_called_once_with(**provider.as_hvac_client_kwargs())
    # AppRole login receives the ids taken from the environment.
    hvac_client.auth.approle.login.assert_called_once_with(
        role_id='test_role_id',
        secret_id='test_secret_id',
    )


@mock.patch.dict(os.environ, _APPROLE_ENV)
def test_get_client_cache_hit(mock_hvac_client: mock.Mock, hvac_client: mock.Mock):
    """With a client already set, ``get_client()`` reuses it.

    ``mock_hvac_client`` and ``hvac_client`` are not defined in this file;
    presumably they are pytest fixtures supplied by a conftest (confirm).
    """
    provider = vault.AppRoleVaultSecrets()
    provider.client = hvac_client

    client = provider.get_client()

    assert client == hvac_client
    # No new client may be constructed on a cache hit.
    # NOTE(review): nothing here asserts whether approle.login is invoked
    # again on a cache hit; only client construction is checked.
    mock_hvac_client.assert_not_called()