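"""Unit tests for authentication module."""

import pytest
from unittest.mock import patch, MagicMock


class TestCreateDefaultAdmin:
    """Tests for the create_default_admin function.

    Each test replaces ``app.auth.get_settings`` with a mock settings object
    and hands ``create_default_admin`` a ``MagicMock`` database session, so
    the assertions only cover what the function passes to ``db.add()``.
    """

    @staticmethod
    def _settings_with_password(password):
        """Return mock settings whose ``admin_password`` is *password*."""
        mock_settings = MagicMock()
        mock_settings.admin_password = password
        return mock_settings

    @staticmethod
    def _db_with_user_count(count):
        """Return ``(mock_db, added)`` for a session reporting *count* users.

        ``added`` collects, in order, every object passed to ``mock_db.add``
        so a test can inspect the user the function tried to persist.
        """
        mock_db = MagicMock()
        mock_db.query.return_value.count.return_value = count
        added = []
        mock_db.add.side_effect = added.append
        return mock_db, added

    def test_create_default_admin_with_env_password(self):
        """Test that ORCHARD_ADMIN_PASSWORD env var sets admin password."""
        from app.auth import create_default_admin, verify_password

        custom_password = "my-custom-password-123"
        mock_settings = self._settings_with_password(custom_password)
        mock_db, added = self._db_with_user_count(0)  # No existing users

        with patch("app.auth.get_settings", return_value=mock_settings):
            create_default_admin(mock_db)

        # Verify the user was created
        assert mock_db.add.called
        assert added
        created_user = added[-1]
        assert created_user is not None
        assert created_user.username == "admin"
        assert created_user.is_admin is True

        # Password should NOT require change when set via env var
        assert created_user.must_change_password is False

        # The stored value must be a verifier for the password, never the
        # password itself: a plaintext column would still satisfy a naive
        # equality-based verify, so check both directions.
        assert created_user.password_hash != custom_password
        assert verify_password(custom_password, created_user.password_hash)

    def test_create_default_admin_with_default_password(self):
        """Test that default password 'changeme123' is used when env var not set."""
        from app.auth import create_default_admin, verify_password

        default_password = "changeme123"
        # Empty admin_password is the "not configured" case.
        mock_settings = self._settings_with_password("")
        mock_db, added = self._db_with_user_count(0)  # No existing users

        with patch("app.auth.get_settings", return_value=mock_settings):
            create_default_admin(mock_db)

        # Verify the user was created
        assert mock_db.add.called
        assert added
        created_user = added[-1]
        assert created_user is not None
        assert created_user.username == "admin"
        assert created_user.is_admin is True

        # The fallback credential is a fixed, well-known value, so the forced
        # change flag is the control that keeps it from staying in service.
        # This assertion is the regression guard for that control.
        assert created_user.must_change_password is True

        # Verify default password was used, and that it was stored hashed
        assert created_user.password_hash != default_password
        assert verify_password(default_password, created_user.password_hash)

    def test_create_default_admin_skips_when_users_exist(self):
        """Test that no admin is created when users already exist."""
        from app.auth import create_default_admin

        mock_settings = self._settings_with_password("some-password")
        mock_db, added = self._db_with_user_count(1)  # Users exist

        with patch("app.auth.get_settings", return_value=mock_settings):
            result = create_default_admin(mock_db)

        # Should return None and not create any user: bootstrapping an admin
        # into a populated user table would add an unexpected privileged
        # account.
        assert result is None
        assert not mock_db.add.called
        assert not added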