# edited by glg
import hashlib

import pytest

from pypos.modules.auth.config import auth_config
from pypos.modules.auth.services.auth_service import AuthService
from pypos.modules.auth.services.master_password_service import MasterPasswordService


pytestmark = [pytest.mark.unit]


def test_master_password_hash_empty_when_not_configured(monkeypatch):
    monkeypatch.setattr(auth_config, "read_app_settings", lambda: {})
    # edited by glg
    # Strict mode: hash master password harus selalu dev-only-secret.
    assert auth_config.get_master_password_hash() == hashlib.sha256("dev-only-secret".encode()).hexdigest()


def test_master_password_hash_legacy_when_toggle_enabled(monkeypatch):
    monkeypatch.setattr(
        auth_config,
        "read_app_settings",
        lambda: {"master_password_allow_legacy_default": 1},
    )
    # edited by glg
    # Toggle legacy diabaikan, strict mode tetap dev-only-secret.
    assert auth_config.get_master_password_hash() == hashlib.sha256("dev-only-secret".encode()).hexdigest()


def test_master_password_hash_not_fallback_when_require_configured_off(monkeypatch):
    monkeypatch.setattr(
        auth_config,
        "read_app_settings",
        lambda: {"master_password_require_configured_hash": 0},
    )
    assert auth_config.get_master_password_hash() == hashlib.sha256("dev-only-secret".encode()).hexdigest()


def test_master_password_hash_uses_fallback_seed(monkeypatch):
    monkeypatch.setattr(
        auth_config,
        "read_app_settings",
        lambda: {"master_password_fallback_seed": "seed-kuat-001"},
    )
    # edited by glg
    # Fallback seed diabaikan saat strict mode aktif permanen.
    assert auth_config.get_master_password_hash() == hashlib.sha256("dev-only-secret".encode()).hexdigest()


def test_master_password_service_accepts_dev_only_secret():
    service = MasterPasswordService()
    ok, reason = service.verify_with_reason("dev-only-secret")
    assert ok is True
    assert reason == "ok"


def test_auth_service_accepts_md5_password():
    md5_hash = hashlib.md5("rahasia".encode()).hexdigest()
    ok, upgraded = AuthService.verify_and_upgrade("rahasia", md5_hash)
    assert ok is True
    assert upgraded is None


def test_auth_service_accepts_md5_uppercase_hash():
    md5_hash = hashlib.md5("rahasia".encode()).hexdigest().upper()
    ok, upgraded = AuthService.verify_and_upgrade("rahasia", md5_hash)
    assert ok is True
    assert upgraded is None


def test_auth_service_rejects_non_md5_hash():
    ok, upgraded = AuthService.verify_and_upgrade("rahasia", "not-a-md5-hash")
    assert ok is False
    assert upgraded is None


def test_auth_service_hash_password_returns_md5():
    md5_hash = hashlib.md5("rahasia".encode()).hexdigest()
    assert AuthService.hash_password("rahasia") == md5_hash


def test_master_password_service_reason_not_configured(monkeypatch):
    monkeypatch.setattr(
        "pypos.modules.auth.services.master_password_service.get_master_password_hash",
        lambda: "",
    )
    service = MasterPasswordService()
    ok, reason = service.verify_with_reason("abc")
    assert ok is False
    assert reason == "not_configured"