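import { describe, test } from 'node:test';
import assert from 'node:assert';
import { ApiSecurityPolicy } from '../src/security/policy/ApiSecurityPolicy.js';
import { Permit, Session, User } from '../src/security/model/index.js';
import { SECURITY_RIGHTS } from '../src/security/model/rights.js';

/**
 * Builds a single 'allow' read permit on /app for one principal.
 * Every case below differs only in the principal, so the permit shape is
 * kept identical here to make that the sole variable.
 *
 * @param {'user'|'role'} principalType - kind of principal the permit names
 * @param {string} principalId - user id or role id the permit is granted to
 * @returns {Permit}
 */
function allowReadOnApp(principalType, principalId) {
  return new Permit({
    principal_type: principalType,
    principal_id: principalId,
    resource_path: '/app',
    effect: 'allow',
    rights: SECURITY_RIGHTS.read,
  });
}

describe('ApiSecurityPolicy permit evaluation', () => {
  test('evaluateSync matches permits by principal, not path alone', () => {
    // Same subject ('user-1', holding 'role-a'), same action and same path for
    // every case: only the permit's principal changes, so any difference in
    // outcome is attributable to principal matching.
    const policy = new ApiSecurityPolicy({});
    policy.cache.user = new User({ id: 'user-1', role_ids: ['role-a'] });
    policy.cache.session = new Session({ jwt_token: 'jwt-test' });

    const evaluate = () => policy.evaluateSync('user-1', 'read', '/app');

    // A permit for a different user on the same path must not grant access.
    policy.cache.permits = [allowReadOnApp('user', 'other-user')];
    assert.strictEqual(evaluate().allowed, false, 'permit for another user must not apply');

    // A role permit for a role the subject does not hold must not apply
    // either. A policy that honoured any role permit found on the path would
    // still pass the positive role case below; this is the case that catches it.
    policy.cache.permits = [allowReadOnApp('role', 'role-b')];
    assert.strictEqual(evaluate().allowed, false, 'permit for a role the user lacks must not apply');

    // Direct permit for the subject grants access.
    policy.cache.permits = [allowReadOnApp('user', 'user-1')];
    assert.strictEqual(evaluate().allowed, true, 'direct user permit must apply');

    // Permit on one of the subject's roles grants access.
    policy.cache.permits = [allowReadOnApp('role', 'role-a')];
    assert.strictEqual(evaluate().allowed, true, 'permit on a held role must apply');

    // Not covered here: 'deny' effects competing with 'allow', rights other
    // than read (e.g. a 'write' request against a read-only permit), and
    // path-hierarchy matching. Those need their own tests.
  });
});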