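"""Tests for the environment-driven authentication switches in ``src.auth``.

Covered here: the ``DEV_AUTH_BYPASS`` development switch, the synthetic
claims returned for the development user, the ``AUTH_ALLOWED_DOMAINS``
e-mail domain allow-list, and rejection of an empty bearer token.
Every test sets or clears the variables it depends on through
``monkeypatch`` so the result does not depend on the invoking shell.
"""
import os

import pytest

from src import auth


def test_dev_bypass_disabled_by_default(monkeypatch):
    """With DEV_AUTH_BYPASS unset, the bypass must report as disabled."""
    monkeypatch.delenv("DEV_AUTH_BYPASS", raising=False)
    assert auth.dev_bypass_enabled() is False


def test_dev_bypass_enabled(monkeypatch):
    """Both "true" and "1" switch the development bypass on."""
    for enabling_value in ("true", "1"):
        monkeypatch.setenv("DEV_AUTH_BYPASS", enabling_value)
        assert auth.dev_bypass_enabled() is True
    # NOTE(review): nothing here pins how "false", "0", "" or an unexpected
    # string is treated. For a switch that turns authentication off, a test
    # asserting those values leave the bypass disabled would be worth adding
    # once the intended parsing is confirmed against src.auth.


def test_dev_user_claims_shape():
    """The development user's claims expose the expected e-mail and name."""
    claims = auth.dev_user_claims()
    assert claims["_email"] == "dev@oliver.agency"
    assert claims["_name"] == "Dev User"


def test_check_domain_allows_when_no_allow_list(monkeypatch):
    """Without AUTH_ALLOWED_DOMAINS, any e-mail domain is accepted."""
    monkeypatch.delenv("AUTH_ALLOWED_DOMAINS", raising=False)
    # This pins a fail-open default: an unset allow-list means no domain
    # restriction at all. Passing is simply "no exception raised".
    # NOTE(review): confirm deployments always set AUTH_ALLOWED_DOMAINS.
    auth._check_domain("anyone@example.com")


def test_check_domain_allows_listed(monkeypatch):
    """Addresses in any of the comma-separated allowed domains pass."""
    monkeypatch.setenv("AUTH_ALLOWED_DOMAINS", "oliver.agency,oliver.com")
    auth._check_domain("alice@oliver.agency")
    auth._check_domain("bob@oliver.com")


def test_check_domain_rejects_unlisted(monkeypatch):
    """An address outside the allow-list raises AuthError with status 403."""
    monkeypatch.setenv("AUTH_ALLOWED_DOMAINS", "oliver.agency")
    with pytest.raises(auth.AuthError) as exc:
        auth._check_domain("intruder@evil.com")
    # Checked after the ``with`` block: a statement placed after the raising
    # call inside the block would never execute.
    assert exc.value.status_code == 403
    # NOTE(review): only a wholly unrelated domain is exercised. Case
    # differences, whitespace around list entries, and addresses whose domain
    # merely contains an allowed domain are not pinned by any test here.


def test_validate_bearer_token_rejects_empty(monkeypatch):
    """An empty bearer token is rejected with AuthError."""
    # Whether validate_bearer_token consults the bypass switch is not visible
    # from this file; clearing it keeps the outcome independent of a
    # DEV_AUTH_BYPASS value inherited from the environment running the tests.
    monkeypatch.delenv("DEV_AUTH_BYPASS", raising=False)
    # Placeholder tenant and client identifiers, not real Azure values.
    monkeypatch.setenv("AZURE_TENANT_ID", "00000000-0000-0000-0000-000000000000")
    monkeypatch.setenv("AZURE_CLIENT_ID", "11111111-1111-1111-1111-111111111111")
    with pytest.raises(auth.AuthError):
        auth.validate_bearer_token("")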