"""task-2370 P2 — anu_confirm_bot signer 검증."""
import sys
from pathlib import Path
sys.path.insert(0, str(Path(__file__).resolve().parents[2]))

import time
from scripts.anu_confirm_bot.signer import sign_callback, verify_callback  # pyright: ignore[reportMissingImports]

SECRET = "test_secret_key"


def test_roundtrip_approve():
    cb = sign_callback("a", 2370, 99, int(time.time()) + 300, SECRET)
    v = verify_callback(cb, SECRET)
    assert v["ok"] is True
    assert v["action"] == "a"
    assert v["task_num"] == 2370
    assert v["pr_num"] == 99


def test_roundtrip_reject():
    cb = sign_callback("r", 2370, 99, int(time.time()) + 300, SECRET)
    v = verify_callback(cb, SECRET)
    assert v["ok"] is True and v["action"] == "r"


def test_roundtrip_diff():
    cb = sign_callback("d", 2370, 99, int(time.time()) + 300, SECRET)
    v = verify_callback(cb, SECRET)
    assert v["ok"] is True and v["action"] == "d"


def test_wrong_secret_rejected():
    cb = sign_callback("a", 2370, 99, int(time.time()) + 300, SECRET)
    v = verify_callback(cb, "wrong_secret")
    assert v["ok"] is False
    assert v["reason"] == "signature"


def test_expired_callback_rejected():
    cb = sign_callback("a", 2370, 99, int(time.time()) - 10, SECRET)
    v = verify_callback(cb, SECRET)
    assert v["ok"] is False
    assert v["reason"] == "expired"


def test_unknown_action_rejected():
    # 직접 위조: action='x'
    payload = "x:2370:99:9999999999"
    import hmac, hashlib, base64
    mac = hmac.new(SECRET.encode(), payload.encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:8]
    forged = f"{payload}:{sig}"
    v = verify_callback(forged, SECRET)
    assert v["ok"] is False
    assert v["reason"] == "unknown_action"


def test_malformed_format_rejected():
    v = verify_callback("not:valid:data", SECRET)
    assert v["ok"] is False
    assert v["reason"] == "format"


def test_tampered_payload_rejected():
    # 정상 서명 후 task_num만 변조 (대표적 replay 시나리오)
    cb = sign_callback("a", 2370, 99, int(time.time()) + 300, SECRET)
    parts = cb.split(":")
    parts[1] = "9999"  # task_num 변조
    tampered = ":".join(parts)
    v = verify_callback(tampered, SECRET)
    assert v["ok"] is False
    assert v["reason"] == "signature"