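package security

import (
	"path/filepath"
	"testing"
	"time"
)

// TestGuardWhitelistSupportsIPAndCIDR checks that Reload accepts both single
// addresses and CIDR ranges in the general and admin whitelists, and that
// addresses outside the configured entries are not matched.
func TestGuardWhitelistSupportsIPAndCIDR(t *testing.T) {
	g := NewGuard()
	cfg := Config{
		IPWhitelist:      "203.0.113.10,10.0.0.0/8",
		AdminIPWhitelist: "192.168.1.0/24",
	}
	if err := g.Reload(cfg); err != nil {
		t.Fatalf("Reload returned error: %v", err)
	}

	if !g.IsWhitelisted("203.0.113.10") || !g.IsWhitelisted("10.2.3.4") {
		t.Fatal("expected IP and CIDR entries to match")
	}
	if !g.IsAdminWhitelisted("192.168.1.5") {
		t.Fatal("expected admin CIDR whitelist match")
	}

	// Positive matches alone would also pass against a matcher that fails
	// open, so pin the negative side: a neighbour of the exact-IP entry and
	// addresses just outside each CIDR must be rejected.
	// NOTE(review): assumes Guard has no built-in default whitelist entries
	// covering these addresses — confirm against NewGuard's defaults.
	for _, ip := range []string{"203.0.113.11", "11.0.0.1"} {
		if g.IsWhitelisted(ip) {
			t.Fatalf("expected %s to be outside the IP whitelist", ip)
		}
	}
	if g.IsAdminWhitelisted("192.168.2.5") {
		t.Fatal("expected 192.168.2.5 to be outside the admin whitelist")
	}
}

// TestGuardBanPersistenceAcrossRestart bans an address on one Guard backed by
// an on-disk store, closes it, and verifies that a second Guard opened on the
// same path still reports the address as banned.
func TestGuardBanPersistenceAcrossRestart(t *testing.T) {
	dir := filepath.Join(t.TempDir(), "bans.badger")

	g1 := NewGuard()
	if err := g1.EnableBanPersistence(dir); err != nil {
		t.Fatalf("EnableBanPersistence returned error: %v", err)
	}
	g1.Ban("198.51.100.4", 3600)
	// Close before reopening so the second Guard reads what was written to
	// disk rather than sharing live state with the first.
	if err := g1.Close(); err != nil {
		t.Fatalf("Close returned error: %v", err)
	}

	g2 := NewGuard()
	if err := g2.EnableBanPersistence(dir); err != nil {
		t.Fatalf("EnableBanPersistence returned error: %v", err)
	}
	// Report a failing Close instead of discarding it; a store that cannot
	// shut down cleanly is itself a persistence problem.
	t.Cleanup(func() {
		if err := g2.Close(); err != nil {
			t.Errorf("Close returned error: %v", err)
		}
	})

	if !g2.IsBanned("198.51.100.4") {
		t.Fatal("expected ban to persist across guard restart")
	}
}

// TestGuardBanListPrunesExpired records a ban whose expiry is already in the
// past and verifies that it is neither reported by IsBanned nor returned by
// BanList.
func TestGuardBanListPrunesExpired(t *testing.T) {
	g := NewGuard()
	expired := time.Now().UTC().Add(-time.Minute)
	g.BanUntil("198.51.100.7", expired)

	if g.IsBanned("198.51.100.7") {
		t.Fatal("expected expired ban to be treated as inactive")
	}
	if len(g.BanList()) != 0 {
		t.Fatal("expected BanList to prune expired entries")
	}
}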