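use rpki::data_model::ta::{TrustAnchor, TrustAnchorBindError, TrustAnchorError};
use rpki::data_model::tal::Tal;
use url::Url;

/// Every checked-in (TAL, TA certificate) fixture pair must bind, both without a
/// resolved URI and with one of the URIs the TAL itself lists.
///
/// Each fixture is named in the panic message on failure so a stale or
/// regenerated fixture can be identified without bisecting the `cases` table.
/// When the TAL lists an https URI that one is used as the "resolved" location
/// (the transport a fetcher would normally use); otherwise the first listed URI.
#[test]
fn bind_trust_anchor_with_downloaded_fixtures_succeeds() {
    let cases = [
        (
            "tests/fixtures/tal/afrinic.tal",
            "tests/fixtures/ta/afrinic-ta.cer",
        ),
        (
            "tests/fixtures/tal/apnic-rfc7730-https.tal",
            "tests/fixtures/ta/apnic-ta.cer",
        ),
        (
            "tests/fixtures/tal/arin.tal",
            "tests/fixtures/ta/arin-ta.cer",
        ),
        (
            "tests/fixtures/tal/lacnic.tal",
            "tests/fixtures/ta/lacnic-ta.cer",
        ),
        (
            "tests/fixtures/tal/ripe-ncc.tal",
            "tests/fixtures/ta/ripe-ncc-ta.cer",
        ),
    ];

    for (tal_path, ta_path) in cases {
        let tal_raw = std::fs::read(tal_path)
            .unwrap_or_else(|e| panic!("read TAL fixture {}: {}", tal_path, e));
        let tal = Tal::decode_bytes(&tal_raw)
            .unwrap_or_else(|e| panic!("decode TAL fixture {}: {:?}", tal_path, e));
        let ta_der = std::fs::read(ta_path)
            .unwrap_or_else(|e| panic!("read TA fixture {}: {}", ta_path, e));

        // No resolved URI: only the TAL-SPKI / certificate binding is checked.
        TrustAnchor::bind_der(tal.clone(), &ta_der, None)
            .unwrap_or_else(|e| panic!("bind {} without resolved uri: {:?}", tal_path, e));

        // Also exercise the resolved-uri-in-TAL check using one URI from the TAL
        // list; prefer https when the TAL offers it.
        let resolved = tal
            .ta_uris
            .iter()
            .find(|u| u.scheme() == "https")
            .or_else(|| tal.ta_uris.first())
            .unwrap_or_else(|| panic!("TAL fixture {} lists no TA URIs", tal_path))
            .clone();
        TrustAnchor::bind_der(tal, &ta_der, Some(&resolved))
            .unwrap_or_else(|e| panic!("bind {} with resolved uri {}: {:?}", tal_path, resolved, e));
    }
}

/// A TAL whose embedded SPKI does not match the certificate's SPKI must be
/// rejected with `TalSpkiMismatch`.
///
/// The tampering flips the *last* byte of the SPKI DER rather than the first:
/// the first byte is the outer SEQUENCE tag, and corrupting it would exercise
/// DER parsing of the TAL (whatever error that yields) instead of the key
/// comparison this test is meant to pin. The untampered pair is bound first so
/// that a rejection is attributable to the flip and not to a stale fixture.
#[test]
fn bind_rejects_spki_mismatch() {
    let tal_raw = std::fs::read("tests/fixtures/tal/ripe-ncc.tal").expect("read TAL fixture");
    let mut tal = Tal::decode_bytes(&tal_raw).expect("decode TAL fixture");
    let ta_der = std::fs::read("tests/fixtures/ta/ripe-ncc-ta.cer").expect("read TA fixture");

    // Precondition: the fixture pair is consistent before we tamper with it.
    TrustAnchor::bind_der(tal.clone(), &ta_der, None).expect("untampered fixture binds");

    // Flip one bit of key material (last byte of the SPKI DER) to force a mismatch
    // while leaving the DER structure intact.
    let last = tal
        .subject_public_key_info_der
        .last_mut()
        .expect("TAL SPKI is non-empty");
    *last ^= 0x01;

    assert!(matches!(
        TrustAnchor::bind_der(tal, &ta_der, None),
        Err(TrustAnchorError::Bind(TrustAnchorBindError::TalSpkiMismatch))
    ));
}

/// When the caller reports the URI the TA certificate was actually fetched
/// from, that URI must be one the TAL lists; any other location is rejected
/// with `ResolvedUriNotInTal`. (Presumably this is what keeps a redirected or
/// misconfigured fetch from binding a certificate obtained from an unlisted
/// location — the check itself is what is pinned here.)
///
/// The test first asserts that the probe URI really is absent from the fixture
/// TAL, so the negative assertion cannot silently test the wrong thing if the
/// fixture is ever regenerated.
#[test]
fn bind_rejects_resolved_uri_not_listed_in_tal() {
    let tal_raw = std::fs::read("tests/fixtures/tal/afrinic.tal").expect("read TAL fixture");
    let tal = Tal::decode_bytes(&tal_raw).expect("decode TAL fixture");
    let ta_der = std::fs::read("tests/fixtures/ta/afrinic-ta.cer").expect("read TA fixture");

    let bad = Url::parse("https://example.invalid/not-in-tal.cer").unwrap();
    assert!(
        !tal.ta_uris.iter().any(|u| u == &bad),
        "fixture TAL unexpectedly lists the probe URI"
    );

    assert!(matches!(
        TrustAnchor::bind_der(tal, &ta_der, Some(&bad)),
        Err(TrustAnchorError::Bind(TrustAnchorBindError::ResolvedUriNotInTal(_)))
    ));
}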