package dehub

import (
	"testing"

	"gopkg.in/src-d/go-git.v4/plumbing"
)

func TestPayloadCredentialVerify(t *testing.T) {
	h := newHarness(t)
	rootSig := h.stageNewAccount("root", false)

	// create a new account and modify the config so that that account is only
	// allowed to add verifications to a single branch
	tootSig := h.stageNewAccount("toot", false)
	tootBranch := plumbing.NewBranchReferenceName("toot_branch")
	h.stageAccessControls(`
- action: allow
  filters:
  - type: branch
    pattern: ` + tootBranch.Short() + `
  - type: signature
    count: 1
    account_ids:
    - root
    - toot

- action: allow
  filters:
  - type: signature
    count: 1
    account_ids:
    - root
`)
	rootGitCommit := h.assertCommitChange(verifyShouldSucceed, "initial commit", rootSig)

	// toot user wants to create a credential commit for the root commit, for
	// whatever reason.
	rootChangeFingerprint := rootGitCommit.Payload.Common.Fingerprint
	credCommitPayUn, err := h.proj.NewPayloadCredential(rootChangeFingerprint)
	if err != nil {
		t.Fatalf("creating credential commit for fingerprint %x: %v", rootChangeFingerprint, err)

	}
	h.tryCommit(verifyShouldFail, credCommitPayUn, tootSig)

	// toot tries again in their own branch, and should be allowed.
	h.checkout(tootBranch)
	h.tryCommit(verifyShouldSucceed, credCommitPayUn, tootSig)
}