package dehub

import (
	"dehub.dev/src/dehub.git/sigcred"
	"testing"

	"gopkg.in/src-d/go-git.v4/plumbing"
	yaml "gopkg.in/yaml.v2"
)

func TestCredentialCommitVerify(t *testing.T) {
	h := newHarness(t)

	// create a new account and modify the config so that that account is only
	// allowed to add verifications to a single branch
	tootSig, tootPubKeyBody := sigcred.SignifierPGPTmp("toot", h.rand)
	h.cfg.Accounts = append(h.cfg.Accounts, Account{
		ID: "toot",
		Signifiers: []sigcred.Signifier{{PGPPublicKey: &sigcred.SignifierPGP{
			Body: string(tootPubKeyBody),
		}}},
	})

	tootBranch := plumbing.NewBranchReferenceName("toot_branch")

	err := yaml.Unmarshal([]byte(`
- action: allow
  filters:
  - type: branch
    pattern: `+tootBranch.Short()+`
  - type: signature
    count: 1
    account_ids:
    - root
    - toot

- action: allow
  filters:
  - type: signature
    count: 1
    account_ids:
    - root

- action: deny
`), &h.cfg.AccessControls)
	if err != nil {
		t.Fatal(err)
	}
	h.stageCfg()
	rootGitCommit := h.changeCommit("initial commit", h.cfg.Accounts[0].ID, h.sig)

	// toot user wants to create a credential commit for the root commit, for
	// whatever reason.
	rootChangeHash := rootGitCommit.Commit.Change.ChangeHash
	credCommit, err := h.repo.NewCommitCredential(rootChangeHash)
	if err != nil {
		t.Fatalf("creating credential commit for hash %x: %v", rootChangeHash, err)

	}
	h.tryCommit(false, credCommit, "toot", tootSig)

	// toot tries again in their own branch, and should be allowed.
	h.checkout(tootBranch)
	h.tryCommit(true, credCommit, "toot", tootSig)
}