package nebula

import (
	"bytes"
	"errors"
	"net"
	"testing"
)

var (
	ip                     net.IP
	ipNet                  *net.IPNet
	caCredsA, caCredsB     CACredentials
	hostCredsA, hostCredsB HostCredentials
)

func init() {
	var err error

	ip, ipNet, err = net.ParseCIDR("192.168.0.1/24")
	if err != nil {
		panic(err)
	}

	caCredsA, err = NewCACredentials("a.example.com", ipNet)
	if err != nil {
		panic(err)
	}

	caCredsB, err = NewCACredentials("b.example.com", ipNet)
	if err != nil {
		panic(err)
	}

	hostCredsA, err = NewHostCredentials(caCredsA, "foo", ip)
	if err != nil {
		panic(err)
	}

	hostCredsB, err = NewHostCredentials(caCredsB, "bar", ip)
	if err != nil {
		panic(err)
	}

}

func TestSignAndWrap(t *testing.T) {

	b := []byte("foo bar baz")
	buf := new(bytes.Buffer)

	if err := SignAndWrap(buf, hostCredsA.SigningPrivateKeyPEM, b); err != nil {
		t.Fatal(err)
	}

	gotB, gotSig, err := Unwrap(buf)
	if err != nil {
		t.Fatal(err)

	} else if !bytes.Equal(b, gotB) {
		t.Fatalf("got %q but expected %q", gotB, b)
	}

	if err := ValidateSignature(hostCredsA.Public.SigningKeyPEM, b, gotSig); err != nil {
		t.Fatal(err)
	}

	if err := ValidateSignature(hostCredsB.Public.SigningKeyPEM, b, gotSig); !errors.Is(err, ErrInvalidSignature) {
		t.Fatalf("expected ErrInvalidSignature but got %v", err)
	}
}