Authorization/services/authorize_test.go

package services

import (
	"authorization/db"
	"authorization/models"
	"errors"
	"testing"
	"time"

	"github.com/DATA-DOG/go-sqlmock"
)

func setupMockDB(t *testing.T) (sqlmock.Sqlmock, func()) {
	mockDB, mock, err := sqlmock.New()
	if err != nil {
		t.Fatalf("Failed to create mock database: %v", err)
	}

	originalDB := db.DB
	db.DB = mockDB

	cleanup := func() {
		db.DB = originalDB
		mockDB.Close()
	}

	return mock, cleanup
}

func TestAuthorize_PermissionNotFound(t *testing.T) {
	mock, cleanup := setupMockDB(t)
	defer cleanup()

	ctx := &models.AuthorizationContext{
		UserID:       "user123",
		Resource:     "nonexistent",
		Action:       "read",
		ResourceData: make(map[string]string),
		Environment:  make(map[string]string),
	}

	// Mock user query
	userRows := sqlmock.NewRows([]string{"user_id", "first_name", "middle_initial", "last_name", "suffix", "email_address",
		"account_type", "emp_id", "reg", "prov", "aProv", "mun", "bgy", "is_logged_in",
		"first_logged_in", "address", "contact_number", "device_id", "role_id",
		"role_dps", "is_deleted", "secret_key", "is_activated", "created_at", "updated_at"}).
		AddRow("user123", "John", "", "Doe", "", "john@example.com",
			"regular", "EMP123", "01", "001", "001", "01", "001", "Y",
			"Y", "123 Street", "09123456789", "device1", 1,
			0, "N", "secret", "Y", time.Now(), time.Now())

	mock.ExpectQuery("SELECT user_id, first_name, middle_initial, last_name, suffix, email_address").
		WithArgs("user123").
		WillReturnRows(userRows)

	// Mock permission query with role check
	mock.ExpectQuery("SELECT p.id, p.permission_name, p.description, p.resource, p.action FROM permissions p INNER JOIN role_permissions rp").
		WithArgs("nonexistent", "read", 1).
		WillReturnError(errors.New("permission not found"))

	result, err := Authorize(ctx)

	if err != nil {
		t.Errorf("Expected no error, got %v", err)
	}
	if result.Allowed {
		t.Error("Expected access denied")
	}
	if result.Message == "" {
		t.Error("Expected error message")
	}
}

func TestAuthorize_Success(t *testing.T) {
	mock, cleanup := setupMockDB(t)
	defer cleanup()

	ctx := &models.AuthorizationContext{
		UserID:       "user123",
		Resource:     "document",
		Action:       "read",
		ResourceData: make(map[string]string),
		Environment:  make(map[string]string),
	}

	// Mock user query
	userRows := sqlmock.NewRows([]string{"user_id", "first_name", "middle_initial", "last_name", "suffix", "email_address",
		"account_type", "emp_id", "reg", "prov", "aProv", "mun", "bgy", "is_logged_in",
		"first_logged_in", "address", "contact_number", "device_id", "role_id",
		"role_dps", "is_deleted", "secret_key", "is_activated", "created_at", "updated_at"}).
		AddRow("user123", "John", "", "Doe", "", "john@example.com",
			"regular", "EMP123", "01", "001", "001", "01", "001", "Y",
			"Y", "123 Street", "09123456789", "device1", 1,
			0, "N", "secret", "Y", time.Now(), time.Now())

	mock.ExpectQuery("SELECT user_id, first_name, middle_initial, last_name, suffix, email_address").
		WithArgs("user123").
		WillReturnRows(userRows)

	// Mock permission query with role check
	permRows := sqlmock.NewRows([]string{"id", "permission_name", "description", "resource", "action"}).
		AddRow(1, "read_document", "Read document permission", "document", "read")

	mock.ExpectQuery("SELECT p.id, p.permission_name, p.description, p.resource, p.action FROM permissions p INNER JOIN role_permissions rp").
		WithArgs("document", "read", 1).
		WillReturnRows(permRows)

	// Mock user attributes query
	attrRows := sqlmock.NewRows([]string{"attribute_name", "attribute_value"}).
		AddRow("department", "engineering")

	mock.ExpectQuery("SELECT attribute_name, attribute_value FROM user_attributes WHERE user_id = \\?").
		WithArgs("user123").
		WillReturnRows(attrRows)

	// Mock policy attributes query (empty for this test)
	policyRows := sqlmock.NewRows([]string{"id", "attribute_name", "attribute_type", "comparison", "attribute_value", "permission_id"})

	mock.ExpectQuery("SELECT id, attribute_name, attribute_type, comparison, attribute_value, permission_id FROM policy_attributes WHERE permission_id = \\?").
		WithArgs(1).
		WillReturnRows(policyRows)

	result, err := Authorize(ctx)

	if err != nil {
		t.Errorf("Expected no error, got %v", err)
	}
	if !result.Allowed {
		t.Error("Expected access granted")
	}
	if result.Message != "Access granted" {
		t.Errorf("Expected 'Access granted', got '%s'", result.Message)
	}
}

func TestAuthorize_UserAttributesError(t *testing.T) {
	mock, cleanup := setupMockDB(t)
	defer cleanup()

	ctx := &models.AuthorizationContext{
		UserID:       "user123",
		Resource:     "document",
		Action:       "read",
		ResourceData: make(map[string]string),
		Environment:  make(map[string]string),
	}

	// Mock user query
	userRows := sqlmock.NewRows([]string{"user_id", "first_name", "middle_initial", "last_name", "suffix", "email_address",
		"account_type", "emp_id", "reg", "prov", "aProv", "mun", "bgy", "is_logged_in",
		"first_logged_in", "address", "contact_number", "device_id", "role_id",
		"role_dps", "is_deleted", "secret_key", "is_activated", "created_at", "updated_at"}).
		AddRow("user123", "John", "", "Doe", "", "john@example.com",
			"regular", "EMP123", "01", "001", "001", "01", "001", "Y",
			"Y", "123 Street", "09123456789", "device1", 1,
			0, "N", "secret", "Y", time.Now(), time.Now())

	mock.ExpectQuery("SELECT user_id, first_name, middle_initial, last_name, suffix, email_address").
		WithArgs("user123").
		WillReturnRows(userRows)

	// Mock permission query with role check
	permRows := sqlmock.NewRows([]string{"id", "permission_name", "description", "resource", "action"}).
		AddRow(1, "read_document", "Read document permission", "document", "read")

	mock.ExpectQuery("SELECT p.id, p.permission_name, p.description, p.resource, p.action FROM permissions p INNER JOIN role_permissions rp").
		WithArgs("document", "read", 1).
		WillReturnRows(permRows)

	// Mock user attributes query with error
	mock.ExpectQuery("SELECT attribute_name, attribute_value FROM user_attributes WHERE user_id = \\?").
		WithArgs("user123").
		WillReturnError(errors.New("database error"))

	result, err := Authorize(ctx)

	if err == nil {
		t.Error("Expected error for user attributes failure")
	}
	if result.Allowed {
		t.Error("Expected access denied")
	}
}

func TestAuthorize_PolicyAttributesError(t *testing.T) {
	mock, cleanup := setupMockDB(t)
	defer cleanup()

	ctx := &models.AuthorizationContext{
		UserID:       "user123",
		Resource:     "document",
		Action:       "read",
		ResourceData: make(map[string]string),
		Environment:  make(map[string]string),
	}

	// Mock user query
	userRows := sqlmock.NewRows([]string{"user_id", "first_name", "middle_initial", "last_name", "suffix", "email_address",
		"account_type", "emp_id", "reg", "prov", "aProv", "mun", "bgy", "is_logged_in",
		"first_logged_in", "address", "contact_number", "device_id", "role_id",
		"role_dps", "is_deleted", "secret_key", "is_activated", "created_at", "updated_at"}).
		AddRow("user123", "John", "", "Doe", "", "john@example.com",
			"regular", "EMP123", "01", "001", "001", "01", "001", "Y",
			"Y", "123 Street", "09123456789", "device1", 1,
			0, "N", "secret", "Y", time.Now(), time.Now())

	mock.ExpectQuery("SELECT user_id, first_name, middle_initial, last_name, suffix, email_address").
		WithArgs("user123").
		WillReturnRows(userRows)

	// Mock permission query with role check
	permRows := sqlmock.NewRows([]string{"id", "permission_name", "description", "resource", "action"}).
		AddRow(1, "read_document", "Read document permission", "document", "read")

	mock.ExpectQuery("SELECT p.id, p.permission_name, p.description, p.resource, p.action FROM permissions p INNER JOIN role_permissions rp").
		WithArgs("document", "read", 1).
		WillReturnRows(permRows)

	// Mock user attributes query
	attrRows := sqlmock.NewRows([]string{"attribute_name", "attribute_value"}).
		AddRow("department", "engineering")

	mock.ExpectQuery("SELECT attribute_name, attribute_value FROM user_attributes WHERE user_id = \\?").
		WithArgs("user123").
		WillReturnRows(attrRows)

	// Mock policy attributes query with error
	mock.ExpectQuery("SELECT id, attribute_name, attribute_type, comparison, attribute_value, permission_id FROM policy_attributes WHERE permission_id = \\?").
		WithArgs(1).
		WillReturnError(errors.New("database error"))

	result, err := Authorize(ctx)

	if err == nil {
		t.Error("Expected error for policy attributes failure")
	}
	if result.Allowed {
		t.Error("Expected access denied")
	}
}

func TestCheckPermission_Success(t *testing.T) {
	mock, cleanup := setupMockDB(t)
	defer cleanup()

	// Mock user query
	userRows := sqlmock.NewRows([]string{"user_id", "first_name", "middle_initial", "last_name", "suffix", "email_address",
		"account_type", "emp_id", "reg", "prov", "aProv", "mun", "bgy", "is_logged_in",
		"first_logged_in", "address", "contact_number", "device_id", "role_id",
		"role_dps", "is_deleted", "secret_key", "is_activated", "created_at", "updated_at"}).
		AddRow("user123", "John", "", "Doe", "", "john@example.com",
			"regular", "EMP123", "01", "001", "001", "01", "001", "Y",
			"Y", "123 Street", "09123456789", "device1", 1,
			0, "N", "secret", "Y", time.Now(), time.Now())

	mock.ExpectQuery("SELECT user_id, first_name, middle_initial, last_name, suffix, email_address").
		WithArgs("user123").
		WillReturnRows(userRows)

	// Mock permission query with role check
	permRows := sqlmock.NewRows([]string{"id", "permission_name", "description", "resource", "action"}).
		AddRow(1, "read_document", "Read document permission", "document", "read")

	mock.ExpectQuery("SELECT p.id, p.permission_name, p.description, p.resource, p.action FROM permissions p INNER JOIN role_permissions rp").
		WithArgs("document", "read", 1).
		WillReturnRows(permRows)

	// Mock user attributes query
	attrRows := sqlmock.NewRows([]string{"attribute_name", "attribute_value"}).
		AddRow("department", "engineering")

	mock.ExpectQuery("SELECT attribute_name, attribute_value FROM user_attributes WHERE user_id = \\?").
		WithArgs("user123").
		WillReturnRows(attrRows)

	// Mock policy attributes query
	policyRows := sqlmock.NewRows([]string{"id", "attribute_name", "attribute_type", "comparison", "attribute_value", "permission_id"})

	mock.ExpectQuery("SELECT id, attribute_name, attribute_type, comparison, attribute_value, permission_id FROM policy_attributes WHERE permission_id = \\?").
		WithArgs(1).
		WillReturnRows(policyRows)

	resourceData := map[string]string{"document_id": "123"}
	allowed, message, err := CheckPermission("user123", "document", "read", resourceData)

	if err != nil {
		t.Errorf("Expected no error, got %v", err)
	}
	if !allowed {
		t.Error("Expected access allowed")
	}
	if message != "Access granted" {
		t.Errorf("Expected 'Access granted', got '%s'", message)
	}
}

func TestCheckPermission_Denied(t *testing.T) {
	mock, cleanup := setupMockDB(t)
	defer cleanup()

	// Mock user query
	userRows := sqlmock.NewRows([]string{"user_id", "first_name", "middle_initial", "last_name", "suffix", "email_address",
		"account_type", "emp_id", "reg", "prov", "aProv", "mun", "bgy", "is_logged_in",
		"first_logged_in", "address", "contact_number", "device_id", "role_id",
		"role_dps", "is_deleted", "secret_key", "is_activated", "created_at", "updated_at"}).
		AddRow("user123", "John", "", "Doe", "", "john@example.com",
			"regular", "EMP123", "01", "001", "001", "01", "001", "Y",
			"Y", "123 Street", "09123456789", "device1", 1,
			0, "N", "secret", "Y", time.Now(), time.Now())

	mock.ExpectQuery("SELECT user_id, first_name, middle_initial, last_name, suffix, email_address").
		WithArgs("user123").
		WillReturnRows(userRows)

	// Mock permission query with role check - should fail
	mock.ExpectQuery("SELECT p.id, p.permission_name, p.description, p.resource, p.action FROM permissions p INNER JOIN role_permissions rp").
		WithArgs("document", "read", 1).
		WillReturnError(errors.New("permission not found"))

	resourceData := map[string]string{"document_id": "123"}
	allowed, message, err := CheckPermission("user123", "document", "read", resourceData)

	if err != nil {
		t.Errorf("Expected no error, got %v", err)
	}
	if allowed {
		t.Error("Expected access denied")
	}
	if message == "" {
		t.Error("Expected error message")
	}
}

func TestCheckPermission_NilResourceData(t *testing.T) {
	mock, cleanup := setupMockDB(t)
	defer cleanup()

	// Mock user query
	userRows := sqlmock.NewRows([]string{"user_id", "first_name", "middle_initial", "last_name", "suffix", "email_address",
		"account_type", "emp_id", "reg", "prov", "aProv", "mun", "bgy", "is_logged_in",
		"first_logged_in", "address", "contact_number", "device_id", "role_id",
		"role_dps", "is_deleted", "secret_key", "is_activated", "created_at", "updated_at"}).
		AddRow("user123", "John", "", "Doe", "", "john@example.com",
			"regular", "EMP123", "01", "001", "001", "01", "001", "Y",
			"Y", "123 Street", "09123456789", "device1", 1,
			0, "N", "secret", "Y", time.Now(), time.Now())

	mock.ExpectQuery("SELECT user_id, first_name, middle_initial, last_name, suffix, email_address").
		WithArgs("user123").
		WillReturnRows(userRows)

	// Mock permission query with role check
	permRows := sqlmock.NewRows([]string{"id", "permission_name", "description", "resource", "action"}).
		AddRow(1, "read_document", "Read document permission", "document", "read")

	mock.ExpectQuery("SELECT p.id, p.permission_name, p.description, p.resource, p.action FROM permissions p INNER JOIN role_permissions rp").
		WithArgs("document", "read", 1).
		WillReturnRows(permRows)

	// Mock user attributes query
	attrRows := sqlmock.NewRows([]string{"attribute_name", "attribute_value"})

	mock.ExpectQuery("SELECT attribute_name, attribute_value FROM user_attributes WHERE user_id = \\?").
		WithArgs("user123").
		WillReturnRows(attrRows)

	// Mock policy attributes query
	policyRows := sqlmock.NewRows([]string{"id", "attribute_name", "attribute_type", "comparison", "attribute_value", "permission_id"})

	mock.ExpectQuery("SELECT id, attribute_name, attribute_type, comparison, attribute_value, permission_id FROM policy_attributes WHERE permission_id = \\?").
		WithArgs(1).
		WillReturnRows(policyRows)

	allowed, message, err := CheckPermission("user123", "document", "read", nil)

	if err != nil {
		t.Errorf("Expected no error, got %v", err)
	}
	// Should not panic with nil resourceData
	if !allowed {
		t.Logf("Access denied with message: %s", message)
	}
}