package domain

import "testing"

// TestHydraClient_TrustedRPFlags pins how HydraClient classifies a relying
// party as trusted and when it reports headless login as enabled.
//
// The cases assert three properties of the trust decision:
//   - token endpoint auth method "private_key_jwt" together with key material
//     (inline JWKS or a JWKS URI) is reported as trusted;
//   - a JWKS URI combined with auth method "none" is not trusted, and the
//     headless flag in Metadata is then not honoured;
//   - the headless flag only counts when it is a real bool; the string "true"
//     does not enable headless login.
//
// NOTE(review): not covered here: private_key_jwt with no key material at
// all, nil or missing Metadata, and an explicit false flag. Worth adding once
// the expected results are confirmed against IsTrustedRP and
// IsHeadlessLoginEnabled.
func TestHydraClient_TrustedRPFlags(t *testing.T) {
	const rpJWKSURI = "https://rp.example.com/.well-known/jwks.json"

	// expectation couples the wanted result with the failure text reported
	// when the client disagrees.
	type expectation struct {
		want    bool
		failure string
	}

	cases := []struct {
		name     string
		client   HydraClient
		trusted  expectation
		headless expectation
	}{
		{
			name: "inline jwks with private_key_jwt and headless enabled",
			client: HydraClient{
				TokenEndpointAuthMethod: "private_key_jwt",
				JWKS: map[string]any{
					"keys": []map[string]any{{
						"kty": "RSA",
					}},
				},
				Metadata: map[string]any{
					"headless_login_enabled": true,
				},
			},
			trusted:  expectation{want: true, failure: "expected trusted rp"},
			headless: expectation{want: true, failure: "expected headless login enabled"},
		},
		{
			name: "jwks uri without private_key_jwt is not trusted",
			client: HydraClient{
				TokenEndpointAuthMethod: "none",
				JWKSUri:                 rpJWKSURI,
				Metadata: map[string]any{
					"headless_login_enabled": true,
				},
			},
			trusted:  expectation{want: false, failure: "expected untrusted rp"},
			headless: expectation{want: false, failure: "expected headless login disabled when client is not trusted"},
		},
		{
			name: "trusted rp without boolean metadata flag is not headless enabled",
			client: HydraClient{
				TokenEndpointAuthMethod: "private_key_jwt",
				JWKSUri:                 rpJWKSURI,
				Metadata: map[string]any{
					// Deliberately a string, not a bool: a loosely typed
					// flag must not switch headless login on.
					"headless_login_enabled": "true",
				},
			},
			trusted:  expectation{want: true, failure: "expected trusted rp"},
			headless: expectation{want: false, failure: "expected headless login disabled for non-bool metadata"},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// The trust check runs first and aborts the subtest on mismatch,
			// so the headless assertion is only reached for a client whose
			// trust classification is already as expected.
			if got := tc.client.IsTrustedRP(); got != tc.trusted.want {
				t.Fatal(tc.trusted.failure)
			}
			if got := tc.client.IsHeadlessLoginEnabled(); got != tc.headless.want {
				t.Fatal(tc.headless.failure)
			}
		})
	}
}