package firewall

import (
	"bytes"
	"strings"
	"testing"
)

// renderView executes the package-level template tpl against v and returns
// the rendered ruleset text. Any template execution error aborts the calling
// test via t.Fatalf.
func renderView(t *testing.T, v View) string {
	t.Helper()
	var rendered bytes.Buffer
	err := tpl.Execute(&rendered, v)
	if err != nil {
		t.Fatalf("template execute: %v", err)
	}
	return rendered.String()
}

// TestRender_BaselineHasMandatorySections renders the zero-value View and
// verifies that the fixed skeleton of the ruleset is present: the flush,
// table and set declarations, the drop-by-default input chain with its
// baseline accepts, and the forward/output chains.
func TestRender_BaselineHasMandatorySections(t *testing.T) {
	mandatory := []string{
		"flush ruleset",
		"table inet edgeguard",
		"set peer_ipv4",
		"set peer_ipv6",
		"chain input",
		"type filter hook input priority 0; policy drop;",
		"ct state established,related accept",
		"iif lo accept",
		"tcp dport 22 ct state new limit rate 10/minute accept",
		"tcp dport { 80, 443 } accept",
		"tcp dport 8443 ip saddr @peer_ipv4 accept",
		"chain forward",
		"chain output",
	}
	out := renderView(t, View{})
	for _, fragment := range mandatory {
		if strings.Contains(out, fragment) {
			continue
		}
		t.Errorf("missing %q in baseline:\n%s", fragment, out)
	}
}

// TestRender_PeerIPsPopulateSets checks that the PeerIPv4 and PeerIPv6
// address lists are emitted as the element lists of their respective sets,
// in the order given.
func TestRender_PeerIPsPopulateSets(t *testing.T) {
	view := View{
		PeerIPv4: []string{"10.0.0.11", "10.0.0.12"},
		PeerIPv6: []string{"fd00::1"},
	}
	expected := []string{
		"elements = { 10.0.0.11, 10.0.0.12 }",
		"elements = { fd00::1 }",
	}
	out := renderView(t, view)
	for _, fragment := range expected {
		if strings.Contains(out, fragment) {
			continue
		}
		t.Errorf("missing %q:\n%s", fragment, out)
	}
}

// TestRender_CustomRulesLandInChain checks that user-supplied input and
// forward rules appear in the output as a "# <Comment>" line followed by
// "<MatchExpr> <Action>".
//
// NOTE(review): these assertions only check substring presence; they do not
// pin how a Comment or MatchExpr containing a newline or "#" is rendered.
// Confirm in the template (or its caller) whether such values are validated
// or rejected before they reach the ruleset.
func TestRender_CustomRulesLandInChain(t *testing.T) {
	inputRule := Rule{
		MatchExpr: "ip saddr 192.168.0.0/16 tcp dport 9090",
		Action:    "accept",
		Comment:   "monitoring",
	}
	forwardRule := Rule{
		MatchExpr: "iif eth0 oif eth1",
		Action:    "accept",
		Comment:   "lan to wan",
	}
	view := View{
		CustomRulesInput:   []Rule{inputRule},
		CustomRulesForward: []Rule{forwardRule},
	}
	expected := []string{
		"# monitoring",
		"ip saddr 192.168.0.0/16 tcp dport 9090 accept",
		"# lan to wan",
		"iif eth0 oif eth1 accept",
	}
	out := renderView(t, view)
	for _, fragment := range expected {
		if strings.Contains(out, fragment) {
			continue
		}
		t.Errorf("missing %q:\n%s", fragment, out)
	}
}