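package evaluator

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

// Test fixtures for isValidClientCertificate.
//
// These certificates can be regenerated by running:
//
//	go run ./gen-test-certs.go
//
// (Copy and paste the output here.)
//
// Decoding the PEM blobs shows a NotAfter of 2033-07-31T15:33:19Z on every
// certificate, so the tests below will start failing on that date and the
// fixtures must be regenerated before then. The subject names encoded in the
// blobs are "Trusted Root CA", "trusted client cert" and "revoked client cert"
// for the trusted chain, and "Untrusted Root CA" / "untrusted client cert" for
// the untrusted one; the CRL carries the "Trusted Root CA" issuer name and
// lists a single serial number, that of testRevokedCert.
const (
	// testCA is the self-signed root that testValidCert and testRevokedCert
	// chain to.
	testCA = `
-----BEGIN CERTIFICATE-----
MIIBZzCCAQ6gAwIBAgICEAAwCgYIKoZIzj0EAwIwGjEYMBYGA1UEAxMPVHJ1c3Rl
ZCBSb290IENBMCAYDzAwMDEwMTAxMDAwMDAwWhcNMzMwNzMxMTUzMzE5WjAaMRgw
FgYDVQQDEw9UcnVzdGVkIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AARGMVCBvgbkVB3OPltnBHAy9s9rtog2rlnzZ4BKzPBbLEM0uPYTOZa0LLxSMtCj
N+Bu3wfGPgHU6/pJ2uEky7/Uo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
BAUwAwEB/zAdBgNVHQ4EFgQUXep6D8FTP6+5ZdR/HjP3pYfmxkwwCgYIKoZIzj0E
AwIDRwAwRAIgSS5J6ii/n0gf2/UAMFb+UVG8n0nb1dcBCG55fSlWlVECIENVK+X3
6SfUhfYSVBvOdS08AzMVvOM7aZbWaY9UirIf
-----END CERTIFICATE-----
`

	// testValidCert is a leaf issued by testCA that does not appear in
	// testCRL.
	testValidCert = `
-----BEGIN CERTIFICATE-----
MIIBYTCCAQigAwIBAgICEAEwCgYIKoZIzj0EAwIwGjEYMBYGA1UEAxMPVHJ1c3Rl
ZCBSb290IENBMCAYDzAwMDEwMTAxMDAwMDAwWhcNMzMwNzMxMTUzMzE5WjAeMRww
GgYDVQQDExN0cnVzdGVkIGNsaWVudCBjZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
AQcDQgAEfAYP3ZwiKJgk9zXpR/CMHYlAxjweJaMJihIS2FTA5gb0xBcTEe5AGpNF
CHWPk4YCB25VeHg9GmY9Q1+qDD1hdqM4MDYwEwYDVR0lBAwwCgYIKwYBBQUHAwIw
HwYDVR0jBBgwFoAUXep6D8FTP6+5ZdR/HjP3pYfmxkwwCgYIKoZIzj0EAwIDRwAw
RAIgProROtxpvKS/qjrjonSvacnhdU0JwoXj2DgYvF/qjrUCIAXlHkdEzyXmTLuu
/YxuOibV35vlaIzj21GRj4pYmVR1
-----END CERTIFICATE-----
`

	// testUntrustedCert is a well-formed leaf issued by a different root
	// ("Untrusted Root CA"), not by testCA. It is properly signed by its own
	// issuer; what makes it invalid here is that the issuer is not trusted.
	testUntrustedCert = `
-----BEGIN CERTIFICATE-----
MIIBZzCCAQygAwIBAgICEAEwCgYIKoZIzj0EAwIwHDEaMBgGA1UEAxMRVW50cnVz
dGVkIFJvb3QgQ0EwIBgPMDAwMTAxMDEwMDAwMDBaFw0zMzA3MzExNTMzMTlaMCAx
HjAcBgNVBAMTFXVudHJ1c3RlZCBjbGllbnQgY2VydDBZMBMGByqGSM49AgEGCCqG
SM49AwEHA0IABBG2Qo/l0evcNKjwaJsi04BJJh7ec064lRiKaRMNRUK+UxkKmfbn
0FobVtlioTmzeWCX8OJFPfO7y7/VLMiGVr+jODA2MBMGA1UdJQQMMAoGCCsGAQUF
BwMCMB8GA1UdIwQYMBaAFCd2l26OflZF3LTFUEBB54ZQV3AUMAoGCCqGSM49BAMC
A0kAMEYCIQCYEk3D4nHevIlKFg6f7O2/GdptzKU6F05pz4B3Aa8ahAIhAJcBGUNm
cqQQJNOelJJmMeFOzmmTk7oNFxCGEC00wlGn
-----END CERTIFICATE-----
`

	// testRevokedCert is a leaf issued by testCA whose serial number is the
	// one listed in testCRL. Without a CRL it is indistinguishable from
	// testValidCert.
	testRevokedCert = `
-----BEGIN CERTIFICATE-----
MIIBYzCCAQigAwIBAgICEAIwCgYIKoZIzj0EAwIwGjEYMBYGA1UEAxMPVHJ1c3Rl
ZCBSb290IENBMCAYDzAwMDEwMTAxMDAwMDAwWhcNMzMwNzMxMTUzMzE5WjAeMRww
GgYDVQQDExNyZXZva2VkIGNsaWVudCBjZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
AQcDQgAEoN/gKhZgyKhTmiC3qLHDQ54TIpgXBTvGKrdIRHO616XMkzj0lFZMHG5u
LGK3qo8wJtyoalOFTkSck0kl3PD/9qM4MDYwEwYDVR0lBAwwCgYIKwYBBQUHAwIw
HwYDVR0jBBgwFoAUXep6D8FTP6+5ZdR/HjP3pYfmxkwwCgYIKoZIzj0EAwIDSQAw
RgIhAK6/oLtzvrK2Vrt1MRZJ6aGU2Cz28X0Y/4TOwFSvCK9AAiEAm4XPQXy6L0PE
vfXoV8RW/RnndDhf8iDALvAaAuS82fU=
-----END CERTIFICATE-----
`

	// testCRL is a CRL under the "Trusted Root CA" issuer name that revokes
	// testRevokedCert and nothing else.
	testCRL = `
-----BEGIN X509 CRL-----
MIHfMIGFAgEBMAoGCCqGSM49BAMCMBoxGDAWBgNVBAMTD1RydXN0ZWQgUm9vdCBD
QRgPMDAwMTAxMDEwMDAwMDBaMBUwEwICEAIXDTIzMDgwMzE1MzMxOVqgMDAuMB8G
A1UdIwQYMBaAFF3qeg/BUz+vuWXUfx4z96WH5sZMMAsGA1UdFAQEAgIgADAKBggq
hkjOPQQDAgNJADBGAiEApMG/hJxlMe9QNF8cCVjOFyTfVVBkfKtrFQDmElO46x4C
IQCX9SYteNaaW+NVmGED6QfHXRWnDqHnXfe/mLxmnPVWzA==
-----END X509 CRL-----
`
)

// Test_isValidClientCertificate exercises isValidClientCertificate against the
// fixtures above. Each single-call case pins the (valid, err) pair the
// function is expected to return for one CA / CRL / ClientCertificateInfo
// combination; the revoked-cert case runs three calls in sequence because the
// expected outcome for the same leaf depends on whether a CRL is supplied.
//
// Not covered by these fixtures: an expired leaf, a leaf issued by testCA
// that lacks the client-auth extended key usage, a CRL that is not signed by
// the trusted CA, and a malformed CRL. Those would need additional blobs from
// the generator.
func Test_isValidClientCertificate(t *testing.T) {
	tests := []struct {
		name    string
		ca      string
		crl     string
		info    ClientCertificateInfo
		wantErr bool
		want    bool
	}{
		{
			// With no CA configured there is nothing to validate against;
			// the function is expected to report valid even for a garbage
			// Leaf that was not marked as presented.
			name: "no ca",
			info: ClientCertificateInfo{Leaf: "WHATEVER!"},
			want: true,
		},
		{
			// A CA is configured but the client presented nothing.
			name: "no cert",
			ca:   testCA,
			info: ClientCertificateInfo{},
			want: false,
		},
		{
			name: "valid cert",
			ca:   testCA,
			info: ClientCertificateInfo{Presented: true, Leaf: testValidCert},
			want: true,
		},
		{
			// A correctly signed leaf that chains to a root other than
			// testCA is rejected, and the rejection is not an error.
			name: "untrusted cert",
			ca:   testCA,
			info: ClientCertificateInfo{Presented: true, Leaf: testUntrustedCert},
			want: false,
		},
		{
			// Unparseable Leaf data is reported as an error, not merely as
			// "not valid".
			name:    "not a cert",
			ca:      testCA,
			info:    ClientCertificateInfo{Presented: true, Leaf: "WHATEVER!"},
			wantErr: true,
			want:    false,
		},
	}
	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			valid, err := isValidClientCertificate(tc.ca, tc.crl, tc.info)
			if tc.wantErr {
				assert.Error(t, err, "should return an error")
			} else {
				assert.NoError(t, err, "should not return an error")
			}
			if tc.want {
				assert.True(t, valid, "should return true")
			} else {
				assert.False(t, valid, "should return false")
			}
		})
	}

	t.Run("revoked cert", func(t *testing.T) {
		revokedCertInfo := ClientCertificateInfo{
			Presented: true,
			Leaf:      testRevokedCert,
		}

		// The "revoked cert" should otherwise be valid (when no CRL is specified).
		valid, err := isValidClientCertificate(testCA, "", revokedCertInfo)
		assert.NoError(t, err, "should not return an error")
		assert.True(t, valid, "should return true")

		// Once the CRL listing its serial is supplied, the same leaf is
		// rejected without error.
		valid, err = isValidClientCertificate(testCA, testCRL, revokedCertInfo)
		assert.NoError(t, err, "should not return an error")
		assert.False(t, valid, "should return false")

		// Specifying a CRL containing the revoked cert should not affect other certs.
		valid, err = isValidClientCertificate(testCA, testCRL, ClientCertificateInfo{
			Presented: true,
			Leaf:      testValidCert,
		})
		assert.NoError(t, err, "should not return an error")
		assert.True(t, valid, "should return true")
	})
}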