<?php

use App\Models\AuditLog;
use App\Models\AdminUser;
use App\Models\Player;
use App\Models\PlayerWallet;
use App\Models\AdminRole;
use App\Services\AuditLogger;
use Illuminate\Support\Facades\Hash;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

function playerManageAdminToken(): string
{
    $admin = AdminUser::query()->create([
        'username' => 'player_manage_admin',
        'name' => 'Player Manage Admin',
        'email' => null,
        'password' => Hash::make('secret-strong'),
        'status' => 0,
    ]);
    grantSuperAdminRole($admin);

    return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
}

function playerPermissionAdminToken(string $username, array $permissionSlugs): string
{
    $admin = AdminUser::query()->create([
        'username' => $username,
        'name' => 'Player Permission Admin',
        'email' => null,
        'password' => Hash::make('secret-strong'),
        'status' => 0,
    ]);

    $role = AdminRole::query()->create([
        'slug' => 'role_'.$username,
        'name' => 'Role '.$username,
    ]);
    $role->syncLegacyPermissionSlugs($permissionSlugs);

    $admin->roles()->sync([
        (int) $role->id => [
            'site_id' => AdminUser::defaultAdminSiteId(),
            'granted_at' => now(),
        ],
    ]);

    return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
}

function playerPermissionRequest($test, string $token)
{
    app('auth')->forgetGuards();

    return $test->withHeader('Authorization', 'Bearer '.$token);
}

test('admin can freeze and unfreeze player with audit log', function (): void {
    $player = Player::query()->create([
        'site_code' => 'main',
        'site_player_id' => 'freeze-1',
        'username' => 'freeze_user',
        'nickname' => 'Freeze',
        'default_currency' => 'NPR',
        'status' => 0,
    ]);

    PlayerWallet::query()->create([
        'player_id' => $player->id,
        'wallet_type' => 'lottery',
        'currency_code' => 'NPR',
        'balance' => 1_000,
        'frozen_balance' => 0,
        'status' => 0,
        'version' => 0,
    ]);

    $token = playerManageAdminToken();

    $this->withHeader('Authorization', 'Bearer '.$token)
        ->postJson('/api/v1/admin/players/'.$player->id.'/freeze')
        ->assertOk()
        ->assertJsonPath('data.status', 1);

    $this->assertDatabaseHas('audit_logs', [
        'module_code' => 'player_manage',
        'action_code' => 'freeze',
        'target_type' => 'player',
        'target_id' => (string) $player->id,
    ]);

    $this->withHeader('Authorization', 'Bearer '.$token)
        ->postJson('/api/v1/admin/players/'.$player->id.'/unfreeze')
        ->assertOk()
        ->assertJsonPath('data.status', 0);

    expect(AuditLog::query()->where('module_code', 'player_manage')->count())->toBe(2);
});

test('player manage permission gates write and freeze APIs separately from view permissions', function (): void {
    $player = Player::query()->create([
        'site_code' => 'main',
        'site_player_id' => 'perm-1',
        'username' => 'perm_user',
        'nickname' => 'Perm',
        'default_currency' => 'NPR',
        'status' => 0,
    ]);

    $financeToken = playerPermissionAdminToken('player_finance_viewer', ['prd.users.view_finance']);

    playerPermissionRequest($this, $financeToken)
        ->getJson('/api/v1/admin/players?per_page=10')
        ->assertOk();

    playerPermissionRequest($this, $financeToken)
        ->getJson('/api/v1/admin/players/'.$player->id.'/wallets')
        ->assertOk();

    playerPermissionRequest($this, $financeToken)
        ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items')
        ->assertForbidden();

    playerPermissionRequest($this, $financeToken)
        ->postJson('/api/v1/admin/players', [
            'site_code' => 'main',
            'site_player_id' => 'created-by-finance',
            'default_currency' => 'NPR',
        ])
        ->assertForbidden();

    playerPermissionRequest($this, $financeToken)
        ->putJson('/api/v1/admin/players/'.$player->id, ['nickname' => 'blocked'])
        ->assertForbidden();

    playerPermissionRequest($this, $financeToken)
        ->postJson('/api/v1/admin/players/'.$player->id.'/freeze')
        ->assertForbidden();

    $csToken = playerPermissionAdminToken('player_cs_viewer', ['prd.users.view_cs']);

    playerPermissionRequest($this, $csToken)
        ->getJson('/api/v1/admin/players?per_page=10')
        ->assertOk();

    playerPermissionRequest($this, $csToken)
        ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items')
        ->assertOk();

    playerPermissionRequest($this, $csToken)
        ->getJson('/api/v1/admin/players/'.$player->id.'/wallets')
        ->assertForbidden();

    $freezeToken = playerPermissionAdminToken('player_freezer', ['prd.player_freeze.manage']);

    playerPermissionRequest($this, $freezeToken)
        ->getJson('/api/v1/admin/players?per_page=10')
        ->assertForbidden();

    playerPermissionRequest($this, $freezeToken)
        ->postJson('/api/v1/admin/players/'.$player->id.'/freeze')
        ->assertOk()
        ->assertJsonPath('data.status', 1);

    playerPermissionRequest($this, $freezeToken)
        ->postJson('/api/v1/admin/players/'.$player->id.'/unfreeze')
        ->assertOk()
        ->assertJsonPath('data.status', 0);

    $manageToken = playerPermissionAdminToken('player_manager', ['prd.users.manage']);

    playerPermissionRequest($this, $manageToken)
        ->getJson('/api/v1/admin/players/'.$player->id.'/wallets')
        ->assertOk();

    playerPermissionRequest($this, $manageToken)
        ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items')
        ->assertOk();
});