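// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package transit

import (
	"context"
	"testing"

	"github.com/hashicorp/vault/sdk/logical"
)

// TestTransit_ConfigKeys exercises the "config/keys" endpoint and the
// disable_upsert setting it exposes. With upserting enabled, an encrypt
// request against an unknown key name succeeds; once disable_upsert is set,
// the same kind of request must be rejected for a new key name while a key
// that already exists stays usable.
func TestTransit_ConfigKeys(t *testing.T) {
	b, s := createBackendWithSysView(t)

	// doReq sends req and fails the test on a Go error or an error response.
	// The response is included in the failure output because, when only
	// resp.IsError() is true, err is nil and carries no diagnostic value.
	doReq := func(req *logical.Request) *logical.Response {
		t.Helper()
		resp, err := b.HandleRequest(context.Background(), req)
		if err != nil || (resp != nil && resp.IsError()) {
			t.Fatalf("got err:\n%#v\nresp:\n%#v\nreq:\n%#v\n", err, resp, *req)
		}
		return resp
	}

	// doErrReq sends req and fails the test unless the backend rejects it,
	// either with a Go error or with an error response.
	doErrReq := func(req *logical.Request) {
		t.Helper()
		resp, err := b.HandleRequest(context.Background(), req)
		if err != nil {
			return
		}
		if resp == nil || !resp.IsError() {
			t.Fatalf("expected error; resp:\n%#v\nreq:\n%#v\n", resp, *req)
		}
	}

	// readDisableUpsert reads config/keys and returns disable_upsert. It
	// checks the response shape explicitly so that a missing or mistyped
	// field is reported as a test failure rather than a panic.
	readDisableUpsert := func() bool {
		t.Helper()
		resp := doReq(&logical.Request{
			Storage:   s,
			Operation: logical.ReadOperation,
			Path:      "config/keys",
		})
		if resp == nil {
			t.Fatal("expected a response when reading config/keys; got nil")
		}
		disabled, ok := resp.Data["disable_upsert"].(bool)
		if !ok {
			t.Fatalf("expected disable_upsert to be a bool; got: %#v", resp.Data["disable_upsert"])
		}
		return disabled
	}

	// First read the global config: upserting is allowed by default.
	if readDisableUpsert() {
		t.Fatal("expected disable_upsert to be false by default")
	}

	// Ensure we can upsert. The plaintext is base64 for "hello\n".
	req := &logical.Request{
		Storage:   s,
		Operation: logical.CreateOperation,
		Path:      "encrypt/upsert-1",
		Data: map[string]interface{}{
			"plaintext": "aGVsbG8K",
		},
	}
	doReq(req)

	// Disable upserting.
	req.Operation = logical.UpdateOperation
	req.Path = "config/keys"
	req.Data = map[string]interface{}{
		"disable_upsert": true,
	}
	doReq(req)

	// Confirm the setting is reported back, so the rejection below is
	// attributable to disable_upsert and not to some unrelated failure.
	if !readDisableUpsert() {
		t.Fatal("expected disable_upsert to be true after update")
	}

	// Attempt upserting again, it should fail.
	req.Operation = logical.CreateOperation
	req.Path = "encrypt/upsert-2"
	req.Data = map[string]interface{}{
		"plaintext": "aGVsbG8K",
	}
	doErrReq(req)

	// Redoing this with the first key should succeed: disable_upsert blocks
	// creation of new keys only, not use of a key that already exists.
	req.Path = "encrypt/upsert-1"
	doReq(req)
}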