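package rbac

// Tests for RBAC role permissions and role validation.

import (
	"testing"

	"github.com/stretchr/testify/require"
)

// TestRolePermissions verifies role permission checks for individual and
// aggregate queries.
//
// Each helper is exercised with one grant and one denial, so a change that
// makes a check permissive by accident fails here instead of passing silently.
func TestRolePermissions(t *testing.T) {
	// Single-permission lookup.
	require.True(t, HasPermission(RolePlayer, PermissionPlayGame))
	require.False(t, HasPermission(RolePlayer, PermissionManageSystem))

	// "Any" passes when at least one of the listed permissions is held.
	require.True(t, HasAnyPermission(RoleModerator, PermissionViewUsers, PermissionManageSystem))
	require.False(t, HasAnyPermission(RolePlayer, PermissionManageSystem))

	// "All" must fail when one listed permission is missing, even though the
	// role holds another one from the same list.
	require.True(t, HasAllPermissions(RoleAdmin, PermissionManageSystem, PermissionViewDashboard))
	require.False(t, HasAllPermissions(RolePlayer, PermissionViewDashboard, PermissionPlayGame))
}

// TestUserHasPermission verifies role strings grant expected permissions.
//
// NOTE(review): no case here covers an empty role list or a list holding only
// unknown role names. A fail-closed assertion for both is worth adding once
// the intended behaviour of UserHasPermission is confirmed.
func TestUserHasPermission(t *testing.T) {
	require.True(t, UserHasPermission([]string{"player"}, PermissionPlayGame))
	require.False(t, UserHasPermission([]string{"player"}, PermissionManageSystem))
}

// TestGetPermissionsReturnsCopy ensures returned permission slices are not
// shared.
//
// If GetPermissions handed out the role table's own backing array, any caller
// could add a permission to a role for the whole process by writing into the
// returned slice. The test writes an elevated permission into the result and
// then checks that neither a fresh lookup nor HasPermission sees it.
func TestGetPermissionsReturnsCopy(t *testing.T) {
	perms := GetPermissions(RolePlayer)
	require.NotEmpty(t, perms)

	// Record the real first entry rather than hard-coding which permission
	// the role lists first; the test is about aliasing, not ordering.
	first := perms[0]
	// The overwrite below is only meaningful if it changes the value.
	require.NotEqual(t, PermissionManageSystem, first)

	perms[0] = PermissionManageSystem

	fresh := GetPermissions(RolePlayer)
	require.NotEmpty(t, fresh)
	require.Equal(t, first, fresh[0])

	// The write must not have widened what the role is allowed to do.
	require.False(t, HasPermission(RolePlayer, PermissionManageSystem))
}

// TestIsValidRole verifies known roles are accepted and unknown roles rejected.
//
// NOTE(review): the empty string and case or whitespace variants of a known
// role (for example "Player") are not covered; confirm the intended handling
// and pin it here.
func TestIsValidRole(t *testing.T) {
	require.True(t, IsValidRole("player"))
	require.False(t, IsValidRole("ghost"))
}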