import logging

import allure
import pytest
from frostfs_testlib import reporter
from frostfs_testlib.cli.frostfs_cli.cli import FrostfsCli
from frostfs_testlib.resources.wellknown_acl import PUBLIC_ACL
from frostfs_testlib.steps.acl import bearer_token_base64_from_file
from frostfs_testlib.steps.cli.container import create_container
from frostfs_testlib.steps.http.http_gate import upload_via_http_gate_curl, verify_object_hash
from frostfs_testlib.storage.cluster import Cluster
from frostfs_testlib.storage.dataclasses import ape
from frostfs_testlib.storage.dataclasses.object_size import ObjectSize
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
from frostfs_testlib.utils.file_utils import generate_file

from pytest_tests.helpers.bearer_token import create_bearer_token

logger = logging.getLogger("NeoLogger")


@pytest.mark.http_gate
@pytest.mark.http_put
class Test_http_bearer(ClusterTestBase):
    PLACEMENT_RULE = "REP 2 IN X CBF 1 SELECT 2 FROM * AS X"

    @pytest.fixture(scope="class")
    def user_container(self, frostfs_cli: FrostfsCli, default_wallet: WalletInfo, cluster: Cluster) -> str:
        with reporter.step("Create container"):
            cid = create_container(default_wallet, self.shell, self.cluster.default_rpc_endpoint, self.PLACEMENT_RULE, PUBLIC_ACL)

        with reporter.step("Deny PUT via APE rule to container"):
            role_condition = ape.Condition.by_role(ape.Role.OWNER)
            rule = ape.Rule(ape.Verb.DENY, ape.ObjectOperations.PUT, role_condition)
            frostfs_cli.ape_manager.add(
                cluster.default_rpc_endpoint, rule.chain_id, target_name=cid, target_type="container", rule=rule.as_string()
            )

        with reporter.step("Wait for one block"):
            self.wait_for_blocks()

        return cid

    @pytest.fixture(scope="class")
    def bearer_token(self, frostfs_cli: FrostfsCli, user_container: str, temp_directory: str, cluster: Cluster) -> str:
        with reporter.step(f"Create bearer token for {ape.Role.OTHERS} with all operations allowed"):
            role_condition = ape.Condition.by_role(ape.Role.OTHERS)
            rule = ape.Rule(ape.Verb.ALLOW, ape.ObjectOperations.WILDCARD_ALL, role_condition)
            bearer = create_bearer_token(frostfs_cli, temp_directory, user_container, rule, cluster.default_rpc_endpoint)

            return bearer_token_base64_from_file(bearer)

    @allure.title(f"[NEGATIVE] Put object without bearer token for {ape.Role.OTHERS}")
    def test_unable_put_without_bearer_token(self, simple_object_size: ObjectSize, user_container: str):
        upload_via_http_gate_curl(
            cid=user_container,
            filepath=generate_file(simple_object_size.value),
            endpoint=self.cluster.default_http_gate_endpoint,
            error_pattern="access to object operation denied",
        )

    def test_put_with_bearer_when_eacl_restrict(
        self,
        object_size: ObjectSize,
        default_wallet: WalletInfo,
        user_container: str,
        bearer_token: str,
    ):
        file_path = generate_file(object_size.value)
        with reporter.step(f"Put object with bearer token for {ape.Role.OTHERS}, then get and verify hashes"):
            headers = [f" -H 'Authorization: Bearer {bearer_token}'"]
            oid = upload_via_http_gate_curl(
                cid=user_container,
                filepath=file_path,
                endpoint=self.cluster.default_http_gate_endpoint,
                headers=headers,
            )
            verify_object_hash(
                oid=oid,
                file_name=file_path,
                wallet=default_wallet,
                cid=user_container,
                shell=self.shell,
                nodes=self.cluster.storage_nodes,
                request_node=self.cluster.cluster_nodes[0],
            )