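# Pester tests for Get-AlkamiSecretResourcePolicyString.
#
# The script under test is located by stripping ".tests." from this file's own
# name, then re-imported inside the module scope so the module's copy of the
# function is overridden by the file being tested.
. $PSScriptRoot\..\..\Load-PesterModules.ps1

$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.tests\.', '.'
# Global on purpose: the InModuleScope script block runs in the module's scope
# and would not see a script-local variable.
$global:functionPath = Join-Path -Path $here -ChildPath $sut

InModuleScope -ModuleName Alkami.DevOps.SystemEngineering -ScriptBlock {
    Write-Host "InModuleScope - Overriding SUT: $global:functionPath"
    Import-Module $global:functionPath -Force
    $inScopeModule = "Alkami.DevOps.SystemEngineering"

    Describe "Get-AlkamiSecretResourcePolicyString" {
        # Keep the test offline: the AWS module loader becomes a no-op and the
        # caller identity is a fixed, obviously fake account id.
        Mock -CommandName Import-AWSModule -ModuleName $inScopeModule -MockWith {}
        Mock -CommandName Get-STSCallerIdentity -ModuleName $inScopeModule -MockWith {
            return @{ Account = '123456' }
        }

        Context "Parameter Validation" {
            It "Throws if ProfileName is Null" {
                { Get-AlkamiSecretResourcePolicyString -ProfileName $null } | Should -Throw
            }

            It "Throws if ProfileName is Empty" {
                { Get-AlkamiSecretResourcePolicyString -ProfileName '' } | Should -Throw
            }
        }

        Context "Logic" {
            It "Returns a String" {
                (Get-Command Get-AlkamiSecretResourcePolicyString).OutputType.Type.ToString() | Should -BeExactly "System.String"
            }

            It "Returns a String With a Valid JSON Conversion" {
                { ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test') } | Should -Not -Throw
            }

            # The assertions below all read the same path: the policy's
            # ArnNotEquals condition on aws:PrincipalArn is the list of principals
            # the secret's resource policy does NOT deny, so it is the allow-list
            # worth pinning down.
            It "Includes CLI-SRE-Admin Role By Default" {
                $searchTerm = 'role/CLI-SRE-Admin'
                $jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test')
                $searchResult = $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Where-Object { $_.EndsWith($searchTerm) }
                $searchResult | Should -Not -BeNull
            }

            It "Includes DAG-AWS-Admins Role By Default" {
                $searchTerm = 'role/DAG-AWS-Admins'
                $jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test')
                $searchResult = $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Where-Object { $_.EndsWith($searchTerm) }
                $searchResult | Should -Not -BeNull
            }

            It "Includes Account Root User By Default" {
                $searchTerm = 'root'
                $jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test')
                $searchResult = $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Where-Object { $_.EndsWith($searchTerm) }
                $searchResult | Should -Not -BeNull
            }

            It "Includes No Other AWS Entites By Default" {
                # This is the test that catches an over-broad allow-list, so the
                # patterns are anchored to the end of the ARN. An unanchored
                # 'root' or 'DAG-AWS-Admins' would also accept names such as
                # 'role/Other-root' or 'role/DAG-AWS-Admins-Extra' and let an
                # unintended principal through unnoticed. The account root
                # principal ARN ends in ':root'.
                # CLI-SRE-SysAdministrator and DAG-AWS-SRE-Infrastructure are
                # tolerated here but not asserted present by any test above.
                $allowedPattern = '(role/(CLI-SRE-Admin|CLI-SRE-SysAdministrator|DAG-AWS-Admins|DAG-AWS-SRE-Infrastructure)|:root)$'
                $jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test')
                $searchResult = $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Where-Object { $_ -notmatch $allowedPattern }
                $searchResult | Should -BeNull
            }

            It "Includes Extra Parameter Values If Provided" {
                $searchTerm = "TestArn"
                $jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test' -SecretAccessExtraArns @($searchTerm))
                $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Should -Contain $searchTerm
            }
        }
    }
}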