"""Tests for the SELECT-only SQL guardrail."""

import pytest

from mcp_cucm_axl.sql_validator import validate_select, SqlValidationError


class TestSelectAccepted:
    def test_simple_select(self):
        assert validate_select("SELECT * FROM device") == "SELECT * FROM device"

    def test_with_cte(self):
        q = "WITH x AS (SELECT 1 FROM systables) SELECT * FROM x"
        assert validate_select(q) == q

    def test_lowercase_select(self):
        assert validate_select("select * from numplan") == "select * from numplan"

    def test_trailing_semicolon_stripped(self):
        assert validate_select("SELECT 1 FROM device;") == "SELECT 1 FROM device"

    def test_block_comments_stripped(self):
        q = "/* comment */ SELECT 1 FROM device"
        cleaned = validate_select(q)
        assert "SELECT 1 FROM device" in cleaned

    def test_line_comments_stripped(self):
        q = "-- a comment\nSELECT 1 FROM device"
        cleaned = validate_select(q)
        assert "SELECT 1 FROM device" in cleaned


class TestRejected:
    def test_empty(self):
        with pytest.raises(SqlValidationError, match="empty"):
            validate_select("")

    def test_whitespace_only(self):
        with pytest.raises(SqlValidationError, match="empty"):
            validate_select("   \n  ")

    def test_only_comments(self):
        with pytest.raises(SqlValidationError, match="empty"):
            validate_select("-- just a comment\n/* and another */")

    def test_insert_rejected(self):
        with pytest.raises(SqlValidationError, match="INSERT"):
            validate_select("INSERT INTO device VALUES (1)")

    def test_update_rejected(self):
        with pytest.raises(SqlValidationError, match="UPDATE"):
            validate_select("UPDATE device SET name='x' WHERE pkid='y'")

    def test_delete_rejected(self):
        with pytest.raises(SqlValidationError, match="DELETE"):
            validate_select("DELETE FROM device WHERE pkid='y'")

    def test_drop_rejected(self):
        with pytest.raises(SqlValidationError, match="DROP"):
            validate_select("DROP TABLE device")

    def test_select_with_embedded_drop_rejected(self):
        # Belt-and-suspenders: even if "DROP" appears in a quoted string-ish
        # position our keyword filter still catches it. AXL would also reject
        # this, but failing fast on the client saves a SOAP round-trip.
        with pytest.raises(SqlValidationError, match="DROP"):
            validate_select("SELECT 1 FROM device; DROP TABLE device")

    def test_truncate_rejected(self):
        with pytest.raises(SqlValidationError, match="TRUNCATE"):
            validate_select("TRUNCATE TABLE device")


class TestEdgeCases:
    def test_keyword_as_column_name_blocked(self):
        # A column named "delete" would be blocked. This is acceptable —
        # the data dictionary doesn't use SQL keywords as column names,
        # and conservative blocking is the right call for v1.
        with pytest.raises(SqlValidationError):
            validate_select("SELECT delete FROM device")

    def test_select_with_subquery(self):
        q = "SELECT name FROM device WHERE pkid IN (SELECT fkdevice FROM numplan)"
        assert "SELECT name FROM device" in validate_select(q)


class TestStringLiterals:
    """Forbidden keywords inside string literals must be ignored.

    Otherwise CSS names like 'Call Forward-CSS', DN descriptions containing
    'DELETE' (e.g., 'Delete this voicemail line'), or partition names with
    'INSERT' would all fail to query, even though the SQL itself is read-only.
    """

    def test_call_inside_string_literal_passes(self):
        q = "SELECT pkid FROM callingsearchspace WHERE name = 'Call Forward-CSS'"
        result = validate_select(q)
        assert "Call Forward-CSS" in result  # literal preserved

    def test_delete_inside_string_literal_passes(self):
        q = "SELECT pkid FROM numplan WHERE description = 'Delete after audit'"
        result = validate_select(q)
        assert "Delete after audit" in result

    def test_drop_inside_string_literal_passes(self):
        q = "SELECT pkid FROM numplan WHERE description = 'DROP table backup'"
        assert validate_select(q)

    def test_actual_drop_outside_literal_still_blocked(self):
        with pytest.raises(SqlValidationError, match="DROP"):
            validate_select("SELECT 1 FROM device; DROP TABLE backup")

    def test_escaped_quote_in_literal(self):
        # Informix uses '' (doubled) as escaped single quote within literals
        q = "SELECT pkid FROM numplan WHERE description = 'O''Brien''s line'"
        result = validate_select(q)
        assert "O''Brien''s line" in result

    def test_keyword_just_outside_literal_blocked(self):
        # The literal 'safe text' is fine; the trailing DROP is not.
        with pytest.raises(SqlValidationError, match="DROP"):
            validate_select("SELECT 1 FROM device WHERE x = 'safe text' OR DROP")

    def test_multiple_literals(self):
        q = "SELECT 1 FROM numplan WHERE name = 'CALL' AND description = 'UPDATE pending'"
        assert validate_select(q)