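"""
Tests for credential redaction.

Issue: #839

Every secret-shaped value in this file is a fixture string. The redaction
tests check both that a marker was inserted and that the original secret no
longer appears in the output: a redactor that adds "REDACTED" but leaves the
secret in place would pass a marker-only check while still leaking it.
"""

import unittest

from tools.credential_redact import (
    CredentialRedactor,
    redact_credentials,
    redact_tool_output,
    should_mask_file,
    mask_sensitive_file,
)


class TestCredentialRedaction(unittest.TestCase):
    """Pattern-level checks for redact_credentials()."""

    def _assert_secret_removed(self, text, secret):
        """Redact *text* and verify that *secret* no longer appears in it.

        Asserts that at least one match was counted, that the marker is
        present, and that the secret substring is absent. Returns the
        redacted text so a test can add further checks.
        """
        redacted, count = redact_credentials(text)
        self.assertGreater(count, 0)
        self.assertIn("REDACTED", redacted)
        # The marker alone does not prove that the secret was removed.
        self.assertNotIn(secret, redacted)
        return redacted

    def test_openai_key(self):
        self._assert_secret_removed(
            "api_key=sk-abc123def456ghi789jkl012mno",
            "sk-abc123",
        )

    def test_github_token(self):
        self._assert_secret_removed(
            "token: ghp_1234567890abcdef1234567890abcdef12345678",
            "ghp_1234567890abcdef1234567890abcdef12345678",
        )

    def test_bearer_token(self):
        self._assert_secret_removed(
            "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
            "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
        )

    def test_password(self):
        self._assert_secret_removed(
            "password: mySecretPassword123",
            "mySecretPassword123",
        )

    def test_aws_key(self):
        self._assert_secret_removed(
            "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
            "AKIAIOSFODNN7EXAMPLE",
        )

    def test_database_url(self):
        # The password segment of the URL is the part that must not survive,
        # whether the redactor masks the whole URL or only the userinfo.
        self._assert_secret_removed(
            "DATABASE_URL=postgres://user:pass@localhost/db",
            ":pass@",
        )

    def test_clean_text_unchanged(self):
        text = "Hello world, this is a normal message"
        redacted, count = redact_credentials(text)
        self.assertEqual(count, 0)
        self.assertEqual(redacted, text)

    def test_multiple_credentials(self):
        openai_key = "sk-abc123def456ghi789jkl012mno"
        github_token = "ghp_1234567890abcdef1234567890abcdef12345678"
        text = f"key1={openai_key} and token: {github_token}"
        redacted, count = redact_credentials(text)
        self.assertGreaterEqual(count, 2)
        # Both secrets must be removed, not only the first match.
        self.assertNotIn(openai_key, redacted)
        self.assertNotIn(github_token, redacted)


class TestToolOutputRedaction(unittest.TestCase):
    """Checks for the notice returned by redact_tool_output()."""

    def test_redaction_notice(self):
        output = "Running with key sk-abc123def456ghi789jkl012mno"
        redacted, notice = redact_tool_output("terminal", output)
        self.assertIn("REDACTED", notice)
        self.assertIn("terminal", notice)
        # NOTE(review): assumes the first element is the redacted output and
        # that the notice never echoes the secret - confirm against
        # tools.credential_redact.
        self.assertNotIn("sk-abc123", redacted)
        self.assertNotIn("sk-abc123", notice)

    def test_no_notice_when_clean(self):
        output = "Hello world"
        redacted, notice = redact_tool_output("terminal", output)
        self.assertEqual(notice, "")


class TestSensitiveFileMasking(unittest.TestCase):
    """Checks for should_mask_file() and mask_sensitive_file()."""

    def test_env_file_detected(self):
        self.assertTrue(should_mask_file("/path/to/.env"))
        self.assertTrue(should_mask_file("/path/to/.env.local"))
        self.assertTrue(should_mask_file("/path/to/config.yaml"))

    def test_normal_file_not_detected(self):
        self.assertFalse(should_mask_file("/path/to/readme.md"))
        self.assertFalse(should_mask_file("/path/to/code.py"))

    def test_mask_env_file(self):
        content = "API_KEY=sk-abc123\nDATABASE_URL=postgres://u:p@h/d\nNORMAL=value"
        masked = mask_sensitive_file(content, ".env")
        self.assertIn("[REDACTED]", masked)
        self.assertIn("NORMAL=value", masked)
        # One marker is not enough: each sensitive value must be gone, or a
        # masker that handles only one of the two entries would still pass.
        self.assertNotIn("sk-abc123", masked)
        self.assertNotIn("u:p@", masked)


if __name__ == "__main__":
    unittest.main()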