"""Test security headers middleware in FastAPI app."""

from fastapi.testclient import TestClient


def test_security_headers_present(client: TestClient):
    """Test that security headers are present in all responses."""
    response = client.get("/")

    # Check for security headers
    assert "X-Frame-Options" in response.headers
    assert response.headers["X-Frame-Options"] == "SAMEORIGIN"

    assert "X-Content-Type-Options" in response.headers
    assert response.headers["X-Content-Type-Options"] == "nosniff"

    assert "X-XSS-Protection" in response.headers
    assert response.headers["X-XSS-Protection"] == "1; mode=block"

    assert "Referrer-Policy" in response.headers
    assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"

    assert "Content-Security-Policy" in response.headers


def test_csp_header_content(client: TestClient):
    """Test that Content Security Policy is properly configured."""
    response = client.get("/")
    csp = response.headers.get("Content-Security-Policy", "")

    # Should restrict default-src to self
    assert "default-src 'self'" in csp

    # Should allow scripts from self and CDN
    assert "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net" in csp

    # Should allow styles from self, CDN, and Google Fonts
    assert "style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net" in csp

    # Should restrict frame ancestors to self
    assert "frame-ancestors 'self'" in csp


def test_health_endpoint_has_security_headers(client: TestClient):
    """Test that security headers are present on all endpoints."""
    response = client.get("/health")

    assert "X-Frame-Options" in response.headers
    assert "X-Content-Type-Options" in response.headers
    assert "Content-Security-Policy" in response.headers