import { describe, it, before, beforeEach, afterEach } from "node:test";
import { DockerTestContainer } from "./DockerTestContainer.js";
import assert from "node:assert";

describe("E2E: Safe chain proxy tunneling", () => {
  let container;

  before(async () => {
    DockerTestContainer.buildImage();
  });

  beforeEach(async () => {
    container = new DockerTestContainer();
    await container.start();

    const installationShell = await container.openShell("zsh");
    await installationShell.runCommand("safe-chain setup");
  });

  afterEach(async () => {
    if (container) {
      await container.stop();
      container = null;
    }
  });

  it("should tunnel non-registry traffic via upstream proxy with authentication", async () => {
    // 1. Configure TinyProxy with Basic Auth
    const proxySetup = await container.openShell("zsh");
    await proxySetup.runCommand(
      `echo 'BasicAuth user password' >> /etc/tinyproxy/tinyproxy.conf`
    );
    await proxySetup.runCommand("service tinyproxy restart || tinyproxy");

    // 2. Setup a test script that makes a non-registry request (using curl)
    const setupShell = await container.openShell("zsh");
    // We use www.example.com as a stable target
    await setupShell.runCommand('npm pkg set scripts.test-curl="curl -v -I https://www.example.com"');

    // 3. Run the test script with HTTPS_PROXY set to the authenticated upstream proxy
    const testShell = await container.openShell("zsh");
    // Set the upstream proxy with credentials
    await testShell.runCommand('export HTTPS_PROXY="http://user:password@localhost:8888"');
    
    // Run the script via npm (which is wrapped by safe-chain)
    // safe-chain should inject its own proxy, which then tunnels to the upstream proxy
    const { output, command } = await testShell.runCommand("npm run test-curl");

    // 4. Verify the result
    // If safe-chain fails to authenticate with upstream, we expect a failure
    // curl -I returns HTTP 200 OK if successful
    
    const success = output.includes("HTTP/2 200") || output.includes("HTTP/1.1 200");
    
    if (!success) {
        console.log("Test failed. Output:", output);
    }

    assert.ok(success, "curl should successfully connect to example.com via the authenticated proxy");
  });

  it("should respect NO_PROXY and bypass upstream proxy", async () => {
    // 1. Setup a test script
    const setupShell = await container.openShell("zsh");
    await setupShell.runCommand('npm pkg set scripts.test-curl="curl -v -I https://www.example.com"');

    // 2. Set a BROKEN upstream proxy, but exclude example.com via NO_PROXY
    const testShell = await container.openShell("zsh");
    await testShell.runCommand('export HTTPS_PROXY="http://non-existent-proxy:1234"');
    await testShell.runCommand('export NO_PROXY="www.example.com"');

    // 3. Run the script
    // If safe-chain ignores NO_PROXY, it will try to use the broken proxy and fail
    // If it respects NO_PROXY, it will connect directly (which works in the container)
    const { output } = await testShell.runCommand("npm run test-curl");

    const success = output.includes("HTTP/2 200") || output.includes("HTTP/1.1 200");
    
    if (!success) {
        console.log("NO_PROXY Test failed. Output:", output);
    }

    assert.ok(success, "curl should bypass the broken proxy for NO_PROXY domains");
  });
});