"""
Tests d'isolation multi-tenants — un client ne peut jamais voir les données d'un autre.
"""
import io
import pytest
import pytest_asyncio
from unittest.mock import patch, AsyncMock
from httpx import AsyncClient

from app.models.client import APIClient
from app.models.image import Image


pytestmark = pytest.mark.asyncio


# ─────────────────────────────────────────────────────────────
# Helper : upload d'une image de test
# ─────────────────────────────────────────────────────────────

async def _upload_test_image(
    async_client: AsyncClient,
    headers: dict,
    filename: str = "test.jpg",
) -> dict:
    """Upload une image de test minimale (1x1 pixel JPEG) et retourne la réponse JSON."""
    # Image JPEG minimale valide (1x1 pixel)
    jpeg_bytes = (
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        b"\xff\xdb\x00C\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07\x07\t\t"
        b"\x08\n\x0c\x14\r\x0c\x0b\x0b\x0c\x19\x12\x13\x0f\x14\x1d\x1a"
        b"\x1f\x1e\x1d\x1a\x1c\x1c $.\' \",#\x1c\x1c(7),01444\x1f\'9=82<.342"
        b"\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00"
        b"\xff\xc4\x00\x1f\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b"
        b"\xff\xc4\x00\xb5\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04"
        b"\x04\x00\x00\x01}\x01\x02\x03\x00\x04\x11\x05\x12!1A\x06\x13Qa\x07"
        b"\x22q\x142\x81\x91\xa1\x08#B\xb1\xc1\x15R\xd1\xf0$3br\x82\t\n\x16"
        b"\x17\x18\x19\x1a%&\'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\x83"
        b"\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a"
        b"\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8"
        b"\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6"
        b"\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1\xf2"
        b"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa"
        b"\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xdb\xae\x8a(\x03\xff\xd9"
    )

    # Le pipeline ARQ est mocké globalement dans conftest.py
    response = await async_client.post(
        "/images/upload",
        files={"file": (filename, io.BytesIO(jpeg_bytes), "image/jpeg")},
        headers=headers,
    )
    return response


# ─────────────────────────────────────────────────────────────
# Client A upload une image → invisible pour Client B
# ─────────────────────────────────────────────────────────────

async def test_client_a_image_invisible_to_client_b(
    async_client: AsyncClient,
    client_a: APIClient,
    client_b: APIClient,
    auth_headers_a: dict,
    auth_headers_b: dict,
):
    """L'image uploadée par A n'apparaît pas dans la liste de B."""
    # A uploade une image
    upload_resp = await _upload_test_image(async_client, auth_headers_a, "photo_a.jpg")
    assert upload_resp.status_code == 201

    # Liste pour A → contient l'image
    response = await async_client.get("/images", headers=auth_headers_a)
    assert response.status_code == 200
    data_a = response.json()
    assert data_a["total"] == 1
    assert data_a["items"][0]["original_name"] == "photo_a.jpg"

    # Liste pour B → vide
    response = await async_client.get("/images", headers=auth_headers_b)
    assert response.status_code == 200
    data_b = response.json()
    assert data_b["total"] == 0
    assert len(data_b["items"]) == 0


# ─────────────────────────────────────────────────────────────
# Client B ne peut pas lire l'image de Client A
# ─────────────────────────────────────────────────────────────

async def test_client_b_cannot_read_client_a_image(
    async_client: AsyncClient,
    client_a: APIClient,
    client_b: APIClient,
    auth_headers_a: dict,
    auth_headers_b: dict,
):
    """Client B reçoit 404 en essayant de lire l'image de A."""
    # A uploade
    upload_resp = await _upload_test_image(async_client, auth_headers_a)
    assert upload_resp.status_code == 201
    image_id = upload_resp.json()["id"]

    # B essaie de lire l'image de A → 404
    response = await async_client.get(f"/images/{image_id}", headers=auth_headers_b)
    assert response.status_code == 404


# ─────────────────────────────────────────────────────────────
# Client B ne peut pas supprimer l'image de Client A
# ─────────────────────────────────────────────────────────────

async def test_client_b_cannot_delete_client_a_image(
    async_client: AsyncClient,
    client_a: APIClient,
    client_b: APIClient,
    auth_headers_a: dict,
    auth_headers_b: dict,
):
    """Client B reçoit 404 en essayant de supprimer l'image de A."""
    # A uploade
    upload_resp = await _upload_test_image(async_client, auth_headers_a)
    assert upload_resp.status_code == 201
    image_id = upload_resp.json()["id"]

    # B essaie de supprimer → 404
    response = await async_client.delete(f"/images/{image_id}", headers=auth_headers_b)
    assert response.status_code == 404

    # L'image existe toujours pour A
    response = await async_client.get(f"/images/{image_id}", headers=auth_headers_a)
    assert response.status_code == 200


# ─────────────────────────────────────────────────────────────
# Chaque client ne voit que ses propres images
# ─────────────────────────────────────────────────────────────

async def test_listing_returns_only_own_images(
    async_client: AsyncClient,
    client_a: APIClient,
    client_b: APIClient,
    auth_headers_a: dict,
    auth_headers_b: dict,
):
    """Chaque client ne voit que ses propres images dans la liste."""
    # A uploade 2 images
    await _upload_test_image(async_client, auth_headers_a, "a1.jpg")
    await _upload_test_image(async_client, auth_headers_a, "a2.jpg")

    # B uploade 1 image
    await _upload_test_image(async_client, auth_headers_b, "b1.jpg")

    # A voit 2 images
    resp_a = await async_client.get("/images", headers=auth_headers_a)
    assert resp_a.json()["total"] == 2

    # B voit 1 image
    resp_b = await async_client.get("/images", headers=auth_headers_b)
    assert resp_b.json()["total"] == 1
    assert resp_b.json()["items"][0]["original_name"] == "b1.jpg"


# ─────────────────────────────────────────────────────────────
# Reprocess d'une image d'un autre client → 404
# ─────────────────────────────────────────────────────────────

async def test_reprocess_other_client_image_returns_404(
    async_client: AsyncClient,
    client_a: APIClient,
    client_b: APIClient,
    auth_headers_a: dict,
    auth_headers_b: dict,
):
    """Reprocess l'image d'un autre client → HTTP 404."""
    # A uploade
    upload_resp = await _upload_test_image(async_client, auth_headers_a)
    assert upload_resp.status_code == 201
    image_id = upload_resp.json()["id"]

    # B essaie de reprocess → 404
    response = await async_client.post(
        f"/images/{image_id}/reprocess",
        headers=auth_headers_b,
    )
    assert response.status_code == 404


# ─────────────────────────────────────────────────────────────
# Statut / EXIF / OCR / AI d'un autre client → 404
# ─────────────────────────────────────────────────────────────

async def test_sub_endpoints_other_client_returns_404(
    async_client: AsyncClient,
    client_a: APIClient,
    client_b: APIClient,
    auth_headers_a: dict,
    auth_headers_b: dict,
):
    """Les sous-endpoints (status, exif, ocr, ai) retournent 404 pour l'autre client."""
    upload_resp = await _upload_test_image(async_client, auth_headers_a)
    assert upload_resp.status_code == 201
    image_id = upload_resp.json()["id"]

    for endpoint in [f"/images/{image_id}/status", f"/images/{image_id}/exif",
                     f"/images/{image_id}/ocr", f"/images/{image_id}/ai"]:
        response = await async_client.get(endpoint, headers=auth_headers_b)
        assert response.status_code == 404, f"Endpoint {endpoint} should return 404 for other client"