package report_test

import (
	"fmt"
	"testing"

	"github.com/stretchr/testify/assert"

	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
	"github.com/aquasecurity/trivy/pkg/compliance/report"
	"github.com/aquasecurity/trivy/pkg/compliance/spec"
	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
	"github.com/aquasecurity/trivy/pkg/types"
)

func TestBuildComplianceReport(t *testing.T) {
	type args struct {
		scanResults []types.Results
		cs          spec.ComplianceSpec
	}
	tests := []struct {
		name    string
		args    args
		want    *report.ComplianceReport
		wantErr assert.ErrorAssertionFunc
	}{
		{
			name: "happy",
			args: args{
				scanResults: []types.Results{
					{
						{
							Target: "Deployment/metrics-server",
							Class:  types.ClassConfig,
							Type:   ftypes.Kubernetes,
							MisconfSummary: &types.MisconfSummary{
								Successes:  1,
								Failures:   0,
								Exceptions: 0,
							},
							Misconfigurations: []types.DetectedMisconfiguration{
								{
									Type:        "Kubernetes Security Check",
									ID:          "KSV001",
									AVDID:       "AVD-KSV-0001",
									Title:       "Process can elevate its own privileges",
									Description: "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
									Message:     "Container 'metrics-server' of Deployment 'metrics-server' should set 'securityContext.allowPrivilegeEscalation' to false",
									Namespace:   "builtin.kubernetes.KSV001",
									Query:       "data.builtin.kubernetes.KSV001.deny",
									Resolution:  "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
									Severity:    dbTypes.SeverityMedium.String(),
									PrimaryURL:  "https://avd.aquasec.com/misconfig/ksv001",
									References: []string{
										"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
										"https://avd.aquasec.com/misconfig/ksv001",
									},
									Status: types.MisconfStatusPassed,
								},
								{
									Type:   "Kubernetes Security Check",
									ID:     "KSV002",
									AVDID:  "AVD-KSV-9999",
									Status: types.MisconfStatusFailure,
								},
							},
						},
					},
					{
						{
							Target: "rancher/metrics-server:v0.3.6 (debian 9.9)",
							Class:  types.ClassOSPkg,
							Type:   "debian",
							Vulnerabilities: []types.DetectedVulnerability{
								{
									VulnerabilityID:  "DLA-2424-1",
									VendorIDs:        []string{"DLA-2424-1"},
									PkgName:          "tzdata",
									InstalledVersion: "2019a-0+deb9u1",
									FixedVersion:     "2020d-0+deb9u1",
									Layer: ftypes.Layer{
										DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
									},
									DataSource: &dbTypes.DataSource{
										ID:   vulnerability.Debian,
										Name: "Debian Security Tracker",
										URL:  "https://salsa.debian.org/security-tracker-team/security-tracker",
									},
									Vulnerability: dbTypes.Vulnerability{
										Title:    "tzdata - new upstream version",
										Severity: dbTypes.SeverityUnknown.String(),
									},
								},
							},
						},
					},
				},
				cs: spec.ComplianceSpec{
					Spec: iacTypes.Spec{
						ID:          "1234",
						Title:       "NSA",
						Description: "National Security Agency - Kubernetes Hardening Guidance",
						Version:     "1.0",
						RelatedResources: []string{
							"https://example.com",
						},
						Controls: []iacTypes.Control{
							{
								ID:          "1.0",
								Name:        "Non-root containers",
								Description: "Check that container is not running as root",
								Severity:    "MEDIUM",
								Checks: []iacTypes.SpecCheck{
									{ID: "AVD-KSV-0001"},
								},
							},
							{
								ID:          "1.1",
								Name:        "Immutable container file systems",
								Description: "Check that container root file system is immutable",
								Severity:    "LOW",
								Checks: []iacTypes.SpecCheck{
									{ID: "AVD-KSV-0002"},
								},
							},
							{
								ID:          "1.2",
								Name:        "tzdata - new upstream version",
								Description: "Bad tzdata package",
								Severity:    "CRITICAL",
								Checks: []iacTypes.SpecCheck{
									{ID: "DLA-2424-1"},
								},
							},
						},
					},
				},
			},
			want: &report.ComplianceReport{
				ID:          "1234",
				Title:       "NSA",
				Description: "National Security Agency - Kubernetes Hardening Guidance",
				Version:     "1.0",
				RelatedResources: []string{
					"https://example.com",
				},
				Results: []*report.ControlCheckResult{
					{
						ID:          "1.0",
						Name:        "Non-root containers",
						Description: "Check that container is not running as root",
						Severity:    "MEDIUM",
						Results: types.Results{
							{
								Target: "Deployment/metrics-server",
								Class:  types.ClassConfig,
								Type:   ftypes.Kubernetes,
								MisconfSummary: &types.MisconfSummary{
									Successes:  1,
									Failures:   0,
									Exceptions: 0,
								},
								Misconfigurations: []types.DetectedMisconfiguration{
									{
										Type:        "Kubernetes Security Check",
										ID:          "KSV001",
										AVDID:       "AVD-KSV-0001",
										Title:       "Process can elevate its own privileges",
										Description: "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
										Message:     "Container 'metrics-server' of Deployment 'metrics-server' should set 'securityContext.allowPrivilegeEscalation' to false",
										Namespace:   "builtin.kubernetes.KSV001",
										Query:       "data.builtin.kubernetes.KSV001.deny",
										Resolution:  "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.",
										Severity:    dbTypes.SeverityMedium.String(),
										PrimaryURL:  "https://avd.aquasec.com/misconfig/ksv001",
										References: []string{
											"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
											"https://avd.aquasec.com/misconfig/ksv001",
										},
										Status: types.MisconfStatusPassed,
									},
								},
							},
						},
					},
					{
						ID:          "1.1",
						Name:        "Immutable container file systems",
						Description: "Check that container root file system is immutable",
						Severity:    "LOW",
						Results:     nil,
					},
					{
						ID:          "1.2",
						Name:        "tzdata - new upstream version",
						Description: "Bad tzdata package",
						Severity:    "CRITICAL",
						Results: types.Results{
							{
								Target: "rancher/metrics-server:v0.3.6 (debian 9.9)",
								Class:  types.ClassOSPkg,
								Type:   "debian",
								Vulnerabilities: []types.DetectedVulnerability{
									{
										VulnerabilityID:  "DLA-2424-1",
										VendorIDs:        []string{"DLA-2424-1"},
										PkgName:          "tzdata",
										InstalledVersion: "2019a-0+deb9u1",
										FixedVersion:     "2020d-0+deb9u1",
										Layer: ftypes.Layer{
											DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
										},
										DataSource: &dbTypes.DataSource{
											ID:   vulnerability.Debian,
											Name: "Debian Security Tracker",
											URL:  "https://salsa.debian.org/security-tracker-team/security-tracker",
										},
										Vulnerability: dbTypes.Vulnerability{
											Title:    "tzdata - new upstream version",
											Severity: dbTypes.SeverityUnknown.String(),
										},
									},
								},
							},
						},
					},
				},
			},
			wantErr: assert.NoError,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := report.BuildComplianceReport(tt.args.scanResults, tt.args.cs)
			if !tt.wantErr(t, err, fmt.Sprintf("BuildComplianceReport(%v, %v)", tt.args.scanResults, tt.args.cs)) {
				return
			}
			assert.Equalf(t, tt.want, got, "BuildComplianceReport(%v, %v)", tt.args.scanResults, tt.args.cs)
		})
	}
}