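"""Consolidated auth & security end-to-end checks against the dev API.

Each check sends one HTTP request and prints PASS/FAIL based on the status
code. The process exits non-zero when any check fails, so a CI job running
this script does not report success on a broken access-control boundary.
"""
import json
import os
import sys
import time

import requests

# --- Configuration ---
# NOTE(review): the API key and passcode below are committed in source. Treat
# them as exposed: rotate them and supply the real values through the
# environment. The literals remain only as dev defaults so existing runs
# keep working.
API_ROOT = os.environ.get("E2E_API_ROOT", "https://dev-api.oneskyit.com")
API_KEY = os.environ.get("E2E_API_KEY", "PMM4n50teUCaOMMTN8qOJA")
SITE_ID = os.environ.get("E2E_SITE_ID", "ltOdfNtjZLo")
PASSCODE = os.environ.get("E2E_PASSCODE", "10241024")
FQDN = os.environ.get("E2E_FQDN", "dev-app.oneskyit.com")

# Seconds to wait for each request; without a timeout a stalled endpoint
# would hang the whole suite.
REQUEST_TIMEOUT = 15

# Labels of the checks that failed, used to pick the exit code.
_FAILED_CHECKS = []


def print_result(label, success, message=""):
    """Print one PASS/FAIL line and remember the label of a failed check."""
    status = "✅ PASS" if success else "❌ FAIL"
    print(f"[{status}] {label} {message}")
    if not success:
        _FAILED_CHECKS.append(label)


def _post(url, **kwargs):
    """POST with the suite timeout; return the response, or None on a transport error."""
    kwargs.setdefault("timeout", REQUEST_TIMEOUT)
    try:
        return requests.post(url, **kwargs)
    except requests.RequestException as exc:
        # A connection failure is reported as a failed check by the caller
        # instead of aborting the remaining checks.
        print(f"    request to {url} failed: {exc}")
        return None


def test_site_bootstrap():
    """Tests unauthenticated FQDN lookup (Bootstrap Exception)."""
    print("\n--- Testing Site Bootstrap (Unauth) ---")
    url = f"{API_ROOT}/v3/crud/site_domain/search"
    query = {"and": [{"field": "fqdn", "op": "eq", "value": FQDN}]}

    # Deliberately no auth headers: this route is expected to answer anonymously.
    resp = _post(url, json=query)
    print_result(
        "Bootstrap lookup (site_domain)",
        resp is not None and resp.status_code == 200,
    )


def test_passcode_to_jwt():
    """Tests site-specific passcode authentication.

    Returns the JWT from the response's ``data.jwt`` field, or None when the
    request failed or the body did not carry a token.
    """
    print("\n--- Testing Passcode -> JWT Flow ---")
    url = f"{API_ROOT}/api/authenticate_passcode"
    payload = {"site_id": SITE_ID, "passcode": PASSCODE}

    resp = _post(url, json=payload)
    success = resp is not None and resp.status_code == 200

    token = None
    if success:
        try:
            body = resp.json()
        except ValueError:
            # A 200 with a non-JSON body is a failed login, not a crash.
            body = None
        data = body.get("data") if isinstance(body, dict) else None
        token = data.get("jwt") if isinstance(data, dict) else None

    # An empty token is as useless as a missing one, so require a non-empty value.
    print_result("Passcode Auth", success and bool(token))
    return token


def test_security_boundaries(token):
    """Tests that a site-token cannot access private journals."""
    print("\n--- Testing Security Boundaries ---")
    url = f"{API_ROOT}/v3/crud/journal/search"
    headers = {"X-Aether-API-Key": API_KEY}
    # NOTE(review): the JWT travels as a query parameter here. URLs tend to be
    # recorded in access logs and by proxies; confirm whether the API also
    # accepts the token in a header.
    params = {"jwt": token}

    # site-scoped JWT should NOT be able to search global journals
    resp = _post(url, headers=headers, params=params, json={"q": "%"})
    print_result(
        "Access Blocked (site-jwt -> journal)",
        resp is not None and resp.status_code == 403,
    )


def test_machine_auth_exception():
    """Tests that restricted routes fail without API Key."""
    print("\n--- Testing Machine Auth Exceptions ---")
    url = f"{API_ROOT}/v3/crud/journal/search"

    # No headers, no key
    resp = _post(url, json={"q": "%"})
    print_result(
        "Unauth block (journal)",
        resp is not None and resp.status_code == 403,
    )


if __name__ == "__main__":
    print("Starting Consolidated Auth & Security E2E Suite")

    test_site_bootstrap()
    token = test_passcode_to_jwt()
    if token:
        test_security_boundaries(token)
    else:
        # Without a JWT the boundary check cannot run; count it as a failure
        # so an unverified boundary is never reported as a clean run.
        print_result("Access Blocked (site-jwt -> journal)", False, "(skipped: no JWT)")
    test_machine_auth_exception()

    print("\nSuite completed.")
    if _FAILED_CHECKS:
        sys.exit(1)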