package proxy

import (
	"crypto/tls"
	"testing"
)

// TestTLSRuntime_buildTLSConfig_Good checks the well-formed case: a
// colon-separated cipher list mixing an OpenSSL-style name with an IANA-style
// name, and a comma-separated protocol list using the "TLSv1.x" spelling.
func TestTLSRuntime_buildTLSConfig_Good(t *testing.T) {
	cfg := buildTLSConfig(TLSConfig{
		Ciphers:   "ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256",
		Protocols: "TLSv1.2,TLSv1.3",
	})

	if got := cfg.MinVersion; got != tls.VersionTLS12 {
		t.Fatalf("expected min version TLS1.2, got %d", got)
	}
	if got := cfg.MaxVersion; got != tls.VersionTLS13 {
		t.Fatalf("expected max version TLS1.3, got %d", got)
	}

	// Order matters: the suites must come back in the order they were listed.
	// NOTE(review): crypto/tls documents Config.CipherSuites as covering
	// TLS 1.0–1.2 only; TLS 1.3 suites are not configurable. The second entry
	// therefore pins what the parser emits, not what a TLS 1.3 handshake will
	// negotiate.
	want := []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_AES_128_GCM_SHA256,
	}
	if len(cfg.CipherSuites) != len(want) {
		t.Fatalf("unexpected cipher suites: %#v", cfg.CipherSuites)
	}
	for i, id := range want {
		if cfg.CipherSuites[i] != id {
			t.Fatalf("unexpected cipher suites: %#v", cfg.CipherSuites)
		}
	}
}

// TestTLSRuntime_buildTLSConfig_Bad checks that unrecognised protocol and
// cipher strings leave the version bounds and the suite list at their zero
// values.
//
// NOTE(review): buildTLSConfig returns only a config here, so a typo in a
// hardening setting is not reported by this call; zero values mean the
// crypto/tls defaults for the running Go version apply. Confirm that the
// caller logs or rejects unrecognised values if operators rely on this
// configuration to restrict protocols.
func TestTLSRuntime_buildTLSConfig_Bad(t *testing.T) {
	cfg := buildTLSConfig(TLSConfig{Protocols: "bogus", Ciphers: "bogus"})

	if !(cfg.MinVersion == 0 && cfg.MaxVersion == 0) {
		t.Fatalf("expected default versions for invalid input, got min=%d max=%d", cfg.MinVersion, cfg.MaxVersion)
	}
	if n := len(cfg.CipherSuites); n != 0 {
		t.Fatalf("expected no cipher suites for invalid input, got %#v", cfg.CipherSuites)
	}
}

// TestTLSRuntime_buildTLSConfig_Ugly checks tolerant parsing: bare version
// numbers separated by colons, a comma-separated cipher list, and an unknown
// cipher name that is dropped while the recognised one is kept.
//
// NOTE(review): this pins acceptance of TLS 1.1 (deprecated by RFC 8996) as a
// minimum version and of a static-RSA key-exchange suite, which provides no
// forward secrecy. The test documents what the parser accepts; whether a
// deployment should allow these values is a policy decision made elsewhere.
func TestTLSRuntime_buildTLSConfig_Ugly(t *testing.T) {
	cfg := buildTLSConfig(TLSConfig{Protocols: "1.1:1.2:1.3", Ciphers: "AES128-GCM-SHA256,unknown"})

	if got := cfg.MinVersion; got != tls.VersionTLS11 {
		t.Fatalf("expected min version TLS1.1, got %d", got)
	}
	if got := cfg.MaxVersion; got != tls.VersionTLS13 {
		t.Fatalf("expected max version TLS1.3, got %d", got)
	}

	// Exactly one suite survives: "unknown" must not produce an entry.
	if len(cfg.CipherSuites) != 1 {
		t.Fatalf("unexpected cipher suites: %#v", cfg.CipherSuites)
	}
	if cfg.CipherSuites[0] != tls.TLS_RSA_WITH_AES_128_GCM_SHA256 {
		t.Fatalf("unexpected cipher suites: %#v", cfg.CipherSuites)
	}
}