# tests/integration/security/test_authorization.py
"""
Authorization tests for the API.

Tests role-based access control:
- Admin endpoints require admin role
- Vendor endpoints require vendor context (vendor_id in token)
"""

import pytest


@pytest.mark.integration
@pytest.mark.security
@pytest.mark.auth
class TestAuthorization:
    def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
        """Test that admin endpoints require admin role"""
        response = client.get("/api/v1/admin/users", headers=auth_headers)
        # Regular user should be denied access (401 not admin or 403 forbidden)
        assert response.status_code in [401, 403]

    def test_admin_endpoints_with_admin_access(self, client, admin_headers):
        """Test that admin users can access admin endpoints"""
        admin_endpoints = [
            "/api/v1/admin/users",
            "/api/v1/admin/vendors",
            "/api/v1/admin/marketplace-import-jobs",
        ]

        for endpoint in admin_endpoints:
            response = client.get(endpoint, headers=admin_headers)
            assert response.status_code == 200, (
                f"Admin should have access to {endpoint}"
            )

    def test_vendor_endpoint_requires_vendor_context(self, client, admin_headers):
        """Test that vendor endpoints require vendor context in token"""
        # Admin token doesn't have vendor_id claim
        response = client.get("/api/v1/vendor/products", headers=admin_headers)
        # Should fail - admin token lacks vendor_id claim
        assert response.status_code in [401, 403]

    def test_vendor_owner_access_control(self, client, admin_headers, test_vendor):
        """Test admin can access vendor by vendor code"""
        response = client.get(
            f"/api/v1/admin/vendors/{test_vendor.vendor_code}", headers=admin_headers
        )
        # Admin should be able to view vendor
        assert response.status_code == 200