"""SSRF guard regression tests."""

from __future__ import annotations

import pytest

from notify_bridge_core.notifications.ssrf import (
    UnsafeURLError,
    avalidate_outbound_url,
    validate_outbound_url,
)


class TestScheme:
    def test_rejects_file_scheme(self) -> None:
        with pytest.raises(UnsafeURLError):
            validate_outbound_url("file:///etc/passwd")

    def test_rejects_gopher(self) -> None:
        with pytest.raises(UnsafeURLError):
            validate_outbound_url("gopher://example.com/")

    def test_accepts_https(self) -> None:
        # A well-known public host — validated via real DNS so this test is
        # skipped when offline.
        try:
            validate_outbound_url("https://example.com/")
        except UnsafeURLError as err:
            if "DNS" in str(err):
                pytest.skip("No DNS in test environment")
            raise


class TestBlockedRanges:
    @pytest.mark.parametrize(
        "url",
        [
            "http://127.0.0.1/",
            "http://10.0.0.1/",
            "http://192.168.1.1/",
            "http://169.254.169.254/latest/meta-data/",
            "http://[::1]/",
        ],
    )
    def test_rejects_literal_private(self, url: str) -> None:
        with pytest.raises(UnsafeURLError):
            validate_outbound_url(url)


class TestAsyncValidator:
    @pytest.mark.asyncio
    async def test_async_rejects_loopback(self) -> None:
        with pytest.raises(UnsafeURLError):
            await avalidate_outbound_url("http://127.0.0.1/")

    @pytest.mark.asyncio
    async def test_async_rejects_bad_scheme(self) -> None:
        with pytest.raises(UnsafeURLError):
            await avalidate_outbound_url("file:///etc/passwd")