"""Tests for secret rotation mechanism."""

import time

from fusionagi.api.secret_rotation import SecretRotator


def test_generate_and_validate():
    rotator = SecretRotator()
    key = rotator.generate_key()
    assert rotator.validate_key(key) is True


def test_invalid_key():
    rotator = SecretRotator()
    assert rotator.validate_key("invalid") is False


def test_key_expiry():
    rotator = SecretRotator()
    key = rotator.generate_key(ttl_seconds=0.01)
    assert rotator.validate_key(key) is True
    time.sleep(0.02)
    assert rotator.validate_key(key) is False


def test_revoke():
    rotator = SecretRotator()
    key = rotator.generate_key()
    assert rotator.revoke(key) is True
    assert rotator.validate_key(key) is False


def test_rotate():
    rotator = SecretRotator()
    key1 = rotator.generate_key()
    key2 = rotator.rotate()
    assert rotator.validate_key(key1) is True
    assert rotator.validate_key(key2) is True


def test_max_active_keys():
    rotator = SecretRotator(max_active_keys=2)
    key1 = rotator.generate_key()
    rotator.generate_key()
    rotator.generate_key()
    assert rotator.validate_key(key1) is False


def test_list_keys():
    rotator = SecretRotator()
    rotator.generate_key(label="test")
    keys = rotator.list_keys()
    assert len(keys) == 1
    assert keys[0]["label"] == "test"
    assert "key_hash" not in keys[0]


def test_revoke_expired():
    rotator = SecretRotator()
    rotator.generate_key(ttl_seconds=0.01)
    rotator.generate_key(ttl_seconds=100)
    time.sleep(0.02)
    count = rotator.revoke_expired()
    assert count == 1