package services

import (
	"context"
	"testing"

	"github.com/google/uuid"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"go.uber.org/zap"
	"gorm.io/driver/sqlite"
	"gorm.io/gorm"
)

func setupTestWaveformService(t *testing.T) *WaveformService {
	t.Helper()
	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
	require.NoError(t, err)
	logger := zap.NewNop()
	return NewWaveformService(db, logger, nil)
}

// TestGenerateWaveform_InvalidPath_ReturnsError verifies that paths containing ".." are rejected before exec (VEZA-SEC-007)
func TestGenerateWaveform_InvalidPath_ReturnsError(t *testing.T) {
	svc := setupTestWaveformService(t)
	ctx := context.Background()
	trackID := uuid.New()

	err := svc.generateWaveform(ctx, trackID, "/tmp/../etc/passwd")
	assert.Error(t, err)
	assert.Contains(t, err.Error(), "invalid input path")
}

// TestGenerateFallbackWaveform_InvalidPath_ReturnsError verifies ValidateExecPath in fallback path (VEZA-SEC-007)
func TestGenerateFallbackWaveform_InvalidPath_ReturnsError(t *testing.T) {
	svc := setupTestWaveformService(t)
	ctx := context.Background()
	trackID := uuid.New()

	err := svc.generateFallbackWaveform(ctx, trackID, "/path/with/../traversal")
	assert.Error(t, err)
	assert.Contains(t, err.Error(), "invalid input path")
}