paliad/internal/services/approval_service_test.go

package services

// Approval-service tests. Two layers:
//
//   - Pure-Go: levelOf strict ladder + IsValidRequiredRole. No DB touch.
//   - Live-DB: the full submit→approve and submit→reject flows on real
//     paliad.deadlines / paliad.approval_requests rows. Skipped when
//     TEST_DATABASE_URL is unset, mirroring audit_service_test and
//     deadline_service_test.

import (
	"context"
	"errors"
	"os"
	"testing"
	"time"

	"github.com/google/uuid"
	"github.com/jmoiron/sqlx"
	_ "github.com/lib/pq"

	"mgit.msbls.de/m/paliad/internal/db"
)

// ============================================================================
// Pure-Go tests.
// ============================================================================

func TestLevelOf_StrictLadder(t *testing.T) {
	cases := []struct {
		role string
		want int
	}{
		{"lead", 5},
		{"of_counsel", 4},
		{"associate", 3},
		{"senior_pa", 2},
		{"pa", 1},
		{"local_counsel", 0},
		{"expert", 0},
		{"observer", 0},
		{"", 0},
		{"unknown", 0},
	}
	for _, c := range cases {
		t.Run(c.role, func(t *testing.T) {
			if got := levelOf(c.role); got != c.want {
				t.Errorf("levelOf(%q) = %d, want %d", c.role, got, c.want)
			}
		})
	}
}

func TestLevelOf_HigherSatisfiesLower(t *testing.T) {
	// "Anyone strictly above the required level satisfies it" — verify by
	// asserting the ladder is monotonic and partner > all PA tiers etc.
	if levelOf("lead") <= levelOf("associate") {
		t.Errorf("lead must outrank associate")
	}
	if levelOf("associate") <= levelOf("senior_pa") {
		t.Errorf("associate must outrank senior_pa")
	}
	if levelOf("senior_pa") <= levelOf("pa") {
		t.Errorf("senior_pa must outrank pa")
	}
	if levelOf("of_counsel") <= levelOf("associate") {
		t.Errorf("of_counsel must outrank associate")
	}
	// PA-required policy: anyone associate-or-above must satisfy.
	if levelOf("associate") < levelOf("pa") {
		t.Errorf("associate must satisfy a pa-required policy")
	}
}

func TestIsValidRequiredRole(t *testing.T) {
	cases := []struct {
		role string
		ok   bool
	}{
		{"lead", true},
		{"of_counsel", true},
		{"associate", true},
		{"senior_pa", true},
		{"pa", true},
		{"local_counsel", false},
		{"expert", false},
		{"observer", false},
		{"", false},
	}
	for _, c := range cases {
		t.Run(c.role, func(t *testing.T) {
			if got := IsValidRequiredRole(c.role); got != c.ok {
				t.Errorf("IsValidRequiredRole(%q) = %v, want %v", c.role, got, c.ok)
			}
		})
	}
}

func TestApprovalEventType(t *testing.T) {
	cases := []struct {
		entity, step, want string
	}{
		{"deadline", "requested", "deadline_approval_requested"},
		{"deadline", "approved", "deadline_approval_approved"},
		{"deadline", "rejected", "deadline_approval_rejected"},
		{"deadline", "revoked", "deadline_approval_revoked"},
		{"appointment", "requested", "appointment_approval_requested"},
	}
	for _, c := range cases {
		if got := approvalEventType(c.entity, c.step); got != c.want {
			t.Errorf("approvalEventType(%q,%q) = %q, want %q",
				c.entity, c.step, got, c.want)
		}
	}
}

// ============================================================================
// Live-DB tests.
// ============================================================================

// approvalTestEnv holds a configured ApprovalService + helpers tied to a
// throwaway project / user pool. Caller cleans up via env.cleanup().
type approvalTestEnv struct {
	t          *testing.T
	pool       *sqlx.DB
	approvals  *ApprovalService
	deadlines  *DeadlineService
	users      *UserService
	projects   *ProjectService
	projectID  uuid.UUID
	requester  uuid.UUID
	approver   uuid.UUID
	other      uuid.UUID
	cleanup    func()
}

func setupApprovalTest(t *testing.T) *approvalTestEnv {
	t.Helper()
	url := os.Getenv("TEST_DATABASE_URL")
	if url == "" {
		t.Skip("TEST_DATABASE_URL not set — skipping live DB test")
	}
	if err := db.ApplyMigrations(url); err != nil {
		t.Fatalf("apply migrations: %v", err)
	}
	pool, err := sqlx.Connect("postgres", url)
	if err != nil {
		t.Fatalf("connect: %v", err)
	}
	ctx := context.Background()

	users := NewUserService(pool)
	projects := NewProjectService(pool, users)
	deadlines := NewDeadlineService(pool, projects, nil)
	approvals := NewApprovalService(pool, users)

	// Seed two users + one project. The requester owns the deadline; the
	// approver is the other lead on the team. "other" has no role and is
	// used for the deadlock check (no qualified approver scenario).
	requesterID := uuid.New()
	approverID := uuid.New()
	otherID := uuid.New()

	for _, id := range []uuid.UUID{requesterID, approverID, otherID} {
		if _, err := pool.ExecContext(ctx,
			`INSERT INTO auth.users (id, email) VALUES ($1, $1::text || '@test.local')
			 ON CONFLICT (id) DO NOTHING`, id); err != nil {
			t.Logf("skip auth.users seed: %v (continuing — auth schema may be locked down)", err)
		}
		if _, err := pool.ExecContext(ctx,
			`INSERT INTO paliad.users (id, email, display_name, office, global_role)
			 VALUES ($1, $1::text || '@test.local', 'Test User', 'munich', 'standard')
			 ON CONFLICT (id) DO NOTHING`, id); err != nil {
			t.Fatalf("seed paliad.users: %v", err)
		}
	}

	projectID := uuid.New()
	if _, err := pool.ExecContext(ctx,
		`INSERT INTO paliad.projects (id, type, title, status, created_by)
		 VALUES ($1, 'project', 'Approval Test Project', 'active', $2)`,
		projectID, requesterID); err != nil {
		t.Fatalf("seed project: %v", err)
	}

	// Add requester + approver to the project team. Requester=associate
	// (cannot approve associate-required policy), approver=lead (can).
	for _, m := range []struct {
		uid  uuid.UUID
		role string
	}{
		{requesterID, "associate"},
		{approverID, "lead"},
	} {
		if _, err := pool.ExecContext(ctx,
			`INSERT INTO paliad.project_teams (project_id, user_id, role)
			 VALUES ($1, $2, $3) ON CONFLICT DO NOTHING`,
			projectID, m.uid, m.role); err != nil {
			t.Fatalf("seed project_teams: %v", err)
		}
	}

	cleanup := func() {
		ctx := context.Background()
		pool.ExecContext(ctx, `DELETE FROM paliad.approval_requests WHERE project_id = $1`, projectID)
		pool.ExecContext(ctx, `DELETE FROM paliad.approval_policies WHERE project_id = $1`, projectID)
		pool.ExecContext(ctx, `DELETE FROM paliad.deadlines        WHERE project_id = $1`, projectID)
		pool.ExecContext(ctx, `DELETE FROM paliad.appointments     WHERE project_id = $1`, projectID)
		pool.ExecContext(ctx, `DELETE FROM paliad.project_events   WHERE project_id = $1`, projectID)
		pool.ExecContext(ctx, `DELETE FROM paliad.project_teams    WHERE project_id = $1`, projectID)
		pool.ExecContext(ctx, `DELETE FROM paliad.projects         WHERE id = $1`, projectID)
		for _, id := range []uuid.UUID{requesterID, approverID, otherID} {
			pool.ExecContext(ctx, `DELETE FROM paliad.users WHERE id = $1`, id)
			pool.ExecContext(ctx, `DELETE FROM auth.users   WHERE id = $1`, id)
		}
		pool.Close()
	}

	return &approvalTestEnv{
		t:         t,
		pool:      pool,
		approvals: approvals,
		deadlines: deadlines,
		users:     users,
		projects:  projects,
		projectID: projectID,
		requester: requesterID,
		approver:  approverID,
		other:     otherID,
		cleanup:   cleanup,
	}
}

// seedPolicy sets a policy on the env's project for one (entity, lifecycle).
func (e *approvalTestEnv) seedPolicy(entityType, lifecycle, requiredRole string) {
	e.t.Helper()
	if _, err := e.approvals.UpsertPolicy(context.Background(),
		e.projectID, e.requester, entityType, lifecycle, requiredRole); err != nil {
		e.t.Fatalf("seed policy: %v", err)
	}
}

// seedDeadline inserts a basic deadline row directly (bypassing the
// service so we can test ApprovalService.Submit* in isolation). Returns
// the deadline's ID.
func (e *approvalTestEnv) seedDeadline(due time.Time) uuid.UUID {
	e.t.Helper()
	id := uuid.New()
	if _, err := e.pool.ExecContext(context.Background(),
		`INSERT INTO paliad.deadlines (id, project_id, title, due_date, source, status, created_by, approval_status)
		 VALUES ($1, $2, 'Test Deadline', $3, 'manual', 'pending', $4, 'approved')`,
		id, e.projectID, due, e.requester); err != nil {
		e.t.Fatalf("seed deadline: %v", err)
	}
	return id
}

// TestApprovalService_NoPolicyIsNoop: with no policy, Submit* returns
// (nil, nil) and the entity stays approval_status='approved'.
func TestApprovalService_NoPolicyIsNoop(t *testing.T) {
	env := setupApprovalTest(t)
	defer env.cleanup()
	ctx := context.Background()

	deadlineID := env.seedDeadline(time.Now().AddDate(0, 0, 14))

	tx, err := env.pool.BeginTxx(ctx, nil)
	if err != nil {
		t.Fatalf("begin: %v", err)
	}
	defer tx.Rollback()

	reqID, err := env.approvals.SubmitCreate(ctx, tx, env.projectID, deadlineID, env.requester, EntityTypeDeadline, nil)
	if err != nil {
		t.Fatalf("SubmitCreate: %v", err)
	}
	if reqID != nil {
		t.Errorf("expected nil request id with no policy, got %v", reqID)
	}
	if err := tx.Commit(); err != nil {
		t.Fatalf("commit: %v", err)
	}

	var status string
	if err := env.pool.GetContext(ctx, &status,
		`SELECT approval_status FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
		t.Fatalf("read status: %v", err)
	}
	if status != "approved" {
		t.Errorf("expected approval_status=approved, got %q", status)
	}
}

// TestApprovalService_SubmitMarksPendingAndApproveClears: end-to-end happy
// path. With a policy in place: submit → request row + entity pending →
// approve → entity back to approved with approved_by set.
func TestApprovalService_SubmitApproveCycle(t *testing.T) {
	env := setupApprovalTest(t)
	defer env.cleanup()
	ctx := context.Background()

	env.seedPolicy(EntityTypeDeadline, LifecycleCreate, "associate")
	deadlineID := env.seedDeadline(time.Now().AddDate(0, 0, 14))

	// Submit (inside a tx, as DeadlineService would).
	tx, err := env.pool.BeginTxx(ctx, nil)
	if err != nil {
		t.Fatalf("begin: %v", err)
	}
	reqID, err := env.approvals.SubmitCreate(ctx, tx, env.projectID, deadlineID, env.requester, EntityTypeDeadline,
		map[string]any{"due_date": "2026-05-20"})
	if err != nil {
		tx.Rollback()
		t.Fatalf("SubmitCreate: %v", err)
	}
	if reqID == nil {
		tx.Rollback()
		t.Fatalf("expected request id, got nil")
	}
	if err := tx.Commit(); err != nil {
		t.Fatalf("commit: %v", err)
	}

	// Entity is now pending.
	var status string
	if err := env.pool.GetContext(ctx, &status,
		`SELECT approval_status FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
		t.Fatalf("read status: %v", err)
	}
	if status != "pending" {
		t.Errorf("after submit: approval_status=%q, want pending", status)
	}

	// Self-approval blocks.
	if err := env.approvals.Approve(ctx, *reqID, env.requester, ""); !errors.Is(err, ErrSelfApproval) {
		t.Errorf("self-approve: got %v, want ErrSelfApproval", err)
	}

	// Approver (lead) signs off.
	if err := env.approvals.Approve(ctx, *reqID, env.approver, "looks good"); err != nil {
		t.Fatalf("Approve: %v", err)
	}

	// Entity flipped back to approved with approved_by populated.
	row := struct {
		Status     string     `db:"approval_status"`
		ApprovedBy *uuid.UUID `db:"approved_by"`
	}{}
	if err := env.pool.GetContext(ctx, &row,
		`SELECT approval_status, approved_by FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
		t.Fatalf("read post-approve: %v", err)
	}
	if row.Status != "approved" {
		t.Errorf("after approve: approval_status=%q, want approved", row.Status)
	}
	if row.ApprovedBy == nil || *row.ApprovedBy != env.approver {
		t.Errorf("after approve: approved_by=%v, want %v", row.ApprovedBy, env.approver)
	}

	// Request row marked approved.
	var reqStatus string
	if err := env.pool.GetContext(ctx, &reqStatus,
		`SELECT status FROM paliad.approval_requests WHERE id = $1`, *reqID); err != nil {
		t.Fatalf("read request status: %v", err)
	}
	if reqStatus != "approved" {
		t.Errorf("request status=%q, want approved", reqStatus)
	}

	// Approving again fails (not pending anymore).
	if err := env.approvals.Approve(ctx, *reqID, env.approver, ""); !errors.Is(err, ErrRequestNotPending) {
		t.Errorf("re-approve: got %v, want ErrRequestNotPending", err)
	}
}

// TestApprovalService_RejectRevertsCreateAsDelete: rejecting a CREATE
// request hard-deletes the entity (it never should have existed).
func TestApprovalService_RejectCreateDeletes(t *testing.T) {
	env := setupApprovalTest(t)
	defer env.cleanup()
	ctx := context.Background()

	env.seedPolicy(EntityTypeDeadline, LifecycleCreate, "associate")
	deadlineID := env.seedDeadline(time.Now().AddDate(0, 0, 7))

	tx, err := env.pool.BeginTxx(ctx, nil)
	if err != nil {
		t.Fatalf("begin: %v", err)
	}
	reqID, err := env.approvals.SubmitCreate(ctx, tx, env.projectID, deadlineID, env.requester, EntityTypeDeadline, nil)
	if err != nil {
		tx.Rollback()
		t.Fatalf("SubmitCreate: %v", err)
	}
	if err := tx.Commit(); err != nil {
		t.Fatalf("commit: %v", err)
	}

	if err := env.approvals.Reject(ctx, *reqID, env.approver, "wrong date"); err != nil {
		t.Fatalf("Reject: %v", err)
	}

	// Entity row is gone.
	var n int
	if err := env.pool.GetContext(ctx, &n,
		`SELECT COUNT(*) FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
		t.Fatalf("count deadline: %v", err)
	}
	if n != 0 {
		t.Errorf("after reject-create: deadline still exists (count=%d)", n)
	}
}

// TestApprovalService_RejectUpdateRestoresPreImage: rejecting an UPDATE
// reverts the date fields back to the snapshotted pre_image values.
func TestApprovalService_RejectUpdateRestoresPreImage(t *testing.T) {
	env := setupApprovalTest(t)
	defer env.cleanup()
	ctx := context.Background()

	env.seedPolicy(EntityTypeDeadline, LifecycleUpdate, "associate")

	originalDue := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)
	deadlineID := env.seedDeadline(originalDue)

	// Simulate an update: set due to 2026-06-15, then submit.
	newDue := time.Date(2026, 6, 15, 0, 0, 0, 0, time.UTC)
	tx, err := env.pool.BeginTxx(ctx, nil)
	if err != nil {
		t.Fatalf("begin: %v", err)
	}
	if _, err := tx.ExecContext(ctx,
		`UPDATE paliad.deadlines SET due_date = $1 WHERE id = $2`,
		newDue, deadlineID); err != nil {
		tx.Rollback()
		t.Fatalf("UPDATE pre-submit: %v", err)
	}
	preImage := map[string]any{"due_date": "2026-06-01"}
	payload := map[string]any{"due_date": "2026-06-15"}
	reqID, err := env.approvals.SubmitUpdate(ctx, tx, env.projectID, deadlineID, env.requester, EntityTypeDeadline, preImage, payload)
	if err != nil {
		tx.Rollback()
		t.Fatalf("SubmitUpdate: %v", err)
	}
	if err := tx.Commit(); err != nil {
		t.Fatalf("commit: %v", err)
	}

	// Reject — due_date should snap back to 2026-06-01.
	if err := env.approvals.Reject(ctx, *reqID, env.approver, ""); err != nil {
		t.Fatalf("Reject: %v", err)
	}

	var got time.Time
	if err := env.pool.GetContext(ctx, &got,
		`SELECT due_date FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
		t.Fatalf("read due_date: %v", err)
	}
	if !got.Equal(originalDue) {
		t.Errorf("after reject-update: due_date=%v, want %v", got, originalDue)
	}
}

// TestApprovalService_NoQualifiedApprover: when only the requester would
// qualify, Submit returns ErrNoQualifiedApprover.
func TestApprovalService_NoQualifiedApprover(t *testing.T) {
	env := setupApprovalTest(t)
	defer env.cleanup()
	ctx := context.Background()

	// Demote the approver to observer (level 0 = ineligible). Now requester
	// (associate) is the only on-team user with any role, and observer
	// can't approve.
	if _, err := env.pool.ExecContext(ctx,
		`UPDATE paliad.project_teams SET role='observer' WHERE project_id=$1 AND user_id=$2`,
		env.projectID, env.approver); err != nil {
		t.Fatalf("demote approver: %v", err)
	}

	// Make sure no global_admin exists in our test pool — promote-and-revert
	// any existing global_admin so the deadlock kicks in. We can't safely do
	// that without affecting other tests, so use a project where the
	// requester is the only person + setup excludes other users.
	// Easier approach: temporarily set requester to global_admin, then test
	// against a different "pretend requester" — but we want the case where
	// our seeded requester is the only candidate.
	//
	// Approach: use UpsertPolicy to set 'lead' as required role. Then no
	// project team member (associate, observer) qualifies. The deadlock
	// check still passes if any global_admin exists firmwide (Q8 escape
	// hatch), so we accept this test may be a no-op on pools with admins.
	env.seedPolicy(EntityTypeDeadline, LifecycleCreate, "lead")
	deadlineID := env.seedDeadline(time.Now().AddDate(0, 0, 14))

	// Count global admins; if any exist (e.g. m or tester) the deadlock
	// path can't fire — skip with a note.
	var nAdmins int
	if err := env.pool.GetContext(ctx, &nAdmins,
		`SELECT COUNT(*) FROM paliad.users WHERE global_role='global_admin' AND id <> $1`,
		env.requester); err != nil {
		t.Fatalf("count admins: %v", err)
	}
	if nAdmins > 0 {
		t.Skip("global_admin exists in test pool — deadlock fallback hides ErrNoQualifiedApprover; covered indirectly via canApprove unit checks")
	}

	tx, err := env.pool.BeginTxx(ctx, nil)
	if err != nil {
		t.Fatalf("begin: %v", err)
	}
	defer tx.Rollback()
	_, err = env.approvals.SubmitCreate(ctx, tx, env.projectID, deadlineID, env.requester, EntityTypeDeadline, nil)
	if !errors.Is(err, ErrNoQualifiedApprover) {
		t.Errorf("got %v, want ErrNoQualifiedApprover", err)
	}
}

// TestApprovalService_RevokeRevertsAndMarksRevoked: requester revokes
// their own pending → entity reverts, request status='revoked'.
func TestApprovalService_RevokeRevertsAndMarksRevoked(t *testing.T) {
	env := setupApprovalTest(t)
	defer env.cleanup()
	ctx := context.Background()

	env.seedPolicy(EntityTypeDeadline, LifecycleCreate, "associate")
	deadlineID := env.seedDeadline(time.Now().AddDate(0, 0, 14))

	tx, err := env.pool.BeginTxx(ctx, nil)
	if err != nil {
		t.Fatalf("begin: %v", err)
	}
	reqID, err := env.approvals.SubmitCreate(ctx, tx, env.projectID, deadlineID, env.requester, EntityTypeDeadline, nil)
	if err != nil {
		tx.Rollback()
		t.Fatalf("SubmitCreate: %v", err)
	}
	if err := tx.Commit(); err != nil {
		t.Fatalf("commit: %v", err)
	}

	// Non-requester can't revoke.
	if err := env.approvals.Revoke(ctx, *reqID, env.approver); !errors.Is(err, ErrNotApprover) {
		t.Errorf("non-requester revoke: got %v, want ErrNotApprover", err)
	}

	// Requester revokes — succeeds. Create lifecycle = entity gets deleted.
	if err := env.approvals.Revoke(ctx, *reqID, env.requester); err != nil {
		t.Fatalf("Revoke: %v", err)
	}

	var n int
	if err := env.pool.GetContext(ctx, &n,
		`SELECT COUNT(*) FROM paliad.deadlines WHERE id = $1`, deadlineID); err != nil {
		t.Fatalf("count: %v", err)
	}
	if n != 0 {
		t.Errorf("after revoke-create: entity should be gone (count=%d)", n)
	}

	var reqStatus string
	if err := env.pool.GetContext(ctx, &reqStatus,
		`SELECT status FROM paliad.approval_requests WHERE id = $1`, *reqID); err != nil {
		t.Fatalf("read request: %v", err)
	}
	if reqStatus != "revoked" {
		t.Errorf("request status=%q, want revoked", reqStatus)
	}
}

// TestApprovalService_PolicyCRUDRoundtrip: upsert → list → delete.
func TestApprovalService_PolicyCRUD(t *testing.T) {
	env := setupApprovalTest(t)
	defer env.cleanup()
	ctx := context.Background()

	// Upsert two rows.
	if _, err := env.approvals.UpsertPolicy(ctx, env.projectID, env.requester, EntityTypeDeadline, LifecycleCreate, "associate"); err != nil {
		t.Fatalf("upsert 1: %v", err)
	}
	if _, err := env.approvals.UpsertPolicy(ctx, env.projectID, env.requester, EntityTypeAppointment, LifecycleUpdate, "lead"); err != nil {
		t.Fatalf("upsert 2: %v", err)
	}

	// List.
	got, err := env.approvals.ListPolicies(ctx, env.projectID)
	if err != nil {
		t.Fatalf("list: %v", err)
	}
	if len(got) != 2 {
		t.Errorf("list returned %d rows, want 2", len(got))
	}

	// Re-upsert the first to a different role.
	if _, err := env.approvals.UpsertPolicy(ctx, env.projectID, env.requester, EntityTypeDeadline, LifecycleCreate, "lead"); err != nil {
		t.Fatalf("re-upsert: %v", err)
	}
	got, _ = env.approvals.ListPolicies(ctx, env.projectID)
	for _, p := range got {
		if p.EntityType == EntityTypeDeadline && p.LifecycleEvent == LifecycleCreate && p.RequiredRole != "lead" {
			t.Errorf("after re-upsert: required_role=%q, want lead", p.RequiredRole)
		}
	}

	// Invalid role rejected.
	if _, err := env.approvals.UpsertPolicy(ctx, env.projectID, env.requester, EntityTypeDeadline, LifecycleCreate, "observer"); !errors.Is(err, ErrInvalidInput) {
		t.Errorf("invalid required_role: got %v, want ErrInvalidInput", err)
	}

	// Delete.
	if err := env.approvals.DeletePolicy(ctx, env.projectID, EntityTypeDeadline, LifecycleCreate); err != nil {
		t.Fatalf("delete: %v", err)
	}
	got, _ = env.approvals.ListPolicies(ctx, env.projectID)
	if len(got) != 1 {
		t.Errorf("after delete: %d rows, want 1", len(got))
	}
}