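"""Security tests for SecureAudit functionality.

The storage checks read the ``audit_logs`` table directly with ``sqlite3`` to
confirm that sensitive fields are not persisted in clear text.
"""
import os
import sqlite3
import tempfile
import unittest
from contextlib import closing
from datetime import datetime, timedelta

from security.audit import SecureAudit
from security.rbac_engine import RBACEngine


class TestAuditSecurity(unittest.TestCase):
    """Security tests for SecureAudit features."""

    def setUp(self):
        """Create an RBAC engine and a SecureAudit backed by a per-test database file."""
        self.rbac = RBACEngine()
        # Every sqlite3.connect(":memory:") call creates a brand-new, empty
        # database, so a second ":memory:" connection can never see the rows
        # SecureAudit wrote. A file in a private temporary directory lets the
        # test inspect what was actually persisted.
        # NOTE(review): assumes SecureAudit's second argument is a SQLite path
        # and that log_operation() commits before returning - confirm.
        self._tmpdir = tempfile.TemporaryDirectory()
        self.addCleanup(self._tmpdir.cleanup)
        self.db_path = os.path.join(self._tmpdir.name, "audit.db")
        self.audit = SecureAudit(self.rbac, self.db_path)

    def _fetch_scalar(self, query):
        """Run *query* against the audit database and return the first column of the first row.

        Fails the test when the query returns no row, so a missing audit
        record is reported as such rather than as a TypeError on ``None``.
        """
        # sqlite3's own context manager only ends the transaction; closing()
        # releases the connection as well.
        with closing(sqlite3.connect(self.db_path)) as conn:
            row = conn.execute(query).fetchone()
        self.assertIsNotNone(row, "audit_logs has no row with sequence = 1")
        return row[0]

    def test_cron_expression_encryption(self):
        """Test encryption of cron expressions in audit logs."""
        cron_expr = "0 * * * *"
        self.audit.log_operation(
            "cron_test",
            "cron_key",
            True,
            cron=cron_expr
        )

        # Verify cron was encrypted
        encrypted = self._fetch_scalar(
            "SELECT encrypted_cron FROM audit_logs WHERE sequence = 1"
        )
        self.assertIsNotNone(encrypted)
        self.assertGreater(len(encrypted), 0)
        # A bytes value never compares equal to a str, so compare like with
        # like; otherwise the check passes even when the plaintext is stored.
        plaintext = cron_expr.encode() if isinstance(encrypted, bytes) else cron_expr
        self.assertNotEqual(encrypted, plaintext)
        # The clear-text expression must not survive anywhere inside the value.
        self.assertNotIn(plaintext, encrypted)

    def test_task_id_obfuscation(self):
        """Test HMAC-SHA256 obfuscation of task IDs."""
        task_id = "task-12345"
        self.audit.log_operation(
            "task_test",
            "task_key",
            True,
            task_id=task_id
        )

        # Verify task ID was obfuscated
        obfuscated = self._fetch_scalar(
            "SELECT obfuscated_task_id FROM audit_logs WHERE sequence = 1"
        )
        self.assertNotEqual(obfuscated, task_id)
        self.assertEqual(len(obfuscated), 64)  # SHA-256 length
        # 64 characters only indicates a SHA-256 hex digest if they are hex.
        self.assertRegex(obfuscated, r"^[0-9a-fA-F]{64}$")

    def test_timestamp_integrity(self):
        """Test timestamp verification and integrity checks."""
        # NOTE(review): datetime.utcnow() is deprecated since Python 3.12; it is
        # kept because the string format _verify_timestamp accepts is not
        # visible here and an aware datetime would add a "+00:00" suffix.

        # Valid timestamp (15 seconds old is expected to be accepted)
        valid_time = (datetime.utcnow() - timedelta(seconds=15)).isoformat()
        self.assertTrue(self.audit._verify_timestamp(valid_time))

        # Invalid timestamp (too old)
        invalid_time = (datetime.utcnow() - timedelta(minutes=5)).isoformat()
        self.assertFalse(self.audit._verify_timestamp(invalid_time))

        # Tampered timestamp: the last character is replaced by "Z"
        tampered_time = datetime.utcnow().isoformat()[:-1] + "Z"
        self.assertFalse(self.audit._verify_timestamp(tampered_time))

    def test_security_requirements_compliance(self):
        """Verify the security requirements document lists the expected controls."""
        # NOTE(review): this only checks the wording of the requirements
        # document; it does not exercise SecureAudit. The relative path
        # resolves against the current working directory.
        with open(
            "symphony-ai-agent/security/security-requirements.md",
            encoding="utf-8",
        ) as f:
            requirements = f.read()

        self.assertIn("AES-256 encryption for sensitive data", requirements)
        self.assertIn("HMAC-SHA256 for integrity verification", requirements)
        self.assertIn("timestamp validation", requirements)

    def test_report_validation(self):
        """Validate against test report requirements."""
        # NOTE(review): as above, this asserts on report text, not on behavior,
        # and depends on the current working directory.
        with open(
            "symphony-ai-agent/testing/Goal-1-Task-4/Goal-1-Task-4-test-report.md",
            encoding="utf-8",
        ) as f:
            report = f.read().lower()

        self.assertIn("cron expression encryption", report)
        self.assertIn("task id obfuscation", report)
        self.assertIn("timestamp verification", report)


if __name__ == '__main__':
    unittest.main()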