package awgserver

import (
	"encoding/base64"
	"testing"
)

func TestGeneratePrivateKey(t *testing.T) {
	key, err := GeneratePrivateKey()
	if err != nil {
		t.Fatalf("GeneratePrivateKey() error: %v", err)
	}
	raw, err := base64.StdEncoding.DecodeString(key)
	if err != nil {
		t.Fatalf("invalid base64: %v", err)
	}
	if len(raw) != 32 {
		t.Fatalf("key length = %d, want 32", len(raw))
	}
	// Check WireGuard clamping.
	if raw[0]&7 != 0 {
		t.Errorf("bits 0-2 of byte 0 should be cleared")
	}
	if raw[31]&128 != 0 {
		t.Errorf("bit 7 of byte 31 should be cleared")
	}
	if raw[31]&64 == 0 {
		t.Errorf("bit 6 of byte 31 should be set")
	}
}

func TestPublicKeyFromPrivate(t *testing.T) {
	priv, err := GeneratePrivateKey()
	if err != nil {
		t.Fatalf("GeneratePrivateKey() error: %v", err)
	}
	pub, err := PublicKeyFromPrivate(priv)
	if err != nil {
		t.Fatalf("PublicKeyFromPrivate() error: %v", err)
	}
	raw, err := base64.StdEncoding.DecodeString(pub)
	if err != nil {
		t.Fatalf("invalid base64: %v", err)
	}
	if len(raw) != 32 {
		t.Fatalf("public key length = %d, want 32", len(raw))
	}
	// Derive again — should be deterministic.
	pub2, err := PublicKeyFromPrivate(priv)
	if err != nil {
		t.Fatalf("PublicKeyFromPrivate() second call error: %v", err)
	}
	if pub != pub2 {
		t.Errorf("public key derivation not deterministic")
	}
}

func TestGeneratePrivateKey_Uniqueness(t *testing.T) {
	k1, _ := GeneratePrivateKey()
	k2, _ := GeneratePrivateKey()
	if k1 == k2 {
		t.Errorf("two generated keys should not be equal")
	}
}