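"""F11 matrix coverage tests.

These tests pin the static RBAC matrix in ``mimic.rbac.matrix``: which
``GroupName`` holds which ``Permission``. Assertions are kept explicit
(one named test per privilege boundary) so that a change to the matrix
surfaces as a specific failing test rather than a silent privilege change.
"""

from __future__ import annotations

from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission

# Groups that must NOT hold lead-only permissions. Kept explicit (rather than
# "every group except RT_LEAD") to match the matrix rows these tests cover;
# extend this tuple if further non-lead groups are added to the matrix.
_NON_LEAD_GROUPS: tuple[GroupName, ...] = (GroupName.RT_OPERATOR, GroupName.SOC_ANALYST)


def _assert_lead_only(permission: Permission) -> None:
    """Assert *permission* is granted to RT_LEAD and denied to every non-lead group.

    Both directions are checked: a "lead only" permission that RT_LEAD does not
    actually hold would otherwise pass a deny-only test while being unusable.
    """
    assert permission in GROUP_PERMISSIONS[GroupName.RT_LEAD], (
        f"{permission} missing from RT_LEAD"
    )
    for group in _NON_LEAD_GROUPS:
        assert permission not in GROUP_PERMISSIONS[group], (
            f"{permission} must not be granted to {group.value}"
        )


def test_every_group_has_at_least_one_permission() -> None:
    """Every row in the matrix grants something; an empty row is a configuration error."""
    for group, perms in GROUP_PERMISSIONS.items():
        assert perms, f"group {group.value} has no permissions"


def test_rt_lead_is_superset_of_operator() -> None:
    """RT_LEAD can do everything RT_OPERATOR can (set containment via ``<=``)."""
    lead = GROUP_PERMISSIONS[GroupName.RT_LEAD]
    operator = GROUP_PERMISSIONS[GroupName.RT_OPERATOR]
    assert operator <= lead, "RT_LEAD must hold every RT_OPERATOR permission"


def test_soc_cannot_start_runs() -> None:
    """SOC_ANALYST is a consumer of run output and must not start or control runs."""
    soc = GROUP_PERMISSIONS[GroupName.SOC_ANALYST]
    assert Permission.RUN_START not in soc
    assert Permission.RUN_CONTROL not in soc


def test_only_lead_promotes_ttp() -> None:
    """TTP promotion is reserved to RT_LEAD."""
    _assert_lead_only(Permission.TTP_PROMOTE)


def test_audit_read_lead_only() -> None:
    """Audit-log read access is reserved to RT_LEAD."""
    _assert_lead_only(Permission.AUDIT_READ)


def test_only_lead_issues_soc_tokens() -> None:
    """Issuing engagement SOC tokens is reserved to RT_LEAD.

    The positive half (RT_LEAD actually holds the permission) is asserted too,
    so a matrix that grants it to nobody does not pass as "lead only".
    """
    _assert_lead_only(Permission.ENGAGEMENT_SOC_TOKEN_ISSUE)


def test_operator_cannot_control_run() -> None:
    """RT_OPERATOR must not be able to start or control runs."""
    operator = GROUP_PERMISSIONS[GroupName.RT_OPERATOR]
    assert Permission.RUN_START not in operator
    assert Permission.RUN_CONTROL not in operator


def test_soc_can_only_read_report_and_add_detection() -> None:
    """SOC_ANALYST may read reports and add detections, but not add evidence or manage hosts.

    This pins the named grants and denials only; it is not an exhaustive
    equality check against the SOC_ANALYST row.
    """
    soc = GROUP_PERMISSIONS[GroupName.SOC_ANALYST]
    assert Permission.DETECTION_ADD in soc
    assert Permission.REPORT_READ in soc
    assert Permission.EVIDENCE_ADD not in soc
    assert Permission.HOST_CRUD not in soc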