// Tests that the decoder is safe against adversarial input: malformed
// initial bytes, premature EOF, depth bombs, indefinite-length nesting,
// and invalid UTF-8.
module main

import encoding.cbor
import encoding.hex

fn h(s string) []u8 {
	return hex.decode(s) or { panic('invalid hex: ${s}') }
}

// ---------------------------------------------------------------------
// EOF handling
// ---------------------------------------------------------------------

fn test_eof_truncated_uint() {
	// 0x18 = uint(1-byte arg), but no following byte.
	if _ := cbor.decode[u64](h('18'), cbor.DecodeOpts{}) {
		assert false, 'expected EOF error'
	}
}

fn test_eof_truncated_array() {
	// 0x83 = array of 3, but only 1 element follows.
	if _ := cbor.decode[[]int](h('8301'), cbor.DecodeOpts{}) {
		assert false, 'expected EOF error in array'
	}
}

fn test_eof_truncated_string() {
	// 0x65 = text len 5, but only 3 bytes follow.
	if _ := cbor.decode[string](h('656162'), cbor.DecodeOpts{}) {
		assert false, 'expected EOF error in text'
	}
}

// ---------------------------------------------------------------------
// Reserved additional info
// ---------------------------------------------------------------------

fn test_reserved_info_rejected() {
	// 0x1c = major 0, info 28 (reserved).
	if _ := cbor.decode[cbor.Value](h('1c'), cbor.DecodeOpts{}) {
		assert false, 'expected malformed for info 28'
	}
}

// ---------------------------------------------------------------------
// Depth bomb
// ---------------------------------------------------------------------

fn test_depth_bomb_rejected() {
	// Build an indefinite-length array nested 1000 deep.
	mut deep := []u8{cap: 2002}
	for _ in 0 .. 1000 {
		deep << 0x9f // start indefinite array
	}
	for _ in 0 .. 1000 {
		deep << 0xff // close
	}
	if _ := cbor.decode[cbor.Value](deep, cbor.DecodeOpts{ max_depth: 16 }) {
		assert false, 'expected MaxDepthError'
	}
}

// ---------------------------------------------------------------------
// Indefinite-length string with mismatched chunk
// ---------------------------------------------------------------------

fn test_indef_text_with_byte_chunk_rejected() {
	// 0x7f = indef text. 0x42 = bytes(2). Should fail.
	if _ := cbor.decode[string](h('7f4201020203ff'), cbor.DecodeOpts{}) {
		assert false, 'expected malformed for mixed indef-text chunk'
	}
}

fn test_nested_indef_text_rejected() {
	// 0x7f7f...ff is indef text containing indef text — disallowed.
	if _ := cbor.decode[string](h('7f7f60ffff'), cbor.DecodeOpts{}) {
		assert false, 'expected malformed for nested indef text'
	}
}

// ---------------------------------------------------------------------
// UTF-8 validation
// ---------------------------------------------------------------------

fn test_invalid_utf8_rejected() {
	// 0x62 = text len 2, then invalid 2-byte sequence 0xc3 0x28.
	if _ := cbor.decode[string](h('62c328'), cbor.DecodeOpts{}) {
		assert false, 'expected InvalidUtf8Error'
	}
}

fn test_invalid_utf8_can_be_disabled() {
	// Same input but with validate_utf8 = false succeeds (caller
	// accepts responsibility for handling raw bytes).
	got := cbor.decode[string](h('62c328'), cbor.DecodeOpts{ validate_utf8: false }) or {
		panic('expected success: ${err}')
	}
	assert got.len == 2
}

fn test_invalid_utf8_overlong_rejected() {
	// "/" = 0x2f, but encoded as 2-byte overlong 0xc0 0xaf — rejected.
	if _ := cbor.decode[string](h('62c0af'), cbor.DecodeOpts{}) {
		assert false, 'expected InvalidUtf8Error for overlong'
	}
}

fn test_invalid_utf8_surrogate_rejected() {
	// U+D800 (high surrogate) in 3-byte form: 0xed 0xa0 0x80.
	if _ := cbor.decode[string](h('63eda080'), cbor.DecodeOpts{}) {
		assert false, 'expected InvalidUtf8Error for surrogate'
	}
}

// ---------------------------------------------------------------------
// Unknown fields in struct decode
// ---------------------------------------------------------------------

struct Strict {
	a int
}

fn test_unknown_field_tolerated_by_default() {
	// {"a": 1, "b": 2}
	bytes := h('a26161016162 02'.replace(' ', ''))
	got := cbor.decode[Strict](bytes, cbor.DecodeOpts{})!
	assert got.a == 1
}

fn test_unknown_field_rejected_when_opted_in() {
	bytes := h('a26161016162 02'.replace(' ', ''))
	if _ := cbor.decode[Strict](bytes, cbor.DecodeOpts{ deny_unknown_fields: true }) {
		assert false, 'expected UnknownFieldError'
	}
}

// ---------------------------------------------------------------------
// Native tag 0/1 content-type validation (RFC 8949 §3.4.1). Unlike a
// permissive decoder, we reject tag 0 wrapping non-text and tag 1
// wrapping non-numbers — same behaviour as QCBOR (the IETF reference).
// These cases come from the cbor-wg/bad conformance corpus.
// ---------------------------------------------------------------------

fn test_tag0_wrapping_map_rejected() {
	// c0 a1 61 61 00 = tag(0, {"a": 0}) — tag 0 must be tstr.
	if _ := cbor.decode[cbor.Value](h('c0a1616100'), cbor.DecodeOpts{}) {
		assert false, 'expected tag-0 type rejection'
	}
}

fn test_tag1_wrapping_map_rejected() {
	// c1 a1 61 61 00 = tag(1, {"a": 0}) — tag 1 must be int or float.
	if _ := cbor.decode[cbor.Value](h('c1a1616100'), cbor.DecodeOpts{}) {
		assert false, 'expected tag-1 type rejection'
	}
}

fn test_tag0_wrapping_text_accepted() {
	// c0 74 ... = tag(0, "2013-03-21T20:04:00Z") — well-formed.
	v := cbor.decode[cbor.Value](h('c074323031332d30332d32315432303a30343a30305a'), cbor.DecodeOpts{}) or {
		assert false, 'tag 0 + text MUST be accepted: ${err}'
		return
	}
	assert v is cbor.Tag
}

fn test_tag1_wrapping_int_or_float_accepted() {
	v := cbor.decode[cbor.Value](h('c11a514b67b0'), cbor.DecodeOpts{}) or {
		assert false, 'tag 1 + int MUST be accepted: ${err}'
		return
	}
	assert v is cbor.Tag

	v2 := cbor.decode[cbor.Value](h('c1fb41d452d9ec200000'), cbor.DecodeOpts{}) or {
		assert false, 'tag 1 + float MUST be accepted: ${err}'
		return
	}
	assert v2 is cbor.Tag
}

// ---------------------------------------------------------------------
// Header-length overflow: lengths beyond i64::max must be rejected,
// not silently wrapped to -1 (which would alias the indefinite-length
// sentinel and steer callers into the wrong loop). See decoder.v
// `unpack_array_header` / `unpack_map_header`.
// ---------------------------------------------------------------------

fn test_array_header_oversized_length_rejected() {
	// 9b ff ff ff ff ff ff ff ff = array, info=27, arg=u64::max.
	mut u := cbor.new_unpacker(h('9bffffffffffffffff'), cbor.DecodeOpts{})
	if n := u.unpack_array_header() {
		assert false, 'expected oversized length rejection, got ${n}'
	}
}

fn test_map_header_oversized_length_rejected() {
	// bb ff ff ff ff ff ff ff ff = map, info=27, arg=u64::max.
	mut u := cbor.new_unpacker(h('bbffffffffffffffff'), cbor.DecodeOpts{})
	if n := u.unpack_map_header() {
		assert false, 'expected oversized length rejection, got ${n}'
	}
}

fn test_array_header_at_i64_max_accepted() {
	// 9b 7f ff ff ff ff ff ff ff = array, info=27, arg=i64::max — boundary.
	mut u := cbor.new_unpacker(h('9b7fffffffffffffff'), cbor.DecodeOpts{})
	n := u.unpack_array_header() or {
		assert false, 'i64::max boundary must succeed: ${err}'
		return
	}
	assert n == max_i64
}

// ---------------------------------------------------------------------
// skip_value MUST enforce RFC 8949 §3.2.3 chunk rules for indefinite
// strings: each chunk must be a definite-length string of the same
// major type. Otherwise the skip path silently accepts what
// unpack_text / unpack_bytes correctly reject — letting malformed
// CBOR through RawMessage / Unmarshaler / unknown-field skipping.
// ---------------------------------------------------------------------

fn test_skip_value_rejects_cross_type_indef_string_chunk() {
	// 7f 41 00 ff = indef text containing one bytes chunk (major=2),
	// then break. Same chunk-type rule applies to skip_value as to
	// unpack_text — both reject cross-type chunks.
	mut u := cbor.new_unpacker(h('7f4100ff'), cbor.DecodeOpts{})
	if _ := u.skip_value() {
		assert false, 'skip_value must reject cross-type indef chunk'
	}
}

fn test_skip_value_rejects_nested_indef_string_chunk() {
	// 7f 7f 61 61 ff ff = indef text whose chunk is itself indefinite.
	mut u := cbor.new_unpacker(h('7f7f6161ffff'), cbor.DecodeOpts{})
	if _ := u.skip_value() {
		assert false, 'skip_value must reject nested indef chunk'
	}
}

fn test_raw_message_rejects_malformed_indef_string() {
	// Same payload as above, but exercised through the RawMessage path
	// (which calls skip_value internally to compute the slice bounds).
	mut u := cbor.new_unpacker(h('7f4100ff'), cbor.DecodeOpts{})
	if _ := u.unpack_raw() {
		assert false, 'unpack_raw must reject cross-type indef chunk'
	}
}