from django.test import SimpleTestCase, override_settings

from core.security.attachments import (
    validate_attachment_metadata,
    validate_attachment_url,
)


class AttachmentSecurityTests(SimpleTestCase):
    """Checks that the attachment validators refuse unsafe metadata and URLs.

    Every rejection is observed only as a ``ValueError``. The message is never
    inspected, so these tests cannot tell which validation rule fired.
    """

    def test_blocks_html_payload(self):
        # Metadata that is HTML by both extension and MIME type must be
        # refused.
        self.assertRaises(
            ValueError,
            validate_attachment_metadata,
            filename="payload.html",
            content_type="text/html",
            size=32,
        )

    @override_settings(ATTACHMENT_MAX_BYTES=10)
    def test_blocks_oversized_payload(self):
        # The cap is lowered to 10 so the declared size of 32 exceeds it.
        # NOTE(review): if ".bin" / "application/octet-stream" is itself
        # rejected by the type rules, this passes without the size check ever
        # running -- confirm that this type is accepted below the cap.
        oversized = {
            "filename": "dump.bin",
            "content_type": "application/octet-stream",
            "size": 32,
        }
        self.assertRaises(ValueError, validate_attachment_metadata, **oversized)

    @override_settings(ATTACHMENT_ALLOW_PRIVATE_URLS=False)
    def test_blocks_private_url_by_default(self):
        # NOTE(review): the flag is pinned to False here, so this does not
        # exercise the value the project actually ships -- verify the default
        # in settings separately.
        # TODO(review): only the literal "localhost" host is covered; loopback
        # and other internal address forms are not tested in this file.
        loopback_url = "http://localhost/internal"
        self.assertRaises(ValueError, validate_attachment_url, loopback_url)

    @override_settings(ATTACHMENT_ALLOW_PRIVATE_URLS=True)
    def test_allows_private_url_when_explicitly_enabled(self):
        # With the opt-in flag set, the validator hands the URL back unchanged.
        loopback_url = "http://localhost/internal"
        returned = validate_attachment_url(loopback_url)
        self.assertEqual("http://localhost/internal", returned)