//! Input validation and security checks

use anyhow::{anyhow, Result};

/// Validate API key meets minimum security requirements
///
/// Requirements:
/// - Minimum 32 characters
/// - Not a common weak key
/// - Sufficient character diversity
pub fn validate_api_key_strength(api_key: &str) -> Result<()> {
    // Minimum length check
    if api_key.len() < 32 {
        return Err(anyhow!("API key must be at least 32 characters long for security"));
    }

    // Check for common weak keys
    let weak_keys = [
        "password", "12345", "admin", "test", "api_key",
        "secret", "changeme", "default", "guruconnect"
    ];
    let lowercase_key = api_key.to_lowercase();
    for weak in &weak_keys {
        if lowercase_key.contains(weak) {
            return Err(anyhow!("API key contains weak/common patterns and is not secure"));
        }
    }

    // Check for sufficient entropy (basic diversity check)
    let unique_chars: std::collections::HashSet<char> = api_key.chars().collect();
    if unique_chars.len() < 10 {
        return Err(anyhow!(
            "API key has insufficient character diversity (need at least 10 unique characters)"
        ));
    }

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_validate_api_key_strength() {
        // Too short
        assert!(validate_api_key_strength("short").is_err());

        // Weak pattern
        assert!(validate_api_key_strength("password_but_long_enough_now_123456789").is_err());

        // Low entropy
        assert!(validate_api_key_strength("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").is_err());

        // Good key
        assert!(validate_api_key_strength("KfPrjjC3J6YMx9q1yjPxZAYkHLM2JdFy1XRxHJ9oPnw0NU3xH074ufHk7fj").is_ok());
    }
}