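"""Tests for WAFRuleAnalyzer's managed-WAF detection on Terraform snippets."""

from mcp.waf_intelligence.analyzer import WAFRuleAnalyzer


def test_analyzer_detects_managed_waf_ruleset():
    """A ruleset that executes a managed ruleset produces no violations."""
    analyzer = WAFRuleAnalyzer()

    # Zone-level ruleset in the managed-firewall phase with a single enabled
    # `execute` rule. The snippet's own description labels the referenced id
    # as the Cloudflare Managed Ruleset.
    tf = """
resource "cloudflare_ruleset" "managed_waf" {
  name  = "Managed WAF"
  kind  = "zone"
  phase = "http_request_firewall_managed"

  rules {
    action = "execute"
    action_parameters {
      id = "efb7b8c949ac4650a09736fc376e9aee"
    }
    expression  = "true"
    description = "Execute Cloudflare Managed Ruleset"
    enabled     = true
  }
}
"""

    result = analyzer.analyze_terraform_text(
        "snippet.tf", tf, min_severity="warning"
    )

    # NOTE(review): only the `enabled = true` case is exercised here. How the
    # analyzer treats a managed `execute` rule with `enabled = false`, or an
    # expression narrower than "true", is not shown by these tests.
    assert result.violations == []


def test_analyzer_warns_when_managed_waf_missing():
    """A snippet with only a custom-phase ruleset triggers the managed-WAF warning."""
    analyzer = WAFRuleAnalyzer()

    # Custom-firewall phase only, with no `rules` block: nothing in this
    # snippet executes a managed ruleset.
    tf = """
resource "cloudflare_ruleset" "security_rules" {
  name  = "Security Rules"
  kind  = "zone"
  phase = "http_request_firewall_custom"
}
"""

    result = analyzer.analyze_terraform_text(
        "snippet.tf", tf, min_severity="warning"
    )

    # Comparing the whole list also pins that this is the only violation
    # reported at "warning" severity or above for the snippet.
    assert [v.message for v in result.violations] == [
        "No managed WAF rules detected in this snippet."
    ]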