from pve_backup_report.sanitization import sanitize_message


def test_sanitize_message_masks_api_tokens_and_secrets() -> None:
    message = (
        "PVEAPIToken=user@pve!report=pve-secret "
        "PBSAPIToken=user@pbs!report:pbs-secret "
        "PBS01_API_TOKEN_SECRET=secret1 "
        "password=secret2 "
        "secret=secret3"
    )

    sanitized = sanitize_message(message)

    assert "pve-secret" not in sanitized
    assert "pbs-secret" not in sanitized
    assert "secret1" not in sanitized
    assert "secret2" not in sanitized
    assert "secret3" not in sanitized
    assert "PVEAPIToken=***" in sanitized
    assert "PBSAPIToken=***" in sanitized
    assert "PBS01_API_TOKEN_SECRET=***" in sanitized
    assert "password=***" in sanitized
    assert "secret=***" in sanitized


def test_sanitize_message_flattens_newlines() -> None:
    assert sanitize_message("line1\nsecret=value") == "line1 secret=***"


def test_sanitize_message_masks_exact_pbs_api_token_shape() -> None:
    assert sanitize_message("error PBSAPIToken=abc:secret") == "error PBSAPIToken=***"