//! TLS Configuration - Contains intentional vulnerabilities
//!
//! Vulnerabilities:
//! - Certificate verification disabled
//! - Insecure TLS versions allowed

use reqwest::ClientBuilder;

/// VULNERABILITY: TLS certificate verification disabled
/// Allows man-in-the-middle attacks
pub async fn fetch_insecure(url: &str) -> Result<String, String> {
    let client = ClientBuilder::new()
        // BLOCK: danger_accept_invalid_certs disables certificate verification
        .danger_accept_invalid_certs(true)
        .build()
        .map_err(|e| e.to_string())?;

    client.get(url)
        .send()
        .await
        .map_err(|e| e.to_string())?
        .text()
        .await
        .map_err(|e| e.to_string())
}

/// VULNERABILITY: Invalid hostnames accepted
/// Combined with invalid certs, completely breaks TLS security
pub async fn fetch_no_hostname_check(url: &str) -> Result<String, String> {
    let client = ClientBuilder::new()
        // BLOCK: danger_accept_invalid_hostnames allows hostname mismatch
        .danger_accept_invalid_hostnames(true)
        .danger_accept_invalid_certs(true)
        .build()
        .map_err(|e| e.to_string())?;

    client.get(url)
        .send()
        .await
        .map_err(|e| e.to_string())?
        .text()
        .await
        .map_err(|e| e.to_string())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn test_insecure_tls_patterns() {
        // These patterns should be detected by Aphoria
        // Don't actually run - just verify code compiles
    }
}