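import os
import socket

import paramiko

import testinfra.utils.ansible_runner


# Hosts under test are taken from the inventory file named by the
# MOLECULE_INVENTORY_FILE environment variable.
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')


def test_apt_proxy(host):
    """
    Tests if proxy configuration for apt is missing.
    """

    assert not host.file('/etc/apt/apt.conf.d/00proxy').exists


def test_bash_prompt_content(host):
    """
    Tests if bash prompt configuration file has no colouring and ID
    information contained within.
    """

    bash_prompt = host.file('/etc/profile.d/bash_prompt.sh')

    # Both prompt definitions are expected in the deployed file.
    assert "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\[\\033[0m\\]\\u@\\h:\\w\\$ \\[\\033[0m\\]'" in bash_prompt.content_string
    assert "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '" in bash_prompt.content_string


def test_ssh_login_mechanisms(host):
    """
    Tests available SSH login mechanisms (should be just public key).

    The server is probed with the SSH "none" authentication method. A
    hardened server rejects it and reports the methods it does accept;
    that list must be exactly ['publickey'].
    """

    # Extract first non-IPv6 IP. Crude test, but it should work.
    remote_ip = next(a for a in host.interface("eth1").addresses if ":" not in a)

    # Stays None unless the server rejects "none" authentication and
    # tells us which methods it accepts instead.
    allowed_types = None

    sock = socket.socket()
    try:
        sock.connect((remote_ip, 22))
        transport = paramiko.transport.Transport(sock)
        try:
            transport.connect()
            try:
                transport.auth_none('')
            except paramiko.transport.BadAuthenticationType as err:
                allowed_types = err.allowed_types
        finally:
            # Do not leave the SSH session open after the probe.
            transport.close()
    finally:
        sock.close()

    # If auth_none() did not raise, the server accepted a login without
    # any credentials. The assertion must fail in that case instead of
    # being skipped, so it lives outside the except clause.
    assert allowed_types == ['publickey']


def test_emacs_electric_indent_mode(host):
    """
    Tests if Emacs electric indent mode has been disabled via custom
    configuration file. With just mandatory options set, the file
    should not be present.
    """

    emacs_config = host.file('/etc/emacs/site-start.d/01disable-electric-indent-mode')

    assert not emacs_config.exists


def test_ferm_base_rules(host):
    """
    Test if base ferm configuration has been deployed correctly
    (content-wise).

    Checks both the ferm configuration file and the rules actually
    loaded into the kernel (via iptables-save / ip6tables-save), so
    that a correct file with a failed reload is still detected.
    """

    with host.sudo():

        ferm_base = host.file('/etc/ferm/conf.d/00-base.conf')

        assert "mod hashlimit hashlimit 3/second hashlimit-burst 9" in ferm_base.content_string

        # IPv4: rate limiting of ICMP echo requests and TCP SYN packets.
        iptables = host.command('iptables-save')

        assert iptables.rc == 0
        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
        assert "-A flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout

        # IPv6: rate limiting of ICMPv6 echo requests.
        ip6tables = host.command('ip6tables-save')

        assert ip6tables.rc == 0
        # NOTE(review): this assertion repeats the IPv4 ICMP check against
        # iptables.stdout and does not look at ip6tables.stdout. It looks
        # like a copy-paste leftover; confirm which IPv6 rule was meant to
        # be verified here.
        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
        assert "-A flood -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in ip6tables.stdout


def test_pipreqcheck_virtualenv_user(host):
    """
    Tests if user/group for running the pip requirements upgrade checks
    have been created correctly.
    """

    group = host.group('pipreqcheck')
    assert group.exists
    assert group.gid == 1001

    user = host.user('pipreqcheck')
    assert user.exists
    assert user.home == '/var/lib/pipreqcheck'
    assert user.uid == 1001
    assert user.group == 'pipreqcheck'
    # The account must not be a member of any supplementary group.
    assert user.groups == ['pipreqcheck']


def test_backup_configuration_absent(host):
    """
    Tests if backup configuration is absent. This should be the case
    when only mandatory parameters are provided.
    """

    with host.sudo():
        assert not host.file('/etc/duply/main/patterns/common').exists


def test_ntp_software_not_installed(host):
    """
    Tests if NTP packages are absent.
    """

    assert not host.package('ntpsec').is_installed
    assert not host.package('ntpsec-ntpdate').is_installed


def test_ntp_listening_interfaces(host):
    """
    Tests if NTP server is not listening.
    """

    assert not host.socket('udp://:::123').is_listening


def test_pipreqcheck_input_content(host):
    """
    Tests content of requirements input file used for virtual
    environment utilised by script that performs pip requirements
    upgrade checks.
    """

    requirements_path = '/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in'

    expected_requirements = [
        "pip",
        "pip-tools",
        "setuptools",
        "wheel"
    ]

    with host.sudo():
        deployed_requirements = host.file(requirements_path).content_string

    # Compare case-insensitively and regardless of line order.
    expected_requirements = sorted([line.lower() for line in expected_requirements])
    actual_requirements = sorted(deployed_requirements.lower().strip().split("\n"))

    assert actual_requirements == expected_requirements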