import os

import defusedxml.ElementTree as ElementTree

import pytest

import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')


def test_prosody_configuration_file_content(host):
    """
    Tests if Prosody configuration file has correct content.
    """

    hostname = host.run('hostname').stdout.strip()

    with host.sudo():

        config = host.file('/etc/prosody/prosody.cfg.lua')

        assert "admins = { \"jane.doe@domain2\", \"mick.doe@domain3\",  }" in config.content_string
        assert "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname in config.content_string
        assert "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname in config.content_string
        assert "ldap_server = \"ldap-server\"" in config.content_string
        assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string
        assert "ldap_password = \"prosodypassword\"" in config.content_string
        assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string
        assert "ldap_base = \"ou=people,dc=local\"" in config.content_string
        assert "archive_expires_after = \"1w\"" in config.content_string

        assert """VirtualHost "domain2"
Component "conference.domain2" "muc"
  restrict_room_creation = "local"
Component "proxy.domain2" "proxy65"
  proxy65_acl = { "domain2" }""" in config.content_string

        assert """VirtualHost "domain3"
Component "conference.domain3" "muc"
  restrict_room_creation = "local"
Component "proxy.domain3" "proxy65"
  proxy65_acl = { "domain3" }""" in config.content_string


@pytest.mark.parametrize("port", [
    5222,
    5223
])
def test_xmpp_c2s_tls_version_and_ciphers(host, port):
    """
    Tests if the correct TLS version and ciphers have been enabled for
    XMPP C2S ports.
    """

    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

    expected_tls_ciphers = [
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ]

    # Run the nmap scanner against the server, and fetch the results.
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port))
    assert nmap.rc == 0
    report_content = host.file('/tmp/report.xml').content_string

    report_root = ElementTree.fromstring(report_content)

    tls_versions = []
    tls_ciphers = set()

    for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
        tls_versions.append(child.attrib['key'])

    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
        tls_ciphers.add(child.text)

    tls_versions.sort()
    tls_ciphers = sorted(list(tls_ciphers))

    assert tls_versions == expected_tls_versions
    assert tls_ciphers == expected_tls_ciphers