import os

import defusedxml.ElementTree as ElementTree

import pytest

import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')


def test_certificate_validity_check_configuration(host):
    """
    Tests if certificate validity check configuration file has been deployed
    correctly.
    """

    hostname = host.run('hostname').stdout.strip()

    config = host.file('/etc/check_certificate/%s_xmpp.conf' % hostname)
    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644
    assert config.content_string == "/etc/ssl/certs/%s_xmpp.pem" % hostname


def test_prosody_configuration_file_content(host):
    """
    Tests if Prosody configuration file has correct content.
    """

    hostname = host.run('hostname').stdout.strip()

    with host.sudo():

        config = host.file('/etc/prosody/prosody.cfg.lua')

        assert "admins = { \"jane.doe@domain2\", \"mick.doe@domain3\",  }" in config.content_string
        assert "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname in config.content_string
        assert "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname in config.content_string
        assert "ldap_server = \"ldap-server\"" in config.content_string
        assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string
        assert "ldap_password = \"prosodypassword\"" in config.content_string
        assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string
        assert "ldap_base = \"ou=people,dc=local\"" in config.content_string

        assert """VirtualHost "domain2"
Component "conference.domain2" "muc"
  restrict_room_creation = "local"
Component "proxy.domain2" "proxy65"
  proxy65_acl = { "domain2" }""" in config.content_string

        assert """VirtualHost "domain3"
Component "conference.domain3" "muc"
  restrict_room_creation = "local"
Component "proxy.domain3" "proxy65"
  proxy65_acl = { "domain3" }""" in config.content_string


def test_correct_prosody_package_installed(host):
    """
    Tests if correct Prosody package has been installed.
    """

    assert host.package('prosody-0.10').is_installed


def test_xmpp_server_uses_correct_dh_parameters(host):
    """
    Tests if the HTTP server uses the generated Diffie-Hellman parameter.
    """

    fqdn = host.run('hostname -f').stdout.strip()

    with host.sudo():
        expected_dhparam = host.file('/etc/ssl/private/%s_xmpp.dh.pem' % fqdn).content_string.rstrip()

    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=xmpp --port 5222 "
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose domain2")

    output = connection.stdout
    begin_marker = "-----BEGIN DH PARAMETERS-----"
    end_marker = "-----END DH PARAMETERS-----"
    used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]

    assert used_dhparam == expected_dhparam


def test_tls_connectivity(host):
    """
    Tests if it is possible to connect to the XMPP server using
    STARTTLS/TLS.
    """

    starttls = host.run('echo "test" | openssl s_client -quiet -starttls xmpp -xmpphost domain2 -connect localhost:5222')
    assert starttls.rc == 0
    assert 'jabber:client' in starttls.stdout
    assert 'not-well-formed' in starttls.stdout

    tls = host.run('echo "test" | openssl s_client -quiet -connect domain2:5223')
    assert tls.rc == 0
    assert 'jabber:client' in starttls.stdout
    assert 'not-well-formed' in starttls.stdout

    s2s = host.run('echo "test" | openssl s_client -quiet -starttls xmpp-server -xmpphost domain2 -connect localhost:5222')
    assert s2s.rc == 0
    assert 'jabber:client' in s2s.stdout
    assert 'not-well-formed' in s2s.stdout


@pytest.mark.parametrize("port", [
    5222,
    5223
])
def test_xmpp_c2s_tls_version_and_ciphers(host, port):
    """
    Tests if the correct TLS version and ciphers have been enabled for
    XMPP C2S ports.
    """

    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

    expected_tls_ciphers = [
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ]

    # Run the nmap scanner against the server, and fetch the results.
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port))
    assert nmap.rc == 0
    report_content = host.file('/tmp/report.xml').content_string

    report_root = ElementTree.fromstring(report_content)

    tls_versions = []
    tls_ciphers = set()

    for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
        tls_versions.append(child.attrib['key'])

    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
        tls_ciphers.add(child.text)

    tls_versions.sort()
    tls_ciphers = sorted(list(tls_ciphers))

    assert tls_versions == expected_tls_versions
    assert tls_ciphers == expected_tls_ciphers