#!/usr/bin/env bats
# Comprehensive security compliance tests
# Reference: CIS Benchmark, FedRAMP, CMMC

@test "Full Disk Encryption configured" {
    grep -q "crypto" /workspace/config/includes.installer/preseed.cfg
}

@test "Password complexity configured" {
    grep -q "pwquality" /workspace/config/includes.installer/preseed.cfg
}

@test "WiFi blacklisted" {
    grep -q "cfg80211" /workspace/src/security-hardening.sh
}

@test "Bluetooth blacklisted" {
    grep -q "btusb" /workspace/src/security-hardening.sh
}

@test "Firewall configured" {
    grep -q "nftables" /workspace/config/package-lists/knel-football.list.chroot
}

# FR-006: SSH Access - Client Only (no inbound services)
@test "SSH client only (no server)" {
    ! grep -q "openssh-server" /workspace/config/package-lists/knel-football.list.chroot
}

@test "SSH client installed" {
    grep -q "openssh-client" /workspace/config/package-lists/knel-football.list.chroot
}

@test "SSH client configuration exists" {
    grep -q "configure_ssh_client" /workspace/src/security-hardening.sh
}

@test "SSH client disables password auth" {
    grep -q "PasswordAuthentication no" /workspace/src/security-hardening.sh
}

# CIS 1.4 - File Integrity Monitoring (FIM)
@test "CIS 1.4/FedRAMP AU-7/CMMC AU.3.059: AIDE package installed" {
    grep -q "aide" /workspace/config/package-lists/knel-football.list.chroot
}

@test "CIS 1.4: FIM configuration function exists" {
    grep -q "configure_fim" /workspace/src/security-hardening.sh
}

@test "CIS 1.4: FIM monitors /etc" {
    grep -q "/etc SECURITY" /workspace/src/security-hardening.sh
}

@test "CIS 1.4: FIM monitors /boot" {
    grep -q "/boot SECURITY" /workspace/src/security-hardening.sh
}

@test "CIS 1.4: FIM monitors /usr" {
    grep -q "/usr SECURITY" /workspace/src/security-hardening.sh
}

@test "CIS 1.4: FIM uses SHA256/SHA512" {
    grep -q "sha256\|sha512" /workspace/src/security-hardening.sh
}

# CIS 5.3 - System Resource Limits
@test "CIS 5.3: System resource limits configured" {
    grep -q "hard core 0" /workspace/src/security-hardening.sh
}

@test "CIS 5.3: Process limits configured" {
    grep -q "nproc" /workspace/src/security-hardening.sh
}

# CIS 6.2 - Audit Configuration (Comprehensive)
@test "CIS 6.2/FedRAMP AU-2/CMMC AU.2.042: Audit daemon installed" {
    grep -q "auditd" /workspace/config/package-lists/knel-football.list.chroot
}

@test "CIS 6.2: Audit rules function exists" {
    grep -q "configure_audit_rules" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit watches /etc/passwd" {
    grep -q "/etc/passwd.*-k identity" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit watches /etc/shadow" {
    grep -q "/etc/shadow.*-k identity" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit watches /etc/sudoers" {
    grep -q "/etc/sudoers.*-k privilege_escalation" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit watches authentication files" {
    grep -q "/etc/pam.d" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit watches network config" {
    grep -q "/etc/hosts" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit watches WireGuard config" {
    grep -q "/etc/wireguard" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit watches boot configuration" {
    grep -q "/boot/" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit watches kernel modules" {
    grep -q "init_module\|delete_module" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit monitors privilege escalation" {
    grep -q "/usr/bin/sudo.*-k privilege" /workspace/src/security-hardening.sh
}

@test "CIS 6.2: Audit monitors password changes" {
    grep -q "/usr/bin/passwd" /workspace/src/security-hardening.sh
}

# CIS 2.1 - Package Management Disabled
@test "CIS 2.1: Package management disable script exists" {
    [ -f "/workspace/config/hooks/installed/disable-package-management.sh" ]
}

@test "CIS 2.1: Package management disables apt" {
    grep -q "chmod -x.*apt" /workspace/config/hooks/installed/disable-package-management.sh
}

@test "CIS 2.1: Package management disables dpkg" {
    grep -q "chmod -x.*dpkg" /workspace/config/hooks/installed/disable-package-management.sh
}

@test "CIS 2.1: Package management makes tools immutable" {
    grep -q "chattr +i" /workspace/config/hooks/installed/disable-package-management.sh
}

# CIS 5.4 - Sudo Configuration
@test "CIS 5.4: Sudo package installed" {
    grep -q "sudo" /workspace/config/package-lists/knel-football.list.chroot
}

# Network Security - WireGuard
@test "WireGuard installed for VPN access" {
    grep -q "wireguard" /workspace/config/package-lists/knel-football.list.chroot
}

@test "Remmina RDP client installed" {
    grep -q "remmina" /workspace/config/package-lists/knel-football.list.chroot
}

# CIS 5.7 - Display Manager Privacy
@test "CIS 5.7: Display manager privacy configured" {
    grep -q "greeter-hide-users\|hide-users" /workspace/config/hooks/live/desktop-environment.sh
}

@test "CIS 5.7: No auto-login configured" {
    grep -q "autologin-user=\|auto-login" /workspace/config/hooks/live/desktop-environment.sh || \
    grep -q "# autologin" /workspace/config/hooks/live/desktop-environment.sh
}