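#!/usr/bin/env bats
# KNEL-Football System Tests - Secure Boot Verification
# Tests for Secure Boot support in the ISO
# Copyright © 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only

# These tests verify Secure Boot packages and configuration.
#
# Scope: apart from the two VM tests at the end, every check here is a static
# text match against the build configuration. A pass shows that the expected
# names are present in the config files; it does not show that the built ISO
# boots with Secure Boot enforced. The VM tests currently only skip, so that
# property still has to be confirmed by hand on a booted system.

# Files under test, relative to the directory bats is run from.
PACKAGE_LIST="config/package-lists/knel-football.list.chroot"
ENCRYPTION_HOOK="config/hooks/installed/encryption-setup.sh"
PRESEED="config/includes.installer/preseed.cfg"

# package_listed PKG
# Succeeds only when PKG appears as a whole whitespace-delimited entry in the
# package list, with no '#' earlier on the same line. A plain substring grep
# would also pass on a commented-out entry ("# shim-signed") or on a longer
# package name that merely contains PKG, which would hide a missing package.
# PKG is used inside an extended regex; the names passed below contain only
# letters, digits and hyphens.
package_listed() {
    local pkg="$1"
    grep -Eq -- "^([^#]*[[:space:]])?${pkg}([[:space:]]|\$)" "$PACKAGE_LIST"
}

# Test: Verify Secure Boot packages are in package list
@test "Secure Boot package shim-signed is in package list" {
    package_listed "shim-signed"
}

@test "Secure Boot package grub-efi-amd64-signed is in package list" {
    package_listed "grub-efi-amd64-signed"
}

@test "Secure Boot package grub-efi-amd64-bin is in package list" {
    package_listed "grub-efi-amd64-bin"
}

@test "UEFI package efibootmgr is in package list" {
    package_listed "efibootmgr"
}

# Test: Verify Secure Boot section comment exists
@test "Package list has Secure Boot section comment" {
    grep -q "Secure Boot" "$PACKAGE_LIST"
}

# Test: Verify encryption configuration for Secure Boot compatibility
# NOTE(review): the three hook checks in this file ("luks2", "dm_crypt",
# "grub") are substring matches over the whole script, so a comment or an
# unrelated identifier containing the word also satisfies them. They confirm
# the term is mentioned, not that the corresponding step is executed.
@test "Encryption setup uses LUKS2 format" {
    grep -q "luks2" "$ENCRYPTION_HOOK"
}

@test "Encryption setup configures initramfs for crypto" {
    grep -q "dm_crypt" "$ENCRYPTION_HOOK"
}

# Test: Verify preseed has UEFI/GPT configuration
@test "Preseed uses GPT partitioning for UEFI compatibility" {
    [ -f "$PRESEED" ]
    # The original ended this check with `|| true`, so the test passed whenever
    # the file existed, even with no GPT/EFI reference in it. The grep is now
    # the test's final status. Same four spellings as before; still a substring
    # match, so treat a pass as a weak signal only.
    grep -Eq 'gpt|GPT|efi|EFI' "$PRESEED"
}

# Test: Verify GRUB configuration exists
@test "Encryption setup configures GRUB" {
    grep -q "grub" "$ENCRYPTION_HOOK"
}

# Runtime tests (require VM)
# These are placeholders that will be skipped if VM is not available.
# Both tests skip on every path (VM absent or VM running), so they never
# report a failure; they exist to surface the manual step in the test output.

@test "VM boots with UEFI (requires VM)" {
    # This test requires a running VM
    if ! virsh domstate knel-football-test 2>/dev/null | grep -q "running"; then
        skip "VM not running - start with ./run.sh test:iso create"
    fi
    # Check UEFI boot would require VM console access
    skip "Requires manual verification via console"
}

@test "Secure Boot verification (requires VM)" {
    # This test requires manual verification
    if ! virsh domstate knel-football-test 2>/dev/null | grep -q "running"; then
        skip "VM not running - start with ./run.sh test:iso create"
    fi
    # Secure Boot verification requires console access
    skip "Requires manual verification: dmesg | grep -i secure"
}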