#!/usr/bin/env bats
# Unit tests for firewall-setup.sh
# Reference: PRD.md FR-005 (Firewall)

@test "firewall-setup.sh exists and is executable" {
    [ -f "/workspace/src/firewall-setup.sh" ]
    [ -x "/workspace/src/firewall-setup.sh" ]
}

@test "parse_wg_endpoint function exists" {
    grep -q "parse_wg_endpoint()" /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules function exists" {
    grep -q "generate_nftables_rules()" /workspace/src/firewall-setup.sh
}

@test "apply_firewall function exists" {
    grep -q "apply_firewall()" /workspace/src/firewall-setup.sh
}

@test "Firewall uses nftables" {
    grep -q "nft" /workspace/src/firewall-setup.sh
}

@test "Firewall input chain has drop policy" {
    grep -q "chain input" /workspace/src/firewall-setup.sh
    grep -q "policy drop" /workspace/src/firewall-setup.sh
}

@test "Firewall forward chain has drop policy" {
    grep -q "chain forward" /workspace/src/firewall-setup.sh
}

@test "Firewall output chain has drop policy" {
    grep -q "chain output" /workspace/src/firewall-setup.sh
}

@test "Firewall allows loopback" {
    grep -q "iif lo accept" /workspace/src/firewall-setup.sh
    grep -q "oif lo accept" /workspace/src/firewall-setup.sh
}

@test "Firewall allows WireGuard traffic" {
    grep -q "WireGuard" /workspace/src/firewall-setup.sh
}

@test "Firewall allows ping" {
    grep -q "icmp" /workspace/src/firewall-setup.sh
}

@test "main function exists" {
    grep -q "main()" /workspace/src/firewall-setup.sh
}