#!/usr/bin/env bats
# Comprehensive unit tests for firewall-setup.sh (100% coverage)

# Test parse_wg_endpoint function exists
@test "parse_wg_endpoint function is defined" {
  source /workspace/src/firewall-setup.sh
  declare -f parse_wg_endpoint
}

@test "parse_wg_endpoint accepts optional config parameter" {
  grep -q 'wg_config=.*${1:-' /workspace/src/firewall-setup.sh
}

@test "parse_wg_endpoint checks for WireGuard config file" {
  grep -q '\[\[ ! -f.*wg_config \]\]' /workspace/src/firewall-setup.sh
}

@test "parse_wg_endpoint returns error when config not found" {
  grep -q 'return 1' /workspace/src/firewall-setup.sh
}

@test "parse_wg_endpoint parses endpoint from config" {
  grep -q 'grep -oP.*Endpoint.*' /workspace/src/firewall-setup.sh
}

@test "parse_wg_endpoint returns error on parse failure" {
  grep -q 'Could not parse endpoint' /workspace/src/firewall-setup.sh
}

# Test generate_nftables_rules function exists
@test "generate_nftables_rules function is defined" {
  source /workspace/src/firewall-setup.sh
  declare -f generate_nftables_rules
}

@test "generate_nftables_rules accepts endpoint parameter" {
  grep -q 'endpoint="$1"' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules parses IP from endpoint" {
  grep -q 'local ip=' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules parses port from endpoint" {
  grep -q 'local port=' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules generates nftables config" {
  grep -q 'cat <<EOF' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules flushes ruleset" {
  grep -q 'flush ruleset' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules defines input chain" {
  grep -q 'chain input' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules sets input policy to drop" {
  grep -q 'policy drop' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules accepts loopback traffic" {
  grep -q 'iif lo accept' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules accepts ping" {
  grep -q 'icmp type echo-request accept' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules defines forward chain" {
  grep -q 'chain forward' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules defines output chain" {
  grep -q 'chain output' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules accepts WireGuard traffic" {
  grep -q 'udp dport.*ip daddr.*accept' /workspace/src/firewall-setup.sh
}

@test "generate_nftables_rules uses inet filter table" {
  grep -q 'table inet filter' /workspace/src/firewall-setup.sh
}

# Test apply_firewall function exists
@test "apply_firewall function is defined" {
  source /workspace/src/firewall-setup.sh
  declare -f apply_firewall
}

@test "apply_firewall accepts optional config parameter" {
  grep -q 'wg_config=.*${1:-' /workspace/src/firewall-setup.sh
}

@test "apply_firewall checks for WireGuard config" {
  grep -q '\[\[ -f.*wg_config \]\]' /workspace/src/firewall-setup.sh
}

@test "apply_firewall calls parse_wg_endpoint" {
  grep -q 'parse_wg_endpoint' /workspace/src/firewall-setup.sh
}

@test "apply_firewall generates rules when endpoint found" {
  grep -q 'generate_nftables_rules' /workspace/src/firewall-setup.sh
}

@test "apply_firewall writes nftables config" {
  grep -q '>/etc/nftables.conf' /workspace/src/firewall-setup.sh
}

@test "apply_firewall enables nftables service" {
  grep -q 'systemctl enable nftables' /workspace/src/firewall-setup.sh
}

@test "apply_firewall restarts nftables service" {
  grep -q 'systemctl restart nftables' /workspace/src/firewall-setup.sh
}

@test "apply_firewall handles missing config" {
  grep -q 'Warning: WireGuard config not found' /workspace/src/firewall-setup.sh
}

@test "apply_firewall handles parse failure" {
  grep -q 'Warning: Could not parse WireGuard endpoint' /workspace/src/firewall-setup.sh
}

# Test main function exists
@test "main function is defined" {
  source /workspace/src/firewall-setup.sh
  declare -f main
}

@test "main calls apply_firewall" {
  grep -q 'apply_firewall' /workspace/src/firewall-setup.sh
}

@test "main outputs setup messages" {
  grep -q 'Setting up' /workspace/src/firewall-setup.sh
  grep -q 'completed' /workspace/src/firewall-setup.sh
}

# Test script behavior
@test "script uses set -euo pipefail" {
  grep -q "set -euo pipefail" /workspace/src/firewall-setup.sh
}

@test "script is executable" {
  [ -x "/workspace/src/firewall-setup.sh" ]
}

@test "script has proper shebang" {
  head -n1 /workspace/src/firewall-setup.sh | grep -q "#!/bin/bash"
}

@test "script has comments explaining functions" {
  grep -q "# Function to" /workspace/src/firewall-setup.sh
}

@test "script checks if executed directly" {
  grep -q 'BASH_SOURCE' /workspace/src/firewall-setup.sh
}

@test "script calls main only when executed directly" {
  grep -q '== "${0}"' /workspace/src/firewall-setup.sh
}

@test "script has proper error messages" {
  grep -q "Error:" /workspace/src/firewall-setup.sh
}

@test "script has proper warning messages" {
  grep -q "Warning:" /workspace/src/firewall-setup.sh
}