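#!/usr/bin/env bats
# Unit tests for security-hardening.sh.
#
# Most checks here are *static*: they grep the script source for the settings
# it is expected to emit. That proves the text is present in the file, not
# that the function actually writes it (a commented-out line such as
# `# PermitRootLogin no` would match just as well). The "function is defined"
# and "X calls Y" tests source the script and inspect the resulting shell
# functions instead, so they cannot be satisfied by a definition line alone.
#
# The script path defaults to /workspace/src/security-hardening.sh and can be
# overridden with SCRIPT_UNDER_TEST so the suite also runs outside the
# container layout.

setup() {
  SCRIPT=${SCRIPT_UNDER_TEST:-/workspace/src/security-hardening.sh}
}

# script_has PATTERN — true when the script source matches PATTERN (grep BRE).
# `--` keeps patterns that start with '-' from being parsed as grep options.
script_has() {
  grep -q -- "$1" "$SCRIPT"
}

# script_has_literal STRING — fixed-string variant for text containing shell
# or regex metacharacters such as `${1:-` or `== "${0}"`.
script_has_literal() {
  grep -q -F -- "$1" "$SCRIPT"
}

# has_function NAME — true when NAME is a defined shell function.
# The script must have been sourced first.
has_function() {
  declare -f "$1" >/dev/null
}

# fn_body_has FUNC PATTERN — true when the body of shell function FUNC, as
# printed by `declare -f`, matches PATTERN. The script must have been sourced
# first. A grep over the whole file for "configure_ssh" is satisfied by
# configure_ssh's own definition line; this helper only looks inside FUNC, so
# an "X calls Y" test genuinely checks X. (If the script ever dispatches
# through a list of names rather than direct calls, these tests need revising.)
fn_body_has() {
  declare -f "$1" | grep -q -- "$2"
}

# --- create_wifi_blacklist ---------------------------------------------------

@test "create_wifi_blacklist function is defined" {
  source "$SCRIPT"
  has_function create_wifi_blacklist
}

@test "create_wifi_blacklist accepts optional output parameter" {
  script_has 'output_file=.*\${1:-'
}

@test "create_wifi_blacklist creates modprobe.d file" {
  script_has '/etc/modprobe.d/blacklist-wifi.conf'
}

@test "create_wifi_blacklist blacklists cfg80211" {
  script_has 'blacklist cfg80211'
}

@test "create_wifi_blacklist blacklists mac80211" {
  script_has 'blacklist mac80211'
}

@test "create_wifi_blacklist blacklists brcmfmac" {
  script_has 'blacklist brcmfmac'
}

@test "create_wifi_blacklist blacklists iwlwifi" {
  script_has 'blacklist iwlwifi'
}

@test "create_wifi_blacklist blacklists ath9k" {
  script_has 'blacklist ath9k'
}

@test "create_wifi_blacklist blacklists rt73usb" {
  script_has 'blacklist rt73usb'
}

@test "create_wifi_blacklist outputs completion message" {
  script_has 'created at'
}

# --- create_bluetooth_blacklist ----------------------------------------------

@test "create_bluetooth_blacklist function is defined" {
  source "$SCRIPT"
  has_function create_bluetooth_blacklist
}

@test "create_bluetooth_blacklist accepts optional output parameter" {
  script_has 'output_file=.*\${1:-'
}

@test "create_bluetooth_blacklist creates modprobe.d file" {
  script_has '/etc/modprobe.d/blacklist-bluetooth.conf'
}

@test "create_bluetooth_blacklist blacklists btusb" {
  script_has 'blacklist btusb'
}

@test "create_bluetooth_blacklist blacklists bluetooth" {
  script_has 'blacklist bluetooth'
}

@test "create_bluetooth_blacklist blacklists btrtl" {
  script_has 'blacklist btrtl'
}

@test "create_bluetooth_blacklist blacklists btintel" {
  script_has 'blacklist btintel'
}

@test "create_bluetooth_blacklist blacklists btbcm" {
  script_has 'blacklist btbcm'
}

@test "create_bluetooth_blacklist outputs completion message" {
  script_has 'created at'
}

# --- configure_ssh -----------------------------------------------------------

@test "configure_ssh function is defined" {
  source "$SCRIPT"
  has_function configure_ssh
}

@test "configure_ssh accepts optional output parameter" {
  script_has 'output_file=.*\${1:-'
}

@test "configure_ssh creates sshd_config file" {
  script_has '/etc/ssh/sshd_config'
}

# "Protocol 2" is a no-op on OpenSSH releases that dropped protocol 1; the
# test pins it only because the script is expected to emit it.
@test "configure_ssh sets Protocol to 2" {
  script_has 'Protocol 2'
}

@test "configure_ssh disables root login" {
  script_has 'PermitRootLogin no'
}

@test "configure_ssh disables empty passwords" {
  script_has 'PermitEmptyPasswords no'
}

@test "configure_ssh sets MaxAuthTries to 3" {
  script_has 'MaxAuthTries 3'
}

@test "configure_ssh sets ClientAliveInterval to 300" {
  script_has 'ClientAliveInterval 300'
}

@test "configure_ssh sets ClientAliveCountMax to 2" {
  script_has 'ClientAliveCountMax 2'
}

@test "configure_ssh disables X11 forwarding" {
  script_has 'X11Forwarding no'
}

@test "configure_ssh outputs completion message" {
  script_has 'created at'
}

# --- configure_password_policy -----------------------------------------------

@test "configure_password_policy function is defined" {
  source "$SCRIPT"
  has_function configure_password_policy
}

@test "configure_password_policy accepts optional output parameter" {
  script_has 'output_file=.*\${1:-'
}

@test "configure_password_policy creates pwquality.conf file" {
  script_has '/etc/security/pwquality.conf'
}

@test "configure_password_policy sets minlen to 14" {
  script_has 'minlen = 14'
}

@test "configure_password_policy requires 1 digit" {
  script_has 'dcredit = -1'
}

@test "configure_password_policy requires 1 uppercase" {
  script_has 'ucredit = -1'
}

@test "configure_password_policy requires 1 lowercase" {
  script_has 'lcredit = -1'
}

@test "configure_password_policy requires 1 special char" {
  script_has 'ocredit = -1'
}

@test "configure_password_policy enforces minimum requirements" {
  script_has 'enforcing = 1'
}

@test "configure_password_policy checks dictionary" {
  script_has 'dictcheck = 1'
}

@test "configure_password_policy checks username" {
  script_has 'usercheck = 1'
}

@test "configure_password_policy sets maxrepeat to 2" {
  script_has 'maxrepeat = 2'
}

@test "configure_password_policy sets maxsequence to 2" {
  script_has 'maxsequence = 2'
}

@test "configure_password_policy sets minclass to 3" {
  script_has 'minclass = 3'
}

@test "configure_password_policy has security comments" {
  script_has 'NIST SP 800-63B'
}

@test "configure_password_policy outputs completion message" {
  script_has 'configured at'
}

# --- configure_system_limits -------------------------------------------------

@test "configure_system_limits function is defined" {
  source "$SCRIPT"
  has_function configure_system_limits
}

@test "configure_system_limits accepts optional output parameter" {
  script_has 'output_file=.*\${1:-'
}

@test "configure_system_limits creates limits file" {
  script_has '/etc/security/limits.d/security.conf'
}

@test "configure_system_limits disables core dumps" {
  script_has 'hard core 0'
}

@test "configure_system_limits sets nproc limits" {
  script_has 'nproc'
}

@test "configure_system_limits outputs completion message" {
  script_has 'configured at'
}

# --- configure_audit_rules ---------------------------------------------------

@test "configure_audit_rules function is defined" {
  source "$SCRIPT"
  has_function configure_audit_rules
}

@test "configure_audit_rules accepts optional output parameter" {
  script_has 'output_file=.*\${1:-'
}

@test "configure_audit_rules creates audit.rules file" {
  script_has '/etc/audit/rules.d/audit.rules'
}

@test "configure_audit_rules monitors passwd file" {
  script_has '/etc/passwd'
}

@test "configure_audit_rules monitors shadow file" {
  script_has '/etc/shadow'
}

# NOTE: '/etc/ssh/sshd_config' also appears in configure_ssh, so this file-level
# grep cannot tell which function references it.
@test "configure_audit_rules monitors sshd_config" {
  script_has '/etc/ssh/sshd_config'
}

@test "configure_audit_rules monitors wireguard directory" {
  script_has '/etc/wireguard/'
}

@test "configure_audit_rules monitors audit logs" {
  script_has '/var/log/audit/'
}

@test "configure_audit_rules outputs completion message" {
  script_has 'configured at'
}

# --- apply_security_hardening ------------------------------------------------

@test "apply_security_hardening function is defined" {
  source "$SCRIPT"
  has_function apply_security_hardening
}

# The "calls" tests look inside the function body; a plain file grep for the
# callee's name would be satisfied by the callee's own definition.
@test "apply_security_hardening calls create_wifi_blacklist" {
  source "$SCRIPT"
  fn_body_has apply_security_hardening 'create_wifi_blacklist'
}

@test "apply_security_hardening calls create_bluetooth_blacklist" {
  source "$SCRIPT"
  fn_body_has apply_security_hardening 'create_bluetooth_blacklist'
}

@test "apply_security_hardening calls configure_ssh" {
  source "$SCRIPT"
  fn_body_has apply_security_hardening 'configure_ssh'
}

@test "apply_security_hardening calls configure_password_policy" {
  source "$SCRIPT"
  fn_body_has apply_security_hardening 'configure_password_policy'
}

@test "apply_security_hardening calls configure_system_limits" {
  source "$SCRIPT"
  fn_body_has apply_security_hardening 'configure_system_limits'
}

@test "apply_security_hardening calls configure_audit_rules" {
  source "$SCRIPT"
  fn_body_has apply_security_hardening 'configure_audit_rules'
}

@test "apply_security_hardening outputs progress messages" {
  script_has 'Applying security hardening'
}

@test "apply_security_hardening outputs completion message" {
  script_has 'completed'
}

# --- main --------------------------------------------------------------------

@test "main function is defined" {
  source "$SCRIPT"
  has_function main
}

@test "main calls apply_security_hardening" {
  source "$SCRIPT"
  fn_body_has main 'apply_security_hardening'
}

@test "main outputs start message" {
  script_has 'Starting KNEL-Football security hardening'
}

@test "main outputs completion message" {
  script_has 'completed successfully'
}

# --- script behavior ---------------------------------------------------------

@test "script uses set -euo pipefail" {
  script_has 'set -euo pipefail'
}

@test "script is executable" {
  [ -x "$SCRIPT" ]
}

# A shebang is only honoured at byte 0 of the file, hence the '^' anchor.
@test "script has proper shebang" {
  head -n1 "$SCRIPT" | grep -q '^#!/bin/bash'
}

@test "script checks if executed directly" {
  script_has 'BASH_SOURCE'
}

@test "script calls main only when executed directly" {
  script_has_literal '== "${0}"'
}

@test "script has comments explaining security requirements" {
  script_has 'NIST'
  script_has 'CIS'
}

@test "script has mandatory password requirements" {
  script_has 'MANDATORY'
}

@test "script has compliance references" {
  script_has 'tier0'
}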