#!/usr/bin/env bats
# Comprehensive unit tests for security-hardening.sh (100% coverage)

# Add bats library to BATS_LIB_PATH
export BATS_LIB_PATH="/usr/lib/bats-core"

load 'bats-support/load'
load 'bats-assert/load'
load 'bats-file/load'
load '../test_helper/common.bash'

setup() {
    export TEST_ROOT="${TEST_TEMP_DIR}/security-hardening"
    mkdir -p "${TEST_ROOT}"
}

@test "security-hardening.sh exists and is executable" {
    assert_file_exists "${PROJECT_ROOT}/src/security-hardening.sh"
    assert [ -x "${PROJECT_ROOT}/src/security-hardening.sh" ]
}

@test "create_wifi_blacklist creates correct configuration" {
    source "${PROJECT_ROOT}/src/security-hardening.sh"

    local test_output="${TEST_ROOT}/blacklist-wifi.conf"
    create_wifi_blacklist "$test_output"

    assert_file_exists "$test_output"
    assert_file_contains "$test_output" "blacklist cfg80211"
    assert_file_contains "$test_output" "blacklist mac80211"
    assert_file_contains "$test_output" "blacklist brcmfmac"
    assert_file_contains "$test_output" "blacklist iwlwifi"
    assert_file_contains "$test_output" "blacklist ath9k"
    assert_file_contains "$test_output" "blacklist rt73usb"
}

@test "create_bluetooth_blacklist creates correct configuration" {
    source "${PROJECT_ROOT}/src/security-hardening.sh"

    local test_output="${TEST_ROOT}/blacklist-bluetooth.conf"
    create_bluetooth_blacklist "$test_output"

    assert_file_exists "$test_output"
    assert_file_contains "$test_output" "blacklist btusb"
    assert_file_contains "$test_output" "blacklist bluetooth"
    assert_file_contains "$test_output" "blacklist btrtl"
    assert_file_contains "$test_output" "blacklist btintel"
    assert_file_contains "$test_output" "blacklist btbcm"
}

@test "configure_ssh creates secure configuration" {
    source "${PROJECT_ROOT}/src/security-hardening.sh"

    local test_output="${TEST_ROOT}/sshd_config"
    configure_ssh "$test_output"

    assert_file_exists "$test_output"
    assert_file_contains "$test_output" "Protocol 2"
    assert_file_contains "$test_output" "PermitRootLogin no"
    assert_file_contains "$test_output" "PasswordAuthentication yes"
    assert_file_contains "$test_output" "PubkeyAuthentication yes"
    assert_file_contains "$test_output" "PermitEmptyPasswords no"
    assert_file_contains "$test_output" "ChallengeResponseAuthentication no"
    assert_file_contains "$test_output" "X11Forwarding no"
    assert_file_contains "$test_output" "MaxAuthTries 3"
    assert_file_contains "$test_output" "ClientAliveInterval 300"
    assert_file_contains "$test_output" "ClientAliveCountMax 2"
}

@test "configure_password_policy creates secure policy" {
    source "${PROJECT_ROOT}/src/security-hardening.sh"

    local test_output="${TEST_ROOT}/pwquality.conf"
    configure_password_policy "$test_output"

    assert_file_exists "$test_output"

    # Minimum length
    assert_file_contains "$test_output" "minlen = 14"

    # Character class requirements
    assert_file_contains "$test_output" "dcredit = -1"
    assert_file_contains "$test_output" "ucredit = -1"
    assert_file_contains "$test_output" "lcredit = -1"
    assert_file_contains "$test_output" "ocredit = -1"

    # Complexity requirements
    assert_file_contains "$test_output" "difok = 4"
    assert_file_contains "$test_output" "maxrepeat = 2"
    assert_file_contains "$test_output" "maxclassrepeat = 2"
    assert_file_contains "$test_output" "maxsequence = 2"

    # Security checks
    assert_file_contains "$test_output" "usercheck = 1"
    assert_file_contains "$test_output" "dictcheck = 1"
    assert_file_contains "$test_output" "gecoscheck = 1"
    assert_file_contains "$test_output" "enforcing = 1"

    # Bad words
    assert_file_contains "$test_output" "badwords = password secret admin root knel football tier0"

    # Minimum character classes
    assert_file_contains "$test_output" "minclass = 3"
}

@test "configure_auditd creates audit configuration" {
    source "${PROJECT_ROOT}/src/security-hardening.sh"

    local test_output="${TEST_ROOT}/auditd.conf"
    configure_auditd "$test_output"

    assert_file_exists "$test_output"
}

@test "configure_limits creates resource limits" {
    source "${PROJECT_ROOT}/src/security-hardening.sh"

    local test_output="${TEST_ROOT}/limits.conf"
    configure_limits "$test_output"

    assert_file_exists "$test_output"
    assert_file_contains "$test_output" "* soft core 0"
}

@test "configure_sysctl creates kernel hardening" {
    source "${PROJECT_ROOT}/src/security-hardening.sh"

    local test_output="${TEST_ROOT}/99-security.conf"
    configure_sysctl "$test_output"

    assert_file_exists "$test_output"
}

@test "security-hardening.sh script is valid bash" {
    run bash -n "${PROJECT_ROOT}/src/security-hardening.sh"
    assert_success
}

@test "all functions are callable without error" {
    source "${PROJECT_ROOT}/src/security-hardening.sh"

    run create_wifi_blacklist "${TEST_ROOT}/test-wifi.conf"
    assert_success

    run create_bluetooth_blacklist "${TEST_ROOT}/test-bt.conf"
    assert_success

    run configure_ssh "${TEST_ROOT}/test-ssh.conf"
    assert_success

    run configure_password_policy "${TEST_ROOT}/test-pw.conf"
    assert_success
}