football/tests/unit/encryption-validation_test.bats

#!/usr/bin/env bats
# Unit tests for encryption-validation.sh hook
# Reference: PRD.md FR-001 (Full Disk Encryption)

@test "encryption-validation.sh exists and is executable" {
    [ -f "/workspace/config/hooks/installed/encryption-validation.sh" ]
    [ -x "/workspace/config/hooks/installed/encryption-validation.sh" ]
}

@test "Validation checks for LUKS2 format" {
    grep -q "LUKS\|luks" /workspace/config/hooks/installed/encryption-validation.sh
}

@test "Validation checks for encryption status" {
    grep -q "crypt\|Crypt" /workspace/config/hooks/installed/encryption-validation.sh
}

@test "Validation script uses set -e for error handling" {
    grep -q "set -e" /workspace/config/hooks/installed/encryption-validation.sh
}

# =============================================================================
# USERNAME CONSISTENCY (FINDING-008)
# =============================================================================

@test "Username 'football' is consistent across all hook files" {
    # preseed.cfg creates user 'football', hooks should reference same username
    run grep -r "kneluser" /workspace/config/hooks/
    [ "$status" -ne 0 ]
}

@test "Username in preseed.cfg is 'football'" {
    grep -q "passwd/username string football" /workspace/config/includes.installer/preseed.cfg
}

@test "encryption-validation.sh uses correct username 'football'" {
    # Should NOT reference 'kneluser'
    ! grep -q "kneluser" /workspace/config/hooks/installed/encryption-validation.sh
}

@test "usb-automount.sh uses correct username 'football'" {
    # Should NOT reference 'kneluser'
    ! grep -q "kneluser" /workspace/config/hooks/live/usb-automount.sh
}

@test "install-scripts.sh uses correct username 'football'" {
    # Should NOT reference 'kneluser'
    ! grep -q "kneluser" /workspace/config/hooks/installed/install-scripts.sh
}

# =============================================================================
# ENCRYPTION PARAMETER VALIDATION (FINDING-007)
# =============================================================================

# Tests for preseed.cfg encryption configuration

@test "preseed.cfg configures AES-XTS-PLAIN64 cipher" {
    grep -q "partman-crypto/cipher aes-xts-plain64" /workspace/config/includes.installer/preseed.cfg || \
    grep -q "partman-crypto/cipher string aes-xts-plain64" /workspace/config/includes.installer/preseed.cfg
}

@test "preseed.cfg configures 512-bit keysize" {
    grep -q "partman-crypto/keysize 512" /workspace/config/includes.installer/preseed.cfg || \
    grep -q "partman-crypto/keysize string 512" /workspace/config/includes.installer/preseed.cfg
}

@test "preseed.cfg enables LUKS2 format" {
    grep -q "partman-crypto/use-luks2 boolean true" /workspace/config/includes.installer/preseed.cfg
}

@test "preseed.cfg enables crypto method for full disk encryption" {
    grep -q "partman-auto/method string crypto" /workspace/config/includes.installer/preseed.cfg
}

@test "preseed.cfg enables secure disk erasure" {
    grep -q "partman-crypto/erase_disks_secure boolean true" /workspace/config/includes.installer/preseed.cfg
}

# Tests for encryption-setup.sh proper configuration

@test "encryption-setup.sh configures cipher in crypttab" {
    grep -q "cipher=aes-xts-plain64" /workspace/config/hooks/installed/encryption-setup.sh
}

@test "encryption-setup.sh configures key-size in crypttab" {
    grep -q "key-size=512" /workspace/config/hooks/installed/encryption-setup.sh
}

@test "encryption-setup.sh includes dm_crypt module" {
    grep -q "dm_crypt" /workspace/config/hooks/installed/encryption-setup.sh
}

@test "encryption-setup.sh includes aes_xts module" {
    grep -q "aes_xts" /workspace/config/hooks/installed/encryption-setup.sh
}

@test "encryption-setup.sh configures LUKS2 type" {
    grep -q "luks2\|--type luks2" /workspace/config/hooks/installed/encryption-setup.sh
}

# Tests for encryption documentation accuracy

@test "README documents AES-256-XTS cipher" {
    grep -q "AES-256-XTS" /workspace/config/hooks/installed/encryption-setup.sh
}

@test "README documents 512-bit key size" {
    grep -q "512 bits\|Key Size: 512" /workspace/config/hooks/installed/encryption-setup.sh
}

@test "README documents LUKS2 format" {
    grep -q "Format: LUKS2\|LUKS2" /workspace/config/hooks/installed/encryption-setup.sh
}

@test "README documents SHA-512 hash" {
    grep -q "SHA-512\|Hash: SHA-512" /workspace/config/hooks/installed/encryption-setup.sh
}

# Integration tests - consistency checks

@test "Cipher configuration is consistent between preseed and encryption-setup" {
    # Both should reference aes-xts
    grep -q "aes-xts" /workspace/config/includes.installer/preseed.cfg
    grep -q "aes-xts" /workspace/config/hooks/installed/encryption-setup.sh
}

@test "Keysize configuration is consistent between preseed and encryption-setup" {
    # Both should reference 512-bit key
    grep -q "512" /workspace/config/includes.installer/preseed.cfg
    grep -q "512" /workspace/config/hooks/installed/encryption-setup.sh
}