#
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License;
# you may not use this file except in compliance with the Elastic License.
#

# frozen_string_literal: true

require 'faraday_middleware'

require 'utility/middleware/restrict_hostnames'

describe Utility::Middleware::RestrictHostnames do
  let(:localhost_ipv4_url) do
    { :url => Addressable::URI.parse('http://127.0.0.1') }
  end
  let(:localhost_url) do
    { :url => Addressable::URI.parse('http://localhost:8080') }
  end
  let(:localhost_ipv6_url) do
    { :url => Addressable::URI.parse('http://[::1]') }
  end
  let(:external_url) do
    { :url => Addressable::URI.parse('https://google.com') }
  end

  class StubbedApp
    def call(_)
      'it worked'
    end
  end

  subject do
    described_class.new(StubbedApp.new, :allowed_hosts => hosts)
  end

  shared_examples_for 'a blocked call' do
    it 'raises because the address is not allowed' do
      expect { subject.call(env) }.to raise_error(Utility::Middleware::RestrictHostnames::AddressNotAllowed)
    end
  end

  shared_examples_for 'an allowed call' do
    it '' do
      expect(subject.call(env)).to eq('it worked')
    end
  end

  context 'by default' do
    let(:hosts) { [] }
    context 'localhost ip4' do
      let(:env) { localhost_ipv4_url }
      it_behaves_like 'a blocked call'
    end

    context 'localhost ipv6' do
      let(:env) { localhost_ipv6_url }
      it_behaves_like 'a blocked call'
    end

    context 'localhost domain' do
      let(:env) { localhost_url }
      it_behaves_like 'a blocked call'
    end

    context 'external domain' do
      let(:env) { external_url }
      it_behaves_like 'a blocked call'
    end
  end

  context 'when localhost URLs are allowed by hostname' do
    let(:hosts) { ['localhost'] }

    context 'localhost ipv4' do
      let(:env) { localhost_ipv4_url }
      it_behaves_like 'an allowed call'
    end

    context 'localhost ipv6' do
      let(:env) { localhost_ipv6_url }
      skip 'jenkins docker does not bind localhost to ipv6' do
        it_behaves_like 'an allowed call'
      end
    end

    context 'localhost domain' do
      let(:env) { localhost_url }
      it_behaves_like 'an allowed call'
    end

    context 'external domain' do
      let(:env) { external_url }
      it_behaves_like 'a blocked call'
    end
  end

  context 'when localhost URLs are allowed by IP' do
    let(:hosts) { ['127.0.0.1'] }

    context 'localhost ipv4' do
      let(:env) { localhost_ipv4_url }
      it_behaves_like 'an allowed call'
    end

    context 'localhost ipv6' do
      let(:env) { localhost_ipv6_url }
      it_behaves_like 'a blocked call'
    end

    context 'localhost domain' do
      let(:env) { localhost_url }
      it_behaves_like 'an allowed call'
    end

    context 'external domain' do
      let(:env) { external_url }
      it_behaves_like 'a blocked call'
    end
  end

  context 'when localhost IPV6 URLs are allowed' do
    let(:hosts) { ['::1'] }

    context 'localhost ipv4' do
      let(:env) { localhost_ipv4_url }
      it_behaves_like 'a blocked call'
    end

    context 'localhost ipv6' do
      let(:env) { localhost_ipv6_url }
      it_behaves_like 'an allowed call'
    end

    context 'localhost domain' do
      let(:env) { localhost_url }
      skip 'jenkins docker does not bind localhost to ipv6' do
        it_behaves_like 'an allowed call'
      end
    end

    context 'external domain' do
      let(:env) { external_url }
      it_behaves_like 'a blocked call'
    end
  end

  context 'when external URLs are allowed by URL' do
    let(:hosts) { ['https://google.com'] }

    context 'localhost ipv4' do
      let(:env) { localhost_ipv4_url }
      it_behaves_like 'a blocked call'
    end

    context 'localhost ipv6' do
      let(:env) { localhost_ipv6_url }
      it_behaves_like 'a blocked call'
    end

    context 'localhost domain' do
      let(:env) { localhost_url }
      it_behaves_like 'a blocked call'
    end

    context 'external domain' do
      let(:actual_ip) { double('good ip', :ip_address => '203.0.113.1') }
      let(:env) { external_url }

      before(:each) do
        allow(Addrinfo).to receive(:getaddrinfo).with(external_url[:url].host, nil, :UNSPEC, :STREAM).and_return(
          [actual_ip],
          [actual_ip]
        )
      end

      it_behaves_like 'an allowed call'

      context 'when DNS lookup changes between initialization and request' do
        let(:fake_ip) { double('bad ip', :ip_address => '203.0.113.0') } # TEST-NET-3
        let(:actual_ip) { double('good ip', :ip_address => '203.0.113.1') }

        before(:each) do
          allow(Addrinfo).to receive(:getaddrinfo).with(external_url[:url].host, nil, :UNSPEC, :STREAM).and_return(
            [fake_ip],
            [actual_ip]
          )
          expect(Utility::Logger).to receive(:warn).with('Requested url https://google.com with resolved ip addresses [#<IPAddr: IPv4:203.0.113.1/255.255.255.255>] does not match allowed hosts ["https://google.com"] with resolved ip addresses [#<IPAddr: IPv4:203.0.113.0/255.255.255.255>]. Retrying.').and_call_original
          expect(Utility::Logger).to_not receive(:error)
        end

        it_behaves_like 'an allowed call'
      end
    end
  end
end