# These tests confirm that calling the generate_secrets recipe works correctly
# both when using the default path and and when using anoptional path to the
# secrets file. It tests that the file is created and contains secrets. It does
# not exhaustively test the resulting secrets file contents. Those tests are
# left to secrets_helper_spec.rb.

require 'chef_helper'
require_relative '../../../../../files/gitlab-cookbooks/package/libraries/helpers/secrets_helper'

RSpec.describe 'generate_secrets' do
  let(:chef_runner) { ChefSpec::SoloRunner.new }
  let(:chef_run) { chef_runner.converge('gitlab::generate_secrets') }
  let(:node) { chef_runner.node }

  optional_path = '/etc/mygitlab/mysecrets.json'.freeze
  hex_key = /\h{128}/.freeze
  rsa_key = /\A-----BEGIN RSA PRIVATE KEY-----\n.+\n-----END RSA PRIVATE KEY-----\n\Z/m.freeze
  alphanumeric_key_regex = /\A[A-Za-z0-9]{32}\Z/m.freeze
  default_secrets_error_regexp = %r{You have enabled writing to the default secrets file location with package\['generate_secrets_json_file'].*}

  before do
    allow(File).to receive(:directory?).and_call_original
    allow(File).to receive(:exist?).and_call_original
    allow(File).to receive(:read).and_call_original
    allow(File).to receive(:open).and_call_original
  end

  context 'when default directory does not exist' do
    it 'does not write secrets to the file' do
      allow(File).to receive(:directory?).with(File.dirname(SecretsHelper::SECRETS_FILE)).and_return(false)
      expect(File).not_to receive(:open).with(SecretsHelper::SECRETS_FILE, 'w')

      chef_run
    end
  end

  context 'when optional path directory does not exist' do
    it 'does not write secrets to the file' do
      allow(File).to receive(:directory?).with(File.dirname(optional_path)).and_return(false)
      expect(File).not_to receive(:open).with(optional_path, 'w')

      node.normal[SecretsHelper::SECRETS_FILE_CHEF_ATTR] = optional_path
      chef_run
    end
  end

  context 'when optional path directory does exists and we request the optional secret path' do
    let(:file) { double(:file) }
    let(:new_secrets) { @new_secrets }
    before do
      allow(SecretsHelper).to receive(:system)
      allow(File).to receive(:directory?).with(File.dirname(optional_path)).and_return(true)

      allow(file).to receive(:puts) { |json| @new_secrets = JSON.parse(json) }
      allow(file).to receive(:chmod).and_return(true)
    end

    context 'when there are no existing secrets and generate_secrets_json_file = false' do
      before do
        allow(File).to receive(:open).with(optional_path, 'w', 0600).and_yield(file).once

        node.normal[SecretsHelper::SECRETS_FILE_CHEF_ATTR] = optional_path
        node.normal['package']['generate_secrets_json_file'] = false
        chef_run
      end

      it 'writes new secrets to the file, with different values for each' do
        rails_keys = new_secrets['gitlab_rails']
        hex_keys = rails_keys.values_at('db_key_base', 'otp_key_base', 'secret_key_base', 'encrypted_settings_key_base')
        alphanumeric_keys = rails_keys.values_at(
          'active_record_encryption_primary_key',
          'active_record_encryption_deterministic_key',
          'active_record_encryption_key_derivation_salt'
        ).flatten
        rsa_keys = rails_keys.values_at('openid_connect_signing_key')

        expect(rails_keys.to_a.uniq).to eq(rails_keys.to_a)
        expect(hex_keys).to all(match(hex_key))
        expect(alphanumeric_keys.flatten).to all(match(alphanumeric_key_regex))
        expect(rsa_keys).to all(match(rsa_key))
      end
    end
  end

  context 'when there are no existing secrets and generate_secrets_json_file = true' do
    before do
      allow(File).to receive(:directory?).with(optional_path).and_return(false)
      allow(File).to receive(:exist?).with(File.dirname(optional_path)).and_return(true)
      node.normal[SecretsHelper::SECRETS_FILE_CHEF_ATTR] = optional_path
      node.normal['package']['generate_secrets_json_file'] = true
    end

    it 'does not write secrets to the file' do
      expect(File).not_to receive(:directory?).with(File.dirname(optional_path))
      expect(File).not_to receive(:open).with(optional_path, 'w')
      expect(LoggingHelper).to receive(:warning).with(default_secrets_error_regexp)

      chef_run
    end
  end

  context 'when there are no existing secrets and generate_secrets_json_file is not set' do
    before do
      allow(File).to receive(:directory?).with(optional_path).and_return(false)
      allow(File).to receive(:exist?).with(File.dirname(optional_path)).and_return(true)
      node.normal[SecretsHelper::SECRETS_FILE_CHEF_ATTR] = optional_path
    end

    it 'does not write secrets to the file' do
      expect(File).not_to receive(:directory?).with(File.dirname(optional_path))
      expect(File).not_to receive(:open).with(optional_path, 'w')
      expect(LoggingHelper).to receive(:warning).with(default_secrets_error_regexp)

      chef_run
    end
  end
end