require 'chef_helper'

RSpec.describe LetsEncrypt do
  subject { ::LetsEncrypt }

  before do
    allow(Gitlab).to receive(:[]).and_call_original
  end

  context '.parse_variables' do
    it 'calls to parse_enable' do
      expect(subject).to receive(:parse_enable)

      subject.parse_variables
    end
  end

  context '.parse_enable' do
    context 'when specifying letsencrypt enabled' do
      context 'true' do
        before { stub_gitlab_rb(letsencrypt: { enable: true }) }

        it 'should not call should_auto_enable?' do
          expect(subject).not_to receive(:should_auto_enable?)

          subject.parse_enable
        end
      end

      context 'false' do
        before { stub_gitlab_rb(letsencrypt: { enable: false }) }

        it 'should not call should_auto_enable?' do
          expect(subject).not_to receive(:should_auto_enable?)

          subject.parse_enable
        end
      end

      context 'unspecified' do
        it 'should use the value of should_auto_enable' do
          allow(subject).to receive(:should_auto_enable?).and_return('bananas')
          subject.parse_enable

          expect(Gitlab['letsencrypt']['enable']).to eq('bananas')
        end
      end
    end
  end

  context '.should_auto_enable?' do
    let(:node) { Mash.new(gitlab: { nginx: {} }) }

    before do
      stub_gitlab_rb(
        gitlab_rails: {
          gitlab_https: true
        },
        nginx: {
          ssl_certificate_key: 'example.key',
          ssl_certificate: 'example.crt'
        }
      )

      allow(Gitlab).to receive(:[]).with(:node).and_return(node)
      allow(File).to receive(:exist?).with('example.key').and_return(false)
      allow(File).to receive(:exist?).with('example.crt').and_return(false)
    end

    it 'is true' do
      expect(subject.should_auto_enable?).to be_truthy
    end

    it 'is false when not using a https url' do
      stub_gitlab_rb(gitlab_rails: { gitlab_https: false })

      expect(subject.should_auto_enable?).to be_falsey
    end

    it 'is false when nginx is not enabled' do
      stub_gitlab_rb(nginx: { enable: false })

      expect(subject.should_auto_enable?).to be_falsey
    end

    it 'is false when nginx is disabled by roles' do
      allow(node['gitlab']['nginx']).to receive(:[]).with('enable').and_return(false)

      expect(subject.should_auto_enable?).to be_falsey
    end

    it 'is false with explicit nginx.listen_https = false' do
      stub_gitlab_rb(nginx: { listen_https: false })

      expect(subject.should_auto_enable?).to be_falsey
    end

    it 'is false with the key present' do
      allow(File).to receive(:exist?).with('example.key').and_return(true)

      expect(subject.should_auto_enable?).to be_falsey
    end

    it 'is false with the cert present' do
      mock_cert = OpenSSL::X509::Certificate.new
      allow(mock_cert).to receive(:not_after).and_return(Time.now + 600)
      allow(File).to receive(:exist?).with('example.crt').and_return(true)
      allow(File).to receive(:read).with('example.crt').and_return(nil)
      allow(OpenSSL::X509::Certificate).to receive(:new).and_return(mock_cert)

      expect(subject.should_auto_enable?).to be_falsey
    end

    it 'is true when files present, but we provisioned them before' do
      stub_gitlab_rb(letsencrypt: { auto_enabled: true })

      allow(File).to receive(:exist?).with('example.key').and_return(true)
      allow(File).to receive(:exist?).with('example.crt').and_return(true)

      expect(subject.should_auto_enable?).to be_truthy
    end

    it 'is true when files present, but LE certificate is expired' do
      mock_cert = OpenSSL::X509::Certificate.new
      allow(mock_cert).to receive(:not_after).and_return(Time.now - 1)
      allow(mock_cert).to receive(:issuer).and_return(
        OpenSSL::X509::Name.parse(%(/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3)))
      allow(File).to receive(:exist?).with('example.key').and_return(true)
      allow(File).to receive(:exist?).with('example.crt').and_return(true)
      allow(File).to receive(:read).with('example.crt').and_return(nil)
      allow(OpenSSL::X509::Certificate).to receive(:new).and_return(mock_cert)

      expect(subject.should_auto_enable?).to be_truthy
    end

    it 'is false when files present, but non-LE certificate is expired' do
      mock_cert = OpenSSL::X509::Certificate.new
      allow(mock_cert).to receive(:not_after).and_return(Time.now - 1)
      allow(mock_cert).to receive(:issuer).and_return(
        OpenSSL::X509::Name.parse('/C=US/O=Example Corporation/CN=Example'))
      allow(File).to receive(:exist?).with('example.key').and_return(true)
      allow(File).to receive(:exist?).with('example.crt').and_return(true)
      allow(File).to receive(:read).with('example.crt').and_return(nil)
      allow(OpenSSL::X509::Certificate).to receive(:new).and_return(mock_cert)

      expect(subject.should_auto_enable?).to be_falsey
    end
  end

  context '.save_auto_enabled' do
    it 'does nothing if not auto_enabled' do
      expect(SecretsHelper).not_to receive(:load_gitlab_secrets)

      subject.save_auto_enabled
    end

    context 'auto_enabled' do
      before do
        stub_gitlab_rb(letsencrypt: { auto_enabled: true })
        allow(SecretsHelper).to receive(:load_gitlab_secrets).and_return({})
        allow(SecretsHelper).to receive(:write_to_gitlab_secrets)
      end

      it 'writes when secret is absent' do
        expect(SecretsHelper).to receive(:write_to_gitlab_secrets)

        subject.save_auto_enabled
      end

      it 'does not write if secret is already true' do
        allow(SecretsHelper).to receive(:load_gitlab_secrets)
          .and_return('letsencrypt' => { 'auto_enabled' => true })
        expect(SecretsHelper).not_to receive(:write_to_gitlab_secrets)

        subject.save_auto_enabled
      end
    end
  end
end