# frozen_string_literal: true
require 'chef_helper'

RSpec.describe SELinuxHelper do
  let(:chef_run) { converge_config }

  context 'when building SELinux policy command strings' do
    before do
      allow(File).to receive(:exist?).and_call_original
      allow(File).to receive(:exist?).with('/var/opt/gitlab/.ssh').and_return(true)
      allow(File).to receive(:exist?).with('/var/opt/gitlab/.ssh/authorized_keys').and_return(true)
      allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret').and_return(true)
      allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-shell/config.yml').and_return(true)
      allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-workhorse/sockets').and_return(true)
    end

    def semanage_fcontext(filename)
      "semanage fcontext -a -t gitlab_shell_t '#{filename}'"
    end

    using RSpec::Parameterized::TableSyntax
    where(:dry_run, :restorecon_options) do
      true  | '-v -n'
      false | '-v'
    end

    with_them do
      let(:node) { chef_run.node }
      let(:lines) { SELinuxHelper.commands(node, dry_run: dry_run) }

      it 'adds the correct parameters to restorecon' do
        expect(lines).to include("restorecon -R #{restorecon_options} '/var/opt/gitlab/.ssh'")
        expect(lines).to include("restorecon #{restorecon_options} '/var/opt/gitlab/.ssh/authorized_keys'")
        expect(lines).to include("restorecon #{restorecon_options} '/var/opt/gitlab/gitlab-shell/config.yml'")
        expect(lines).to include("restorecon #{restorecon_options} '/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret'")
        expect(lines).to include("restorecon #{restorecon_options} '/var/opt/gitlab/gitlab-workhorse/sockets'")
      end

      it 'adds the correct SELinux file contexts' do
        files = %w(/var/opt/gitlab/.ssh(/.*)?
                   /var/opt/gitlab/.ssh/authorized_keys
                   /var/opt/gitlab/gitlab-shell/config.yml
                   /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
                   /var/opt/gitlab/gitlab-workhorse/sockets)

        managed_files = files.map { |file| semanage_fcontext(file) }
        expect(lines).to include(*managed_files)
      end
    end

    with_them do
      let(:user_sockets_directory) { '/how/do/you/do' }
      let(:node) { chef_run.node }
      let(:lines) { SELinuxHelper.commands(node, dry_run: dry_run) }

      before do
        allow(Gitlab).to receive(:[]).and_call_original
        stub_gitlab_rb(
          gitlab_workhorse: {
            listen_network: 'unix',
            sockets_directory: user_sockets_directory
          }
        )
        allow(File).to receive(:exist?).with(user_sockets_directory).and_return(true)
      end

      context 'when the user sets a custom workhorse sockets directory' do
        it 'applies the security context to the custom workhorse sockets directory' do
          files = [user_sockets_directory]
          managed_files = files.map { |file| semanage_fcontext(file) }

          expect(lines).to include(*managed_files)
          expect(lines).to include("restorecon #{restorecon_options} '#{user_sockets_directory}'")
        end
      end
    end
  end
end