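# Copyright 2018 Red Hat, Inc.
# Copyright 2021 Acme Gating, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import json
import shlex


# Hosts these checks run against (read by testinfra).
testinfra_hosts = ['keycloak99.opendev.org']


def test_rdbms_listening(host):
    """The database accepts TCP connections on the IPv6 loopback, port 3306."""
    rdbms = host.socket("tcp://::1:3306")
    assert rdbms.is_listening


def test_keycloak_listening(host):
    """Keycloak accepts TCP connections on the IPv6 loopback, port 8080."""
    keycloak = host.socket("tcp://::1:8080")
    assert keycloak.is_listening


def test_rdbms_used(host):
    """Keycloak has written its schema to the MariaDB backend."""
    # This checks that keycloak created tables in the database,
    # ensuring our intended database backend is actually used.
    # The nested quotes get really ornery, so try to defuse some
    # of it with a raw string included via string formatting.
    query = (r'select DESCRIPTION from keycloak.KEYCLOAK_ROLE '
             'where NAME=\\"default-roles-master\\"')
    # The outer single quotes keep $MARIADB_PASSWORD from being expanded on
    # the host; it is expanded by bash inside the mariadb container. It is
    # double-quoted there so a password containing whitespace or glob
    # characters still reaches mysql as one argument.
    # NOTE(review): -p<password> places the secret on the mysql command
    # line inside the container; presumably acceptable for this test
    # deployment -- confirm before reusing the pattern elsewhere.
    cmd = host.run(
        """docker-compose -f /etc/keycloak-docker/docker-compose.yaml \
        exec -T mariadb bash -c '/usr/bin/mysql -B \
        -p"$MARIADB_PASSWORD" -ukeycloak -e "%s"'""" % query)
    assert ("role_default-roles" in cmd.stdout)


def test_keycloak_openid_config(host):
    """The OIDC discovery document advertises the public issuer URL."""
    # This tests the proxy config since the output is determined by
    # the proxy headers and is not hard-coded configuration.
    # --resolve sends the request for keycloak.opendev.org:443 to the local
    # listener on [::1]; --insecure skips certificate verification, so this
    # check says nothing about the validity of the served certificate.
    cmd = host.run('curl --insecure '
                   '--resolve keycloak.opendev.org:443:[::1] '
                   'https://keycloak.opendev.org/realms/master'
                   '/.well-known/openid-configuration')
    assert ('"issuer":"https://keycloak.opendev.org/realms/master"'
            in cmd.stdout)


def test_keycloak_admin_api(host):
    """The admin account can obtain a token and query the admin API."""
    # This tests the admin account and password can be used to
    # acquire an OIDC bearer token and then use it to check the
    # user count.
    # NOTE(review): the admin password is hard-coded and sent on the curl
    # command line; presumably a fixture credential that exists only on the
    # test deployment -- confirm it is not shared with any real realm.
    cmd = host.run('curl --insecure '
                   '--resolve keycloak.opendev.org:443:[::1] '
                   '-X POST '
                   '-H "Content-Type: application/x-www-form-urlencoded" '
                   '-d "username=admin" '
                   '-d "password=testpassword" '
                   '-d "grant_type=password" '
                   '-d "client_id=admin-cli" '
                   'https://keycloak.opendev.org'
                   '/realms/master/protocol/openid-connect/token')
    # Surface curl's own error text instead of a JSON decode error when the
    # request itself failed.
    assert cmd.rc == 0, cmd.stderr
    token = json.loads(cmd.stdout)
    assert token["token_type"] == "Bearer"

    # The access token is data returned by the server. Quote the whole
    # header so it always reaches curl as a single argument and is never
    # interpreted by the shell that host.run() invokes.
    auth_header = shlex.quote(
        "Authorization: Bearer %s" % token["access_token"])
    cmd = host.run('curl --insecure '
                   '--resolve keycloak.opendev.org:443:[::1] '
                   '-H %s '
                   '-H "Content-Type: application/json" '
                   'https://keycloak.opendev.org'
                   '/admin/realms/master/users/count' % auth_header)
    assert cmd.stdout == "1"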