#!/usr/bin/python
# -*- coding: utf-8 -*-

# This file is part of Cockpit.
#
# Copyright (C) 2013 Red Hat, Inc.
#
# Cockpit is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Cockpit is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with Cockpit; If not, see <http://www.gnu.org/licenses/>.

import parent
from testlib import *

class TestReauthorize(MachineCase):
    def testBasic(self):
        self.allow_authorize_journal_messages()
        self.allow_journal_messages('.*dropping message while waiting for child to exit.*')
        b = self.browser

        # Log in without being authorized
        self.login_and_go("/playground/test", authorized=False)
        b.click(".cockpit-internal-reauthorize .btn")
        b.wait_in_text(".cockpit-internal-reauthorize span", 'result:')
        self.assertEqual(b.text(".cockpit-internal-reauthorize span"), 'result: access-denied')

        # Log in again but be authorized
        b.relogin("/playground/test", authorized=True)
        b.click(".cockpit-internal-reauthorize .btn")
        b.wait_in_text(".cockpit-internal-reauthorize span", 'result:')
        self.assertEqual(b.text(".cockpit-internal-reauthorize span"), 'result: authorized')

        # Deauthorize from the top bar
        b.leave_page()
        b.click("#navbar-dropdown")
        b.click("#credentials-item")
        b.wait_visible("a.credential-clear")
        b.click("a.credential-clear")
        b.wait_not_visible("a.credential-clear")
        b.click("#credentials-dialog [data-dismiss]")

        b.enter_page("/playground/test")

        b.click(".cockpit-internal-reauthorize .btn")
        b.wait_in_text(".cockpit-internal-reauthorize span", 'result:')

        self.assertEqual(b.text(".cockpit-internal-reauthorize span"), 'result: access-denied')

    def testSuper(self):
        self.allow_authorize_journal_messages()
        self.allow_journal_messages("Error receiving data: Connection reset by peer")
        self.allow_journal_messages("connection unexpectedly closed by peer")
        b = self.browser

        self.login_and_go("/playground/test")

        b.click(".super-channel .btn")
        b.wait_in_text(".super-channel span", 'result: ')

        self.assertIn('result: uid=0', b.text(".super-channel span"))

        # Deauthorize
        b.leave_page()
        b.click("#navbar-dropdown")
        b.click("#credentials-item")
        b.click("button.credential-clear")
        b.wait_not_visible("button.credential-clear")
        b.click("#credentials-dialog [data-dismiss]")

        b.enter_page("/playground/test")

        b.click(".super-channel .btn")
        b.wait_in_text(".super-channel span", 'result:')

        self.assertEqual(b.text(".super-channel span"), 'result: access-denied')

        # Now log in as root even without password caching
        b.logout
        self.login_and_go("/playground/test", authorized=False, user="root")
        b.click(".super-channel .btn")
        b.wait_in_text(".super-channel span", 'result: ')
        self.assertIn('result: uid=0', b.text(".super-channel span"))

        # When root and not authorized, the 'Locked' or 'Unlocked' indicators should not be visible
        b.leave_page()
        b.wait_not_visible("li.credential-lock")

    def testSudo(self):
        self.allow_authorize_journal_messages()
        m = self.machine
        b = self.browser

        m.execute("useradd user -s /bin/bash -c 'Barney' || true")
        m.execute("echo user:foobar | chpasswd")

        b.default_user = "user"
        self.login_and_go("/playground/test")
        b.click(".super-channel .btn")
        b.wait_in_text(".super-channel span", 'result: ')
        self.assertEqual(b.text(".super-channel span"), 'result: access-denied')
        b.logout()

        # HACK: https://bugzilla.redhat.com/show_bug.cgi?id=1196451
        # RHEL used to require this
        m.execute("sed -i /requiretty/d /etc/sudoers")

        # So first ask the user to retype their password
        m.execute("echo 'user ALL=(ALL) ALL' >> /etc/sudoers.d/user-override")
        self.login_and_go("/playground/test")
        b.click(".super-channel .btn")
        b.wait_in_text(".super-channel span", 'result: ')
        self.assertIn('result: uid=0', b.text(".super-channel span"))
        b.logout()

        # Next don't allow password to authorize the user, we should fail
        self.login_and_go("/playground/test", authorized=False)
        b.click(".super-channel .btn")
        b.wait_in_text(".super-channel span", 'result: ')
        self.assertEqual(b.text(".super-channel span"), 'result: access-denied')
        b.logout()

        # Next allow the user to do this without a password, succeeds
        m.execute("echo 'user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers.d/user-override")
        self.login_and_go("/playground/test", authorized=False)
        b.click(".super-channel .btn")
        b.wait_in_text(".super-channel span", 'result: ')
        self.assertIn('result: uid=0', b.text(".super-channel span"))

if __name__ == '__main__':
    test_main()
