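#!/bin/bash
# Test: Docker socket access control via group membership
# Phase: RED - This test will fail initially (no users configured)
#
# Checks, in order:
#   1. /var/run/docker.sock is not reachable by "other" (660 or stricter)
#   2. the docker group exists
#   3. usermod is available so users can later be added to the docker group
#   4. the socket is group-owned by docker
#
# Exit status: 0 when no check FAILs, 1 otherwise. WARN results are counted
# as passes: they describe a state this phase cannot yet verify, not an
# exposure.
#
# Security note: membership in the docker group is root-equivalent on the
# host (a member can start a privileged container or bind-mount /), so the
# socket must never be reachable by "other", and membership of whatever
# group owns the socket should be limited to trusted users.

set -euo pipefail

# Counter helpers that work with set -e: (( x++ )) returns 1 when x was 0,
# which would otherwise abort the script on the first increment.
inc_pass() { ((pass_count++)) || true; }
inc_fail() { ((fail_count++)) || true; }

readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'

pass_count=0
fail_count=0

#######################################
# Check 1: the Docker socket is not accessible by "other".
# Globals:  pass_count / fail_count (written via inc_pass / inc_fail)
# Outputs:  one PASS/WARN/FAIL line on stdout
# Returns:  0 on PASS or WARN, 1 on FAIL
#######################################
test_socket_permissions() {
  local socket="/var/run/docker.sock"
  local perms other

  # Without a socket there is nothing to verify; say so instead of treating
  # a missing file as "000" permissions.
  if [ ! -S "$socket" ]; then
    echo -e "${YELLOW}WARN${NC}: Docker socket not found at $socket; cannot verify permissions"
    inc_pass
    return 0
  fi

  perms=$(stat -c "%a" "$socket")
  # %a may carry a leading special-bits digit (e.g. 1660), so compare only
  # the last digit, which describes "other". Any other-bit set is a FAIL:
  # connect() on a UNIX socket needs write permission, so a world-writable
  # socket hands every local user root-equivalent control of dockerd.
  other=${perms: -1}
  if [ "$other" = "0" ]; then
    echo -e "${GREEN}PASS${NC}: Docker socket permissions are $perms (not accessible by other)"
    inc_pass
    return 0
  else
    echo -e "${RED}FAIL${NC}: Docker socket permissions are $perms (world-accessible; expected 660 or stricter)"
    inc_fail
    return 1
  fi
}

#######################################
# Check 2: the docker group exists.
# Globals:  pass_count / fail_count (written via inc_pass / inc_fail)
# Outputs:  one PASS/FAIL line on stdout
# Returns:  0 on PASS, 1 on FAIL
#######################################
test_docker_group_exists() {
  if getent group docker >/dev/null 2>&1; then
    echo -e "${GREEN}PASS${NC}: Docker group exists"
    inc_pass
    return 0
  fi
  echo -e "${RED}FAIL${NC}: Docker group does not exist"
  inc_fail
  return 1
}

#######################################
# Check 3: the mechanism for group management (usermod) is available.
# This verifies the MECHANISM only; it does not check that any user
# (the target in later phases is lab01_student) has been added yet.
# Globals:  pass_count / fail_count (written via inc_pass / inc_fail)
# Outputs:  one PASS/FAIL line on stdout
# Returns:  0 on PASS, 1 on FAIL
#######################################
test_user_can_add_to_docker_group() {
  # usermod lives in /usr/sbin, which may not be in PATH for non-root users.
  if command -v usermod >/dev/null 2>&1 || [ -x /usr/sbin/usermod ]; then
    echo -e "${GREEN}PASS${NC}: usermod command available for group management"
    inc_pass
    return 0
  fi
  echo -e "${RED}FAIL${NC}: usermod command not available"
  inc_fail
  return 1
}

#######################################
# Check 4: the Docker socket is group-owned by docker.
# A different owning group is a WARN, not a FAIL: it is not by itself an
# exposure (check 1 covers "other"), but whoever is in that group has
# root-equivalent access, so the group should be reviewed.
# Globals:  pass_count (written via inc_pass)
# Outputs:  one PASS/WARN line on stdout
# Returns:  0
#######################################
test_docker_accessible_by_group() {
  local socket_group
  socket_group=$(stat -c "%G" /var/run/docker.sock 2>/dev/null || echo "unknown")
  if [ "$socket_group" = "docker" ]; then
    echo -e "${GREEN}PASS${NC}: Docker socket owned by docker group"
  else
    echo -e "${YELLOW}WARN${NC}: Docker socket owned by $socket_group (expected docker)"
  fi
  inc_pass
  return 0
}

#######################################
# Run every check, print the summary and exit 1 if any check FAILed.
#######################################
main() {
  local t
  echo "Running Docker access control tests..."
  echo "======================================"
  # Each test is invoked through `|| true`: a failing test has already
  # bumped fail_count, and under `set -e` a bare call returning 1 would
  # abort the script before the remaining tests and the summary ran.
  for t in test_socket_permissions test_docker_group_exists \
           test_user_can_add_to_docker_group test_docker_accessible_by_group; do
    "$t" || true
  done
  echo "======================================"
  echo "Tests passed: $pass_count"
  echo "Tests failed: $fail_count"
  if [ "$fail_count" -gt 0 ]; then
    exit 1
  fi
  exit 0
}

main "$@"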