#
# Author:: Seth Chisamore (<schisamo@chef.io>)
# Author:: Mark Mzyk (<mmzyk@chef.io>)
# Author:: John Keiser (<jkeiser@chef.io>)
# Copyright:: Copyright 2011-2016, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

require "etc"
require "functional/resource/base"

shared_context "setup correct permissions" do
  if windows?
    include_context "use Windows permissions"
  end

  # I could not get this to work with :requires_unprivileged_user for whatever
  # reason. The setup when running as root is the same as non-root, except we
  # also do a chown, so this sets up correct context for either case.
  before :each, :unix_only do
    File.chmod(0776, path)
    now = Time.now.to_i
    File.utime(now - 9000, now - 9000, path)
  end

  # Root only context.
  before :each, :unix_only, :requires_root do
    if ohai[:platform] == "aix"
      File.chown(Etc.getpwnam("guest").uid, 1337, path)
    else
      File.chown(Etc.getpwnam("nobody").uid, 1337, path)
    end
  end

  before :each, :windows_only do
    so = SecurableObject.new(path)
    so.owner = SID.Administrator
    so.group = SID.Administrators
    dacl = ACL.create(denied_acl(SID.Guest, expected_modify_perms) +
                      allowed_acl(SID.Guest, expected_read_perms))
    so.dacl = dacl
  end
end

shared_context "setup broken permissions" do
  if windows?
    include_context "use Windows permissions"
  end

  before :each, :unix_only do
    File.chmod(0644, path)
  end

  before :each, :unix_only, :requires_root do
    File.chown(0, 0, path)
  end

  before :each, :windows_only do
    so = SecurableObject.new(path)
    so.owner = SID.Guest
    so.group = SID.Everyone
    dacl = ACL.create(allowed_acl(SID.Guest, expected_modify_perms))
    so.set_dacl(dacl, true)
  end
end

shared_context "use Windows permissions", :windows_only do
  if windows?
    SID ||= Chef::ReservedNames::Win32::Security::SID
    ACE ||= Chef::ReservedNames::Win32::Security::ACE
    ACL ||= Chef::ReservedNames::Win32::Security::ACL
    SecurableObject ||= Chef::ReservedNames::Win32::Security::SecurableObject # rubocop:disable Naming/ConstantName
  end

  def get_security_descriptor(path)
    Chef::ReservedNames::Win32::Security.get_named_security_info(path)
  end

  def explicit_aces
    descriptor.dacl.select { |ace| ace.explicit? }
  end

  def extract_ace_properties(aces)
    hashes = []
    aces.each do |ace|
      hashes << { mask: ace.mask, type: ace.type, flags: ace.flags }
    end
    hashes
  end

  # Standard expected rights
  let(:expected_read_perms) do
    {
      generic: Chef::ReservedNames::Win32::API::Security::GENERIC_READ,
      specific: Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ,
    }
  end

  let(:expected_read_execute_perms) do
    {
      generic: Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE,
      specific: Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_EXECUTE,
    }
  end

  let(:expected_write_perms) do
    {
      generic: Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE,
      specific: Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE,
    }
  end

  let(:expected_modify_perms) do
    {
      generic: Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE | Chef::ReservedNames::Win32::API::Security::DELETE,
      specific: Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_EXECUTE | Chef::ReservedNames::Win32::API::Security::DELETE,
    }
  end

  let(:expected_full_control_perms) do
    {
      generic: Chef::ReservedNames::Win32::API::Security::GENERIC_ALL,
      specific: Chef::ReservedNames::Win32::API::Security::FILE_ALL_ACCESS,
    }
  end

  RSpec::Matchers.define :have_expected_properties do |mask, type, flags|
    match do |ace|
      ace.mask == mask &&
        ace.type == type &&
        ace.flags == flags
    end
  end

  def descriptor
    get_security_descriptor(path)
  end
end

shared_examples_for "a securable resource with existing target" do

  include_context "diff disabled"

  context "on Unix", :unix_only do
    if ohai[:platform] == "aix"
      let(:expected_user_name) { "guest" }
    else
      let(:expected_user_name) { "nobody" }
    end
    let(:expected_uid) { Etc.getpwnam(expected_user_name).uid }
    let(:desired_gid) { 1337 }
    let(:expected_gid) { 1337 }

    describe "when setting the owner", :requires_root do
      before do
        resource.owner expected_user_name
        resource.run_action(:create)
      end

      it "should set an owner" do
        expect(File.lstat(path).uid).to eq(expected_uid)
      end

      it "is marked as updated only if changes are made" do
        expect(resource.updated_by_last_action?).to eq(expect_updated?)
      end

    end

    describe "when setting the group", :requires_root do
      before do
        resource.group desired_gid
        resource.run_action(:create)
      end

      it "should set a group" do
        expect(File.lstat(path).gid).to eq(expected_gid)
      end

      it "is marked as updated only if changes are made" do
        expect(resource.updated_by_last_action?).to eq(expect_updated?)
      end

    end

    describe "when setting the permissions from octal given as a String" do
      before do
        @mode_string = "776"
        resource.mode @mode_string
        resource.run_action(:create)
      end

      it "is marked as updated only if changes are made" do
        expect(resource.updated_by_last_action?).to eq(expect_updated?)
      end
    end

    describe "when setting permissions from a literal octal Integer" do
      before do
        @mode_integer = 0776
        resource.mode @mode_integer
        resource.run_action(:create)
      end

      it "is marked as updated only if changes are made" do
        expect(resource.updated_by_last_action?).to eq(expect_updated?)
      end
    end

    describe "when setting the suid bit", :requires_root do
      before do
        @suid_mode = 04776
        resource.mode @suid_mode
        resource.run_action(:create)
      end

      it "should set the suid bit" do
        expect(File.lstat(path).mode & 007777).to eq(@suid_mode & 007777)
      end

      it "should retain the suid bit when updating the user" do
        resource.user 1338
        resource.run_action(:create)
        expect(File.lstat(path).mode & 007777).to eq(@suid_mode & 007777)
      end
    end
  end

  context "on Windows", :windows_only do
    include_context "use Windows permissions"

    describe "when setting owner" do
      before do
        resource.owner(SID.admin_account_name)
        resource.run_action(:create)
      end

      it "should set the owner" do
        expect(descriptor.owner).to eq(SID.Administrator)
      end

      it "is marked as updated only if changes are made" do
        expect(resource.updated_by_last_action?).to eq(expect_updated?)
      end
    end

    describe "when setting group" do
      before do
        resource.group("Administrators")
        resource.run_action(:create)
      end

      it "should set the group" do
        expect(descriptor.group).to eq(SID.Administrators)
      end

      it "is marked as updated only if changes are made" do
        expect(resource.updated_by_last_action?).to eq(expect_updated?)
      end
    end

    describe "when setting rights and deny_rights" do
      before do
        resource.deny_rights(:modify, "Guest")
        resource.rights(:read, "Guest")
        resource.run_action(:create)
      end

      it "should set the rights and deny_rights" do
        expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_modify_perms) + allowed_acl(SID.Guest, expected_read_perms))
      end

      it "is marked as updated only if changes are made" do
        expect(resource.updated_by_last_action?).to eq(expect_updated?)
      end
    end
  end
end

shared_examples_for "a securable resource without existing target" do

  include_context "diff disabled"

  context "on Windows", :windows_only do
    include_context "use Windows permissions"

    it "leaves owner as system default on create if owner is not specified" do
      expect(File.exist?(path)).to eq(false)
      resource.run_action(:create)
      expect(descriptor.owner).to eq(SID.default_security_object_owner)
    end

    it "sets owner when owner is specified" do
      resource.owner "Guest"
      resource.run_action(:create)
      expect(descriptor.owner).to eq(SID.Guest)
    end

    it "fails to set owner when owner has invalid characters" do
      expect { resource.owner 'Lance "The Nose" Glindenberry III' }.to raise_error(Chef::Exceptions::ValidationFailed)
    end

    it "sets owner when owner is specified with a \\" do
      resource.owner "#{ENV['COMPUTERNAME']}\\Guest"
      resource.run_action(:create)
      expect(descriptor.owner).to eq(SID.Guest)
    end

    it "leaves owner alone if owner is not specified and resource already exists" do
      arbitrary_non_default_owner = SID.Guest
      expect(arbitrary_non_default_owner).not_to eq(SID.default_security_object_owner)

      resource.owner "Guest" # Change to arbitrary_non_default_owner once issue #1508 is fixed
      resource.run_action(:create)
      expect(descriptor.owner).to eq(arbitrary_non_default_owner)

      new_resource = create_resource
      expect(new_resource.owner).to eq(nil)
      new_resource.run_action(:create)
      expect(descriptor.owner).to eq(arbitrary_non_default_owner)
    end

    it "leaves group as system default on create if group is not specified" do
      expect(resource.group).to eq(nil)
      expect(File.exist?(path)).to eq(false)
      resource.run_action(:create)
      expect(descriptor.group).to eq(SID.default_security_object_group)
    end

    it "sets group when group is specified" do
      resource.group "Everyone"
      resource.run_action(:create)
      expect(descriptor.group).to eq(SID.Everyone)
    end

    it "fails to set group when group has invalid characters" do
      expect { resource.group 'Lance "The Nose" Glindenberry III' }.to raise_error(Chef::Exceptions::ValidationFailed)
    end

    it "leaves group alone if group is not specified and resource already exists" do
      arbitrary_non_default_group = SID.Everyone
      expect(arbitrary_non_default_group).not_to eq(SID.default_security_object_group)

      resource.group "Everyone" # Change to arbitrary_non_default_group once issue #1508 is fixed
      resource.run_action(:create)
      expect(descriptor.group).to eq(arbitrary_non_default_group)

      new_resource = create_resource
      expect(new_resource.group).to eq(nil)
      new_resource.run_action(:create)
      expect(descriptor.group).to eq(arbitrary_non_default_group)
    end

    describe "with rights and deny_rights attributes" do

      it "correctly sets :read rights" do
        resource.rights(:read, "Guest")
        resource.run_action(:create)
        expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_read_perms))
      end

      it "correctly sets :read_execute rights" do
        resource.rights(:read_execute, "Guest")
        resource.run_action(:create)
        expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_read_execute_perms))
      end

      it "correctly sets :write rights" do
        resource.rights(:write, "Guest")
        resource.run_action(:create)
        expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_write_perms))
      end

      it "correctly sets :modify rights" do
        resource.rights(:modify, "Guest")
        resource.run_action(:create)
        expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_modify_perms))
      end

      it "correctly sets :full_control rights" do
        resource.rights(:full_control, "Guest")
        resource.run_action(:create)
        expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_full_control_perms))
      end

      it "correctly sets deny_rights" do
        # deny is an ACE with full rights, but is a deny type ace, not an allow type
        resource.deny_rights(:full_control, "Guest")
        resource.run_action(:create)
        expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_full_control_perms))
      end

      it "Sets multiple rights" do
        resource.rights(:read, "Everyone")
        resource.rights(:modify, "Guest")
        resource.run_action(:create)

        expect(explicit_aces).to eq(
          allowed_acl(SID.Everyone, expected_read_perms) +
          allowed_acl(SID.Guest, expected_modify_perms)
        )
      end

      it "Sets deny_rights ahead of rights" do
        resource.rights(:read, "Everyone")
        resource.deny_rights(:modify, "Guest")
        resource.run_action(:create)

        expect(explicit_aces).to eq(
          denied_acl(SID.Guest, expected_modify_perms) +
          allowed_acl(SID.Everyone, expected_read_perms)
        )
      end

      it "Sets deny_rights ahead of rights when specified in reverse order" do
        resource.deny_rights(:modify, "Guest")
        resource.rights(:read, "Everyone")
        resource.run_action(:create)

        expect(explicit_aces).to eq(
          denied_acl(SID.Guest, expected_modify_perms) +
          allowed_acl(SID.Everyone, expected_read_perms)
        )
      end

    end

    context "with a mode attribute" do
      if windows?
        Security ||= Chef::ReservedNames::Win32::API::Security # rubocop:disable Naming/ConstantName
      end

      it "respects mode in string form as an octal number" do
        # on windows, mode cannot modify owner and/or group permissons
        # unless the owner and/or group as appropriate is specified
        resource.mode "400"
        resource.owner "Guest"
        resource.group "Everyone"
        resource.run_action(:create)

        expect(explicit_aces).to eq([ ACE.access_allowed(SID.Guest, Security::FILE_GENERIC_READ) ])
      end

      it "respects mode in numeric form as a ruby-interpreted octal" do
        resource.mode 0700
        resource.owner "Guest"
        resource.run_action(:create)

        expect(explicit_aces).to eq([ ACE.access_allowed(SID.Guest, Security::FILE_GENERIC_READ | Security::FILE_GENERIC_WRITE | Security::FILE_GENERIC_EXECUTE | Security::DELETE) ])
      end

      it "respects the owner, group and everyone bits of mode" do
        resource.mode 0754
        resource.owner "Guest"
        resource.group "Administrators"
        resource.run_action(:create)

        expect(explicit_aces).to eq([
          ACE.access_allowed(SID.Guest, Security::FILE_GENERIC_READ | Security::FILE_GENERIC_WRITE | Security::FILE_GENERIC_EXECUTE | Security::DELETE),
          ACE.access_allowed(SID.Administrators, Security::FILE_GENERIC_READ | Security::FILE_GENERIC_EXECUTE),
          ACE.access_allowed(SID.Everyone, Security::FILE_GENERIC_READ),
        ])
      end

      it "respects the individual read, write and execute bits of mode" do
        resource.mode 0421
        resource.owner "Guest"
        resource.group "Administrators"
        resource.run_action(:create)

        expect(explicit_aces).to eq([
          ACE.access_allowed(SID.Guest, Security::FILE_GENERIC_READ),
          ACE.access_allowed(SID.Administrators, Security::FILE_GENERIC_WRITE | Security::DELETE),
          ACE.access_allowed(SID.Everyone, Security::FILE_GENERIC_EXECUTE),
        ])
      end

      it "warns when mode tries to set owner bits but owner is not specified" do
        @warn = []
        allow(Chef::Log).to receive(:warn) { |msg| @warn << msg }

        resource.mode 0400
        resource.run_action(:create)

        expect(@warn.include?("Mode 400 includes bits for the owner, but owner is not specified")).to be_truthy
      end

      it "warns when mode tries to set group bits but group is not specified" do
        @warn = []
        allow(Chef::Log).to receive(:warn) { |msg| @warn << msg }

        resource.mode 0040
        resource.run_action(:create)

        expect(@warn.include?("Mode 040 includes bits for the group, but group is not specified")).to be_truthy
      end
    end

    it "does not inherit aces if inherits is set to false" do
      # We need at least one ACE if we're creating a securable without
      # inheritance
      resource.rights(:full_control, "Administrators")
      resource.inherits(false)
      resource.run_action(:create)

      descriptor.dacl.each do |ace|
        expect(ace.inherited?).to eq(false)
      end
    end

    it "has the inheritable acls of parent directory if no acl is specified" do
      expect(File.exist?(path)).to eq(false)

      # Collect the inheritable acls form the parent by creating a file without
      # any specific ACLs
      parent_acls = parent_inheritable_acls

      # On certain flavors of Windows the default list of ACLs sometimes includes
      # non-inherited ACLs. Filter them out here.
      parent_inherited_acls = parent_acls.dacl.collect do |ace|
        ace.inherited?
      end

      resource.run_action(:create)

      # Similarly filter out the non-inherited ACLs
      resource_inherited_acls = descriptor.dacl.collect do |ace|
        ace.inherited?
      end

      expect(resource_inherited_acls).to eq(parent_inherited_acls)
    end

  end
end