#
# Author:: Adam Edwards (<adamed@chef.io>)
# Copyright:: Copyright (c) 2015 Chef Software, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

require "spec_helper"
require "chef/util/windows/logon_session"

describe ::Chef::Util::Windows::LogonSession do
  before do
    stub_const("Chef::ReservedNames::Win32::API::Security", Class.new)
    stub_const("Chef::ReservedNames::Win32::API::Security::LOGON32_LOGON_NEW_CREDENTIALS", 314)
    stub_const("Chef::ReservedNames::Win32::API::Security::LOGON32_PROVIDER_DEFAULT", 159)
    stub_const("Chef::ReservedNames::Win32::API::System", Class.new )
  end

  let(:session) { ::Chef::Util::Windows::LogonSession.new(session_user, password, session_domain, authentication) }
  let(:authentication) { :remote }

  shared_examples_for "it received syntactically invalid credentials" do
    it "does not raisees an exception when it is initialized" do
      expect { session }.to raise_error(ArgumentError)
    end
  end

  shared_examples_for "it received an incorrect username and password combination" do
    before do
      expect(Chef::ReservedNames::Win32::API::Security).to receive(:LogonUserW).and_return(false)
    end

    it "raises a Chef::Exceptions::Win32APIError exception when the open method is called" do
      expect { session.open }.to raise_error(Chef::Exceptions::Win32APIError)
      expect(session).not_to receive(:close)
      expect(Chef::ReservedNames::Win32::API::System).not_to receive(:CloseHandle)
    end
  end

  shared_examples_for "it received valid credentials" do
    it "does not raise an exception when the open method is called" do
      expect(Chef::ReservedNames::Win32::API::Security).to receive(:LogonUserW).and_return(true)
      expect { session.open }.not_to raise_error
    end
  end

  shared_examples_for "the session is not open" do
    it "does not raise an exception when #open is called" do
      expect(Chef::ReservedNames::Win32::API::Security).to receive(:LogonUserW).and_return(true)
      expect { session.open }.not_to raise_error
    end

    it "raises an exception if #close is called" do
      expect { session.close }.to raise_error(RuntimeError)
    end

    it "raises an exception if #restore_user_context is called" do
      expect { session.restore_user_context }.to raise_error(RuntimeError)
    end
  end

  shared_examples_for "the session is open" do
    before do
      allow(Chef::ReservedNames::Win32::API::System).to receive(:CloseHandle)
    end
    it "does not result in an exception when #restore_user_context is called" do
      expect { session.restore_user_context }.not_to raise_error
    end

    it "does not result in an exception when #close is called" do
      expect { session.close }.not_to raise_error
    end

    it "does close the operating system handle when #close is called" do
      expect(Chef::ReservedNames::Win32::API::System).not_to receive(:CloseHandle)
      expect { session.restore_user_context }.not_to raise_error
    end
  end

  context "when the session is initialized with a nil user" do
    context "when the password, and domain are all nil" do
      let(:session_user) { nil }
      let(:session_domain) { nil }
      let(:password) { nil }
      it_behaves_like "it received syntactically invalid credentials"
    end

    context "when the password is non-nil password, and the domain is nil" do
      let(:session_user) { nil }
      let(:password) { "ponies" }
      let(:session_domain) { nil }
      it_behaves_like "it received syntactically invalid credentials"
    end

    context "when the password is nil and the domain is non-nil" do
      let(:session_user) { nil }
      let(:password) { nil }
      let(:session_domain) { "fairyland" }
      it_behaves_like "it received syntactically invalid credentials"
    end

    context "when the password and domain are non-nil" do
      let(:session_user) { nil }
      let(:password) { "ponies" }
      let(:session_domain) { "fairyland" }
      it_behaves_like "it received syntactically invalid credentials"
    end
  end

  context "when the session is initialized with a valid user" do
    let(:session_user) { "chalena" }

    context "when the password is nil" do
      let(:password) { nil }
      context "when the domain is non-nil" do
        let(:session_domain) { "fairyland" }
        it_behaves_like "it received syntactically invalid credentials"
      end

      context "when the domain is nil" do
        context "when the domain is non-nil" do
          let(:session_domain) { nil }
          it_behaves_like "it received syntactically invalid credentials"
        end
      end
    end

    context "when a syntactically valid username and password are supplied" do
      context "when the password is non-nil and the domain is nil" do
        let(:password) { "ponies" }
        let(:session_domain) { nil }
        it "does not raise an exception if it is initialized with a non-nil username, non-nil password, and a nil domain" do
          expect { session }.not_to raise_error
        end

        it_behaves_like "it received valid credentials"
        it_behaves_like "it received an incorrect username and password combination"
      end

      context "when the password and domain are non-nil" do
        let(:password) { "ponies" }
        let(:session_domain) { "fairyland" }
        it "does not raise an exception if it is initialized with a non-nil username, non-nil password, and non-nil domain" do
          expect { session }.not_to raise_error
        end

        it_behaves_like "it received valid credentials"
        it_behaves_like "it received an incorrect username and password combination"
      end

      context "when the #open method has not been called" do
        let(:password) { "ponies" }
        let(:session_domain) { "fairyland" }
        it_behaves_like "the session is not open"
      end

      context "when the session was opened" do
        let(:password) { "ponies" }
        let(:session_domain) { "fairyland" }

        before do
          expect(Chef::ReservedNames::Win32::API::Security).to receive(:LogonUserW).and_return(true)
          expect { session.open }.not_to raise_error
        end

        it "raises an exception if #open is called" do
          expect { session.open }.to raise_error(RuntimeError)
        end

        context "when the session was opened and then closed with the #close method" do
          before do
            expect(Chef::ReservedNames::Win32::API::System).to receive(:CloseHandle)
            expect { session.close }.not_to raise_error
          end
          it_behaves_like "the session is not open"
        end

        it "can be closed and close the operating system handle" do
          expect(Chef::ReservedNames::Win32::API::System).to receive(:CloseHandle)
          expect { session.close }.not_to raise_error
        end

        it "can impersonate the user" do
          expect(Chef::ReservedNames::Win32::API::Security).to receive(:ImpersonateLoggedOnUser).and_return(true)
          expect { session.set_user_context }.not_to raise_error
        end

        context "when #set_user_context fails due to low resources causing a failure to impersonate" do
          before do
            expect(Chef::ReservedNames::Win32::API::Security).to receive(:ImpersonateLoggedOnUser).and_return(false)
          end

          it "raises an exception when #set_user_context fails because impersonation failed" do
            expect { session.set_user_context }.to raise_error(Chef::Exceptions::Win32APIError)
          end

          context "when calling subsequent methods" do
            before do
              expect { session.set_user_context }.to raise_error(Chef::Exceptions::Win32APIError)
              expect(Chef::ReservedNames::Win32::API::Security).not_to receive(:RevertToSelf)
            end

            it_behaves_like "the session is open"
          end
        end

        context "when #set_user_context successfully impersonates the user" do
          before do
            expect(Chef::ReservedNames::Win32::API::Security).to receive(:ImpersonateLoggedOnUser).and_return(true)
            expect { session.set_user_context }.not_to raise_error
          end

          context "when attempting to impersonate while already impersonating" do
            it "raises an error if the #set_user_context is called again" do
              expect { session.set_user_context }.to raise_error(RuntimeError)
            end
          end

          describe "the impersonation will be reverted" do
            before do
              expect(Chef::ReservedNames::Win32::API::Security).to receive(:RevertToSelf).and_return(true)
            end
            it_behaves_like "the session is open"
          end

          context "when the attempt to revert impersonation fails" do
            before do
              expect(Chef::ReservedNames::Win32::API::Security).to receive(:RevertToSelf).and_return(false)
            end

            it "raises an exception when #restore_user_context is called" do
              expect { session.restore_user_context }.to raise_error(Chef::Exceptions::Win32APIError)
            end

            it "raises an exception when #close is called and impersonation fails" do
              expect { session.close }.to raise_error(Chef::Exceptions::Win32APIError)
            end

            context "when calling methods after revert fails in #restore_user_context" do
              before do
                expect { session.restore_user_context }.to raise_error(Chef::Exceptions::Win32APIError)
              end

              context "when revert continues to fail" do
                before do
                  expect(Chef::ReservedNames::Win32::API::Security).to receive(:RevertToSelf).and_return(false)
                end
                it "raises an exception when #close is called and impersonation fails" do
                  expect { session.close }.to raise_error(Chef::Exceptions::Win32APIError)
                end
              end

              context "when revert stops failing and succeeds" do
                before do
                  expect(Chef::ReservedNames::Win32::API::Security).to receive(:RevertToSelf).and_return(true)
                end

                it "does not raise an exception when #restore_user_context is called" do
                  expect { session.restore_user_context }.not_to raise_error
                end

                it "does not raise an exception when #close is called" do
                  expect(Chef::ReservedNames::Win32::API::System).to receive(:CloseHandle)
                  expect { session.close }.not_to raise_error
                end
              end
            end
          end
        end

      end
    end
  end
end