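// Tests for auth_client.c.
//
// These are integration tests: every AuthClientTest case talks to a live
// auth server, selected through the AUTH_SERVER environment variable
// (default "localhost:1617", see main()), using the test CA material
// under ../authserv/test/testca and ../authserv/test/testca-bad.
#include <cstdlib>

#include "gtest/gtest.h"

extern "C" {
#include "auth_client.h"
}

// Server address handed to auth_client_new(); set once in main().
static const char *server = nullptr;

// Client credentials issued by the CA the test server is expected to trust.
static const char *ssl_ca = "../authserv/test/testca/ca.pem";
static const char *ssl_cert = "../authserv/test/testca/certs/client.pem";
static const char *ssl_key = "../authserv/test/testca/private/client.key";

// Credentials issued by an unrelated CA; used to exercise the
// "untrusted peer" paths on both the client and the server side.
static const char *ssl_bad_ca = "../authserv/test/testca-bad/ca.pem";
static const char *ssl_bad_cert = "../authserv/test/testca-bad/certs/client.pem";
static const char *ssl_bad_key = "../authserv/test/testca-bad/private/client.key";

// A curl error code must survive the round trip through the auth_client
// error space unchanged.
TEST(AuthClientCurlInterface, ErrorConversion) {
  const int curl_err = 35;  // CURLE_SSL_CONNECT_ERROR in libcurl
  const int err = auth_client_err_from_curl(curl_err);
  const int translated = auth_client_err_to_curl(err);
  EXPECT_EQ(curl_err, translated);
}

// Fixture owning one verbose auth_client handle per test case.
//
// Handle creation lives in SetUp() rather than the constructor so that a
// failed auth_client_new() is reported as a test failure (and the test body
// skipped) instead of relying on assert(), which disappears under NDEBUG and
// would then let a null handle reach auth_client_set_verbose().
class AuthClientTest : public ::testing::Test {
 protected:
  void SetUp() override {
    ac = auth_client_new("service", server);
    ASSERT_TRUE(ac != nullptr) << "auth_client_new() failed, server=" << server;
    auth_client_set_verbose(ac, 1);
  }

  void TearDown() override {
    // SetUp() may have bailed out before a handle existed.
    if (ac != nullptr) {
      auth_client_free(ac);
    }
  }

  // Loads CA/cert/key into the handle and records a (non-fatal) failure,
  // with the library's error text, if the client refuses them.
  void SetCertificate(const char *ca, const char *cert, const char *key) {
    const int result = auth_client_set_certificate(ac, ca, cert, key);
    EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
  }

  // Performs the fixed test login against the configured server and
  // returns the auth_client result code.
  int Authenticate() {
    return auth_client_authenticate(ac, "user", "pass", nullptr, "127.0.0.1");
  }

  auth_client_t ac{};
};

// A missing CA, certificate or key file must be rejected at setup time,
// not surface later as a connection error.
TEST_F(AuthClientTest, CertSetupFailsWithoutCA) {
  EXPECT_NE(AC_OK, auth_client_set_certificate(ac, "nonexisting.pem", ssl_cert, ssl_key));
  EXPECT_NE(AC_OK, auth_client_set_certificate(ac, ssl_ca, "nonexisting.pem", ssl_key));
  EXPECT_NE(AC_OK, auth_client_set_certificate(ac, ssl_ca, ssl_cert, "nonexisting.key"));
}

// Happy path: trusted CA plus a matching client certificate and key.
TEST_F(AuthClientTest, AuthOK) {
  SetCertificate(ssl_ca, ssl_cert, ssl_key);
  const int result = Authenticate();
  EXPECT_EQ(AC_OK, result) << "authenticate() error: " << auth_client_strerror(result)
                           << ", server=" << server;
}

TEST_F(AuthClientTest, SSLFailsWithBadCertificate) {
  // We can't tell auth_client to make an https request without a
  // client certificate, but we can try to force a failure by
  // providing a bad (unloadable) certificate, for example one where
  // the private and public keys do not match. In this case,
  // auth_client_set_certificate() should still succeed, since it
  // doesn't perform this kind of correctness check.
  SetCertificate(ssl_ca, ssl_ca, ssl_key);
  EXPECT_NE(AC_OK, Authenticate()) << "authenticate() didn't fail, server=" << server;
}

// Test CA validation on the client: the client is told to trust testca-bad,
// which presumably did not issue the server's certificate, so the TLS
// handshake must fail before any credentials are sent.
TEST_F(AuthClientTest, SSLFailsWithBadCAClientSide) {
  SetCertificate(ssl_bad_ca, ssl_cert, ssl_key);
  EXPECT_NE(AC_OK, Authenticate()) << "authenticate() didn't fail, server=" << server;
}

// Test CA validation on the server: our client certificate and key come
// from testca-bad, which the server presumably does not trust, so it must
// reject the connection.
TEST_F(AuthClientTest, SSLFailsWithBadCAServerSide) {
  SetCertificate(ssl_ca, ssl_bad_cert, ssl_bad_key);
  EXPECT_NE(AC_OK, Authenticate()) << "authenticate() didn't fail, server=" << server;
}

int main(int argc, char **argv) {
  // AUTH_SERVER overrides the default test server address.
  server = std::getenv("AUTH_SERVER");
  if (server == nullptr) {
    server = "localhost:1617";
  }
  ::testing::InitGoogleTest(&argc, argv);
  return RUN_ALL_TESTS();
}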