#!/usr/bin/python3

# This file is part of Cockpit.
#
# Copyright (C) 2013 Red Hat, Inc.
#
# Cockpit is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Cockpit is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with Cockpit; If not, see <http://www.gnu.org/licenses/>.

import parent
from testlib import *


@skipDistroPackage()
class TestRoles(MachineCase):

    def testBasic(self):
        m = self.machine
        b = self.browser

        # Create a user without any role
        m.execute("useradd user -s /bin/bash -c 'User' || true")
        m.execute("echo user:foobar | chpasswd")
        self.allow_failed_sudo_journal_messages()

        m.start_cockpit()

        def login(user, password):
            b.set_val("#login-user-input", user)
            b.set_val("#login-password-input", password)
            b.click('#login-button')

        # login
        b.open("/system")
        b.wait_visible("#login")
        login("user", "foobar")
        b.expect_load()
        b.enter_page("/system")
        b.switch_to_top()
        b.wait_text('#current-username', 'user')

        b.go("/users#/user")
        b.enter_page("/users")

        admin_role_sel = 'input[data-name="%s"]' % m.get_admin_group()

        b.wait_text("#account-user-name", "user")
        b.wait_visible("#account-locked[disabled]")
        b.wait_visible('output#account-real-name')
        b.wait_visible("#account-set-password:not([disabled])")
        b.wait_not_present("#account-delete")
        b.wait_not_present("#account-logout")
        b.wait_visible(admin_role_sel + "[disabled]")
        b.wait_visible(admin_role_sel + ":not(:checked)")

        # Check permissions for admin account
        b.go("#/admin")
        b.wait_text("#account-user-name", "admin")
        b.wait_visible("#account-locked[disabled]")
        b.wait_visible('output#account-real-name')
        b.wait_not_present("#account-set-password")
        b.wait_not_present("#account-delete")
        b.wait_not_present("#account-logout")
        b.wait_visible(admin_role_sel + "[disabled]")
        b.wait_visible(admin_role_sel + ":checked")

        # Add admin role from the outside (and wait for it to stick)
        b.go("#/user")
        b.wait_text("#account-user-name", "user")

        b.wait_visible(admin_role_sel + ":not(:checked)")
        m.execute("usermod -a -G %s user" % m.get_admin_group())
        b.wait_visible(admin_role_sel + ":checked")

        b.relogin("/users", "user", superuser=True)
        b.wait_text("#account-user-name", "user")

        # Check permissions for admin again
        b.go("#/admin")
        b.wait_text("#account-user-name", "admin")
        b.wait_visible("#account-locked:not([disabled])")
        b.wait_visible("input#account-real-name")
        b.wait_visible("#account-set-password:not([disabled])")
        b.wait_visible("#account-delete:not([disabled])")
        # admin is not logged in, thus still disabled
        b.wait_visible("#account-logout[disabled]")
        b.wait_visible(admin_role_sel + ":not([disabled])")
        b.wait_visible(admin_role_sel + ":checked")

        self.allow_restart_journal_messages()

    def testDynamic(self):
        m = self.machine
        b = self.browser

        m.execute("getent group docker >/dev/null || groupadd docker")

        self.login_and_go("/users")
        b.go("#/admin")

        b.wait_in_text("#account-change-roles-roles", "Container administrator")

        m.execute("groupdel docker")
        b.wait_not_in_text("#account-change-roles-roles", "Container administrator")


if __name__ == '__main__':
    test_main()
