#!/usr/bin/python3

# This file is part of Cockpit.
#
# Copyright (C) 2013 Red Hat, Inc.
#
# Cockpit is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Cockpit is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with Cockpit; If not, see <http://www.gnu.org/licenses/>.

import re
import time

import parent
from testlib import *


os_release = """
NAME="Foobar Adventure Linux Server"
VERSION="2.0 (Day of Doom)"
ID="foobar"
VERSION_ID="2.0"
PRETTY_NAME="Foobar Adventure Linux Server 2.0 (Day of Doom)"
"""

lscpu = """#!/bin/sh
echo 'CPU(s):              8'
echo 'On-line CPU(s) list: 0-7'
echo 'Thread(s) per core:  {0}'
echo 'Core(s) per socket:  4'
echo 'Socket(s):           1'
"""

dmidecode = """#!/bin/sh
[ "$1" = "-t" -a "$2" = "memory" ] || exit 1
cat <<EOF
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.7 present.

Handle 0x0008, DMI type 17, 34 bytes
Memory Device
\tTotal Width: 64 bits
\tSize: 8192 MB
\tForm Factor: SODIMM
\tLocator: ChannelA-DIMM0
\tBank Locator: BANK 0
\tType: DDR3
\tSpeed: 1600 MT/s
\tManufacturer: Samsung
\tAsset Tag: None
\tRank: Unknown
\tConfigured Memory Speed: 1600 MT/s

Handle 0x0009, DMI type 17, 34 bytes
Memory Device
\tTotal Width: 64 bits
\tSize: 8192 MB
\tForm Factor: SODIMM
\tLocator: ChannelB-DIMM0
\tBank Locator: BANK 2
\tMemory technology: Awesome
\tType: DDR3
\tSpeed: 1600 MT/s
\tManufacturer: Samsung
\tAsset Tag: None
\tRank: 1
\tConfigured Memory Speed: 1600 MT/s
EOF
"""


def ssh_reconnect(machine, timeout_sec=120):
    start_time = time.time()
    error = None
    while (time.time() - start_time) < timeout_sec:
        try:
            machine.execute("true", quiet=True)
            return
        except Exception as e:
            error = e
        time.sleep(0.5)

    raise error


@skipDistroPackage()
class TestSystemInfo(MachineCase):
    def setUp(self):
        super().setUp()

        # Debian will not allow timesyncd to start if any other NTP package is installed We only
        # support timesyncd for NTP configuration, so make sure chrony is not installed in the older
        # debian images which don't yet have systemd-timesyncd
        if self.machine.image in ["debian-stable"]:
            self.machine.execute("dpkg --remove chrony")

        # Most OSes don't set nosmt by default, but there are some exceptions
        self.expect_smt_default = self.machine.image in ["fedora-coreos"]

    @enableAxe
    def testBasic(self):
        m = self.machine
        b = self.browser

        # /etc/os-release might be a symlink and file watching doesn't
        # follow symlinks, so we remove it and then create a regular
        # file.
        #
        # In addition hostnamed does not expect os-release to change so
        # we force a restart. Usually any such changes to os-release are
        # expected to happen during reboot, or picked up after a reboot.
        #
        # subscription-manager also screws with os-release so set it
        # to immutable
        #
        m.execute("rm /etc/os-release")
        m.write("/etc/os-release", os_release)
        m.execute("chattr +i /etc/os-release && (systemctl restart systemd-hostnamed || systemctl restart hostnamed)")

        self.login_and_go("/system")

        b.wait_visible('#system_information_os_text')

        mid = m.execute("cat /etc/machine-id")
        b.wait_text('#system_machine_id', mid)

        self.check_axe()

        # Generate a new rsa key and change the config
        m.execute("ssh-keygen -f /etc/ssh/weirdname -t rsa -N ''")
        m.execute("chmod 600 /etc/ssh/weirdname")
        m.execute("restorecon /etc/ssh/weirdname || true")

        new_default = m.execute("ssh-keygen -l -f /etc/ssh/weirdname -E md5 | cut -d' ' -f2 | tr -d '\n'")
        new_alt = m.execute("ssh-keygen -l -f /etc/ssh/weirdname -E sha256 | cut -d' ' -f2 | tr -d '\n'")
        old_default = m.execute("ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key -E md5 | cut -d' ' -f2 | tr -d '\n'")
        old_alt = m.execute("ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key -E sha256 | cut -d' ' -f2 | tr -d '\n'")

        b.click("#system-ssh-keys-link")
        b.wait_in_text("#system_information_ssh_keys .list-group", "ED25519")
        b.wait_in_text("#system_information_ssh_keys .list-group", "RSA")
        b.wait_in_text("#system_information_ssh_keys .list-group", "ECDSA")
        b.wait_not_in_text("#system_information_ssh_keys .list-group", new_default)
        b.wait_in_text("#system_information_ssh_keys .list-group", old_default)
        b.wait_not_in_text("#system_information_ssh_keys .list-group", new_alt)
        b.wait_in_text("#system_information_ssh_keys .list-group", old_alt)

        b.click('#system_information_ssh_keys button:contains("Close")')
        b.wait_not_present("#system_information_ssh_keys")

        # Change ssh config and restart
        self.sed_file(r"s,.*HostKey *,#,; $ a HostKey /etc/ssh/weirdname", "/etc/ssh/sshd_config",
                      # Restart sshd but stop socket so we can make sure we are restarted
                      "( ! systemctl is-active sshd.socket || systemctl stop sshd.socket) && systemctl restart sshd.service")
        ssh_reconnect(m)

        b.click("#system-ssh-keys-link")
        b.wait_visible("#system_information_ssh_keys")
        b.wait_not_in_text("#system_information_ssh_keys .list-group", "ED25519")
        b.wait_in_text("#system_information_ssh_keys .list-group", "RSA")
        b.wait_not_in_text("#system_information_ssh_keys .list-group", "ECDSA")
        b.wait_in_text("#system_information_ssh_keys .list-group", new_default)
        b.wait_not_in_text("#system_information_ssh_keys .list-group", old_default)
        b.wait_not_in_text("#system_information_ssh_keys .list-group", old_alt)
        b.wait_in_text("#system_information_ssh_keys .list-group", new_alt)

        b.wait_in_text('#system_information_os_text',
                       "Foobar Adventure Linux Server 2.0 (Day of Doom)")

        b.click('#system_information_ssh_keys button:contains("Close")')
        b.wait_not_present("#system_information_ssh_keys")

        m.execute("hostnamectl set-hostname --static --pretty 'Adventure Box'")
        b.wait_in_text('#system_information_hostname_text', "Adventure Box")

        b.click('#system_information_hostname_button')
        b.wait_visible("#system_information_change_hostname")
        b.wait_val("#sich-pretty-hostname", "Adventure Box")
        b.set_input_text("#sich-hostname", "host1.cockpit.lan")
        b.click("#system_information_change_hostname button:contains('Change')")
        b.wait_not_present("#system_information_change_hostname")

        b.wait_in_text('#system_information_hostname_text', "Adventure Box (host1.cockpit.lan)")
        self.assertEqual(m.execute("hostname").strip(), "host1.cockpit.lan")

        m.execute("hostnamectl set-hostname ''")
        m.execute("hostnamectl set-hostname --transient 'mydhcpname'")
        b.wait_in_text('#system_information_hostname_text', 'mydhcpname')

        b.logout()
        m.execute("chattr -i /etc/os-release && rm /etc/os-release")
        m.execute("rm /usr/lib/os-release || true")

        self.login_and_go("/system")
        b.wait_text('#system_machine_id', mid)

        # uptime (introduced in PR #13885)
        b.wait_text_not("#system_uptime", "")
        # replace it with a known value, it should automatically update every minute
        m.write("/tmp/fake_uptime", "2000.12 12345.30\n")
        m.execute("mount -o bind /tmp/fake_uptime /proc/uptime")
        self.addCleanup(m.execute, "umount /proc/uptime")
        with b.wait_timeout(70):
            b.wait_text("#system_uptime", "33 minutes")
        # 4 months and a bit, timeformat rounds quite aggressively; also, test a slightly different format
        m.write("/tmp/fake_uptime", "10370000 12345.30\n")
        with b.wait_timeout(70):
            b.wait_text("#system_uptime", "4 months")

        self.allow_journal_messages("error loading contents of os-release: .*",
                                    "sudo: unable to resolve host host1.cockpit.lan: .*")

    def set_change_time_dialog_mode(self, mode):
        b = self.browser
        b.click("#system_information_change_systime label:contains('Set time') + div button")
        b.click("#change_systime button:contains('%s')" % mode)
        b.wait_in_text("#system_information_change_systime label:contains('Set time') + div button", mode)

    def testTime(self):
        m = self.machine
        b = self.browser

        def ntp_enabled():
            return 'true' in m.execute(
                'busctl get-property org.freedesktop.timedate1 /org/freedesktop/timedate1 org.freedesktop.timedate1 NTP')

        # make sure system is on expected timezone EEST
        m.execute("timedatectl set-timezone Europe/Helsinki")

        # Something gets confused when systemd-timesyncd isn't
        # available.  This is harmless.
        #
        self.allow_journal_messages(
            "org.freedesktop.systemd1: couldn't get property org.freedesktop.systemd1.Service ExecMain at /org/freedesktop/systemd1/unit/systemd_2dtimedated_2eservice: GDBus.Error:org.freedesktop.DBus.Error.UnknownProperty: Unknown property")

        self.login_and_go("/system", superuser=False)
        b.wait_text_not("#system_information_systime_button", "")
        b.wait_visible('#system_information_systime_button[disabled]')

        # Gain admin access
        b.click(".pf-c-alert:contains('Web console is running in limited access mode.') button:contains('Turn on')")
        b.wait_in_text(".pf-c-modal-box:contains('Switch to administrative access')", "Password for admin:")
        b.set_input_text(".pf-c-modal-box:contains('Switch to administrative access') input", "foobar")
        b.click(".pf-c-modal-box button:contains('Authenticate')")
        b.wait_not_present(".pf-c-modal-box:contains('Switch to administrative access')")
        b.wait_not_visible(".pf-c-alert:contains('Web console is running in limited access mode.')")

        # Change the date
        b.click("#system_information_systime_button")
        b.wait_visible("#system_information_change_systime")
        self.set_change_time_dialog_mode("Manually")
        b.set_input_text("#systime-date-input", "2037-01-24")
        b.set_input_text("#systime-time-hours", "08")
        b.set_input_text("#systime-time-minutes", "03")
        b.click("#system_information_change_systime .apply")
        b.wait_not_present("#system_information_change_systime")

        b.wait_text("#system_information_systime_button", "Jan 24, 2037, 8:03 AM")

        self.assertFalse(ntp_enabled())
        self.assertIn("Sat Jan 24 08:03:", m.execute("date"))
        self.assertIn("EET 2037\n", m.execute("date"))

        # Set to NTP
        b.click("#system_information_systime_button")
        b.wait_visible("#system_information_change_systime")
        self.set_change_time_dialog_mode("Automatically using NTP")
        b.click("#system_information_change_systime .apply")
        b.wait_not_present("#system_information_change_systime")

        wait(ntp_enabled)

        # Change the date
        b.click("#system_information_systime_button")
        b.wait_visible("#system_information_change_systime")
        self.set_change_time_dialog_mode("Manually")
        b.set_input_text("#systime-date-input", "2018-06-04")
        b.set_input_text("#systime-time-hours", "06")
        b.set_input_text("#systime-time-minutes", "34")
        b.click("#system_information_change_systime .apply")
        b.wait_not_present("#system_information_change_systime")

        self.assertFalse(ntp_enabled())
        self.assertIn("Mon Jun  4 06:34:", m.execute("date"))
        self.assertIn("EEST 2018\n", m.execute("date"))

    def testTimeServers(self):
        m = self.machine
        b = self.browser

        # Fedora/RHEL/CentOS use chrony
        uses_timesyncd = m.image.startswith("debian") or m.image.startswith("ubuntu")

        conf = "/etc/systemd/timesyncd.conf.d/50-cockpit.conf"

        self.login_and_go("/system")

        # Wait until everything is ready to go...
        b.wait_attr("#system_information_systime_button", "data-timedated-initialized", "true")

        b.click("#system_information_systime_button")
        b.wait_visible("#system_information_change_systime")

        # when not using timesyncd, the "specific NTP servers" option should be disabled
        if not uses_timesyncd:
            b.click("#system_information_change_systime label:contains('Set time') + div button")
            b.wait_visible("#change_systime button:contains('Automatically using specific NTP servers').pf-m-disabled")
            return

        def get_timesyncd_start():
            return int(m.execute("systemctl show -p ExecMainStartTimestampMonotonic --value systemd-timesyncd").strip())

        prev_timesyncd_start = get_timesyncd_start()

        # Add two NTP servers.  We can't expect the servers to be used, so
        # we only test that they get added.
        self.set_change_time_dialog_mode("Automatically using specific NTP servers")
        b.set_input_text("#systime-ntp-servers tr:nth-child(1) input", "0.pool.ntp.org")
        b.click('#systime-ntp-servers tr:nth-child(1) .fa-plus')
        b.set_input_text("#systime-ntp-servers tr:nth-child(2) input", "1.pool.ntp.org")
        b.click("#system_information_change_systime .apply")
        b.wait_not_present("#system_information_change_systime")

        self.assertIn("0.pool.ntp.org", m.execute("grep '^NTP=' %s" % conf))
        self.assertIn("1.pool.ntp.org", m.execute("grep '^NTP=' %s" % conf))

        # restarts timesyncd to pick up the new config
        wait(lambda: get_timesyncd_start() > prev_timesyncd_start, delay=0.2)
        prev_timesyncd_start = get_timesyncd_start()

        # Set conf from the outside, check that we pick that up, and
        # switch to default servers.
        m.write(conf, "[Time]\nNTP=2.pool.ntp.org\n")
        b.wait_attr("#system_information_systime_button", "data-timedated-initialized", "true")
        b.click("#system_information_systime_button")
        b.wait_visible("#system_information_change_systime")
        b.wait_val("#systime-ntp-servers tr:nth-child(1) input", "2.pool.ntp.org")
        self.set_change_time_dialog_mode("Automatically using NTP")
        b.wait_not_present("#systime-ntp-servers")
        b.click("#system_information_change_systime .apply")
        b.wait_not_present("#system_information_change_systime")

        self.assertIn("2.pool.ntp.org", m.execute("grep '^#NTP=' %s" % conf))

        # restarts timesyncd to pick up the new config
        wait(lambda: get_timesyncd_start() > prev_timesyncd_start, delay=0.2)

    def testMotd(self):
        m = self.machine
        b = self.browser

        m.execute("rm -f /etc/motd")

        self.login_and_go("/system")
        b.wait_not_present('#motd-box')

        m.execute(r"printf '\n  \n  Hello\n  World\n\n' >/etc/motd")
        b.wait_visible('#motd-box')
        # strips empty lines, but not leading spaces
        b.wait_text('#motd', "  Hello\n  World")

        b.click('#motd-box button:not(#motd-box-edit)')
        b.wait_not_present('#motd-box')

        # motd should stay dismissed after a reload
        b.reload()
        b.enter_page("/system")
        b.wait_not_present('#motd-box')

        m.execute("echo Hello again >/etc/motd")
        b.wait_visible('#motd-box')
        b.wait_text('#motd', "Hello again")

        b.click("#motd-box-edit")
        b.set_input_text("#motd-box-edit-modal textarea", "Hello cockpit team")
        b.click("#motd-box-edit-modal button.pf-m-primary")
        b.wait_not_present("motd-box-edit-modal")
        b.wait_text('#motd', "Hello cockpit team")
        self.assertEqual("Hello cockpit team", self.machine.execute("cat /etc/motd").rstrip())

        # because of the reload
        self.allow_restart_journal_messages()

    @nondestructive
    def testHardwareInfo(self):
        b = self.browser
        m = self.machine

        self.login_and_go("/system")
        b.wait_in_text('#system_information_hardware_text', "QEMU")

        hardware_page_link = '.system-information a'
        b.click(hardware_page_link)
        b.enter_page("/system/hwinfo")

        # system info
        b.wait_in_text('#hwinfo-system-info-list', "CPU")
        # QEMU VM type
        b.wait_in_text('#hwinfo-system-info-list .hwinfo-system-info-list-item:nth-of-type(1) .pf-c-description-list__group:nth-of-type(1) dd', "Other")
        # Name
        b.wait_in_text('#hwinfo-system-info-list .hwinfo-system-info-list-item:nth-of-type(1) .pf-c-description-list__group:nth-of-type(2) dd', "Standard PC")
        # BIOS
        b.wait_in_text('#hwinfo-system-info-list .hwinfo-system-info-list-item:nth-of-type(2) .pf-c-description-list__group:nth-of-type(1) dd', "SeaBIOS")
        # BIOS date gets parsed
        parsed_bios_date = m.execute("date --date $(cat /sys/class/dmi/id/bios_date) '+%B %-d, %Y'").strip()
        b.wait_text('#hwinfo-system-info-list .hwinfo-system-info-list-item:nth-of-type(2) .pf-c-description-list__group:nth-of-type(3) dd', parsed_bios_date)

        pci_selector = '#hwinfo #pci-listing'
        heading_selector = ' .pf-c-card__title'
        # PCI
        b.wait_in_text(pci_selector + heading_selector, "PCI")

        b.wait_in_text(pci_selector + ' tr:first-of-type td[data-label=Slot]', "0000:00:00.0")

        # sorted by device class by default; this makes some assumptions about QEMU devices
        b.wait_in_text(pci_selector + ' tbody tr:first-of-type td[data-label=Class]', "Bridge")
        b.wait_in_text(pci_selector + ' tbody tr:last-of-type td[data-label=Class]', "Unclassified")

        # sort by model
        b.click(pci_selector + ' thead th[data-label=Model] button')
        b.wait_in_text(pci_selector + ' tbody tr:first-of-type td[data-label=Model]', "440")
        b.wait_in_text(pci_selector + ' tbody tr:last-of-type td[data-label=Model]', "Virtio SCSI")
        b.wait_not_in_text(pci_selector + ' tbody tr:last-of-type td[data-label=Model]', "Unclassified")

        # go back to system page
        b.click('.pf-c-breadcrumb li:first a')

        b.enter_page("/system")

        # now pretend this is a system without DMI
        b.logout()
        m.execute("mount -t tmpfs none /sys/class/dmi/id")
        self.addCleanup(m.execute, "umount /sys/class/dmi/id")
        self.login_and_go("/system")
        # asset tag should be hidden
        b.wait_not_present('#system_information_asset_tag_text')
        # Hardware should be hidden
        b.wait_not_present('#system_information_hardware_text')
        b.click(hardware_page_link)
        b.enter_page("/system/hwinfo")

        # CPU should still be shown, but not the DMI fields
        b.wait_in_text('#hwinfo-system-info-list', "CPU")
        self.assertNotIn('Type', b.text('#hwinfo-system-info-list'))
        self.assertNotIn('BIOS', b.text('#hwinfo-system-info-list'))

        # PCI should be shown
        b.wait_in_text(pci_selector + heading_selector, "PCI")
        b.wait_in_text(pci_selector + ' tr:first-of-type td[data-label=Slot]', "0000:00:00.0")

        # Check also variants when only some fields are present
        m.write("/sys/class/dmi/id/chassis_type", "10")
        b.go("/system")
        b.enter_page('/system')
        b.wait_not_present('#system_information_hardware_text')

        m.write("/sys/class/dmi/id/board_vendor", "VENDOR")
        m.write("/sys/class/dmi/id/board_name", "NAME")
        b.reload()
        b.enter_page('/system')
        b.wait_in_text('#system_information_hardware_text', "VENDOR NAME")
        b.click(hardware_page_link)
        b.enter_page("/system/hwinfo")
        b.wait_in_text('#hwinfo-system-info-list .hwinfo-system-info-list-item:nth-of-type(1) .pf-c-description-list__group:nth-of-type(2) dd', "NAME")
        b.wait_in_text('#hwinfo-system-info-list .hwinfo-system-info-list-item:nth-of-type(1) .pf-c-description-list__group:nth-of-type(3) dd', "VENDOR")

        # /proc/cpuinfo on x86; very incomplete, just what pkg/lib/machine-info.js looks at
        m.write("/tmp/cpuinfo", """processor\t: 0
vendor_id\t: GenuineIntel
model\t\t: 42
model name\t: Professor NumberCrunch

processor\t: 1
vendor_id\t: GenuineIntel
model\t\t: 42
model name\t: Professor NumberCrunch
""")
        m.execute("mount -o bind /tmp/cpuinfo /proc/cpuinfo")
        self.addCleanup(m.execute, "umount /proc/cpuinfo")

        b.reload()
        b.enter_page('/system/hwinfo')
        b.wait_in_text('#hwinfo-system-info-list .hwinfo-system-info-list-item:nth-of-type(2) .pf-c-description-list__group:nth-of-type(1) dd', "2x Professor NumberCrunch")

        # /proc/cpuinfo on PowerPC; complete info
        m.write("/tmp/cpuinfo", """processor\t: 0
cpu\t\t: POWER9 (architected), altivec supported
clock\t\t: 3000.000000MHz
revision\t: 2.3 (pvr 004e 1203)

processor\t: 1
cpu\t\t: POWER9 (architected), altivec supported
clock\t\t: 3000.000000MHz
revision\t: 2.3 (pvr 004e 1203)
""")

        b.reload()
        b.enter_page('/system/hwinfo')
        b.wait_in_text('#hwinfo-system-info-list .hwinfo-system-info-list-item:nth-of-type(2) .pf-c-description-list__group:nth-of-type(1) dd', "2x POWER9 (architected), altivec supported")

        # Memory details should be shown for generic QEMU memory
        # demidecode not available on certain images
        if not m.ostree_image:
            b.wait_in_text('#hwinfo #memory-listing' + heading_selector, "Memory")
            b.wait_in_text('#hwinfo #memory-listing table', "DIMM")
            b.wait_in_text('#hwinfo #memory-listing table', "RAM")

            # Test more specific memory data with a fake dmidecode
            m.write('/tmp/dmidecode', dmidecode)
            m.execute('chmod +x /tmp/dmidecode; mount -o bind /tmp/dmidecode $(which dmidecode)')
            self.addCleanup(m.execute, 'umount $(which dmidecode)')
            b.reload()
            b.enter_page('/system/hwinfo')
            # first DIMM has unknown technology and rank
            b.wait_in_text('#memory-listing tr:nth-of-type(1) td[data-label=ID]', "ChannelA-DIMM0")
            b.wait_in_text('#memory-listing tr:nth-of-type(1) td[data-label=Type]', "DDR3")
            b.wait_in_text('#memory-listing tr:nth-of-type(1) td[data-label=Size]', "8 GB")
            b.wait_in_text('#memory-listing tr:nth-of-type(1) td[data-label=State]', "Present")
            b.wait_text('#memory-listing tr:nth-of-type(1) td[data-label="Memory technology"]', "Unknown")
            b.wait_text('#memory-listing tr:nth-of-type(1) td[data-label=Rank]', "Unknown")
            b.wait_in_text('#memory-listing tr:nth-of-type(1) td[data-label=Speed]', "1600 MT/s")
            # second DIMM has known technology and rank
            b.wait_in_text('#memory-listing tr:nth-of-type(2) td[data-label=ID]', "ChannelB-DIMM0")
            b.wait_text('#memory-listing tr:nth-of-type(2) td[data-label="Memory technology"]', "Awesome")
            b.wait_text('#memory-listing tr:nth-of-type(2) td[data-label=Rank]', "Single rank")

    @nondestructive
    def testCPUSecurityMitigationsDetect(self):
        b = self.browser
        m = self.machine

        self.restore_dir("/usr/local/bin")
        m.start_cockpit()

        def spoof_threads(threads_per_core, expect_link_present, expect_smt_state=None, cmdline=None):
            m.write('/usr/local/bin/lscpu', lscpu.format(threads_per_core))
            m.execute('chmod +x /usr/local/bin/lscpu')
            if cmdline:
                m.write('/run/cmdline', cmdline)
                m.execute('if selinuxenabled 2>/dev/null; then chcon --reference /proc/cmdline /run/cmdline; fi')
                m.execute('mount --bind /run/cmdline /proc/cmdline && rm /run/cmdline')

            try:
                b.login_and_go('/system/hwinfo')

                if not expect_link_present:
                    b.wait_in_text('#hwinfo-system-info-list', "CPU")
                    b.wait_not_in_text('#hwinfo-system-info-list', "CPU security")
                else:
                    b.click('#hwinfo button:contains(Mitigations)')

                if expect_smt_state is not None:
                    b.wait_visible('#cpu-mitigations-dialog .nosmt-heading:contains(nosmt)')
                    b.wait_visible('#cpu-mitigations-dialog #nosmt-switch input' +
                                   (expect_smt_state and ":checked" or ":not(:checked)"))

                b.logout()
            finally:
                if cmdline:
                    m.execute('while ! umount /proc/cmdline; do sleep 1; done')

        spoof_threads(1, False)
        spoof_threads(2, True, True, 'param1 param2 nosmt param3=value3')
        spoof_threads(2, True, True, 'param1 param2 nosmt=force param3=value3')
        spoof_threads(2, True, True, 'param1 mitigations=auto,nosmt param3=value3')
        spoof_threads(2, True, True, 'param1 mitigations=nosmt,something param3=value3')
        spoof_threads(2, True, False, 'param1 mitigations=something param3=value3')
        spoof_threads(2, False, cmdline='param1 nosmt=someunknown param3=value3')
        spoof_threads(2, True, self.expect_smt_default, None)

    def testCPUSecurityMitigationsEnable(self):
        b = self.browser
        m = self.machine

        # spoof SMT
        m.write('/usr/local/bin/lscpu', lscpu.format(2))
        m.execute('chmod +x /usr/local/bin/lscpu')

        # Switch nosmt option
        self.login_and_go('/system/hwinfo')
        b.click('#hwinfo button:contains(Mitigations)')
        b.click('#cpu-mitigations-dialog #nosmt-switch input')
        b.wait_visible('#cpu-mitigations-dialog #nosmt-switch input' +
                       (self.expect_smt_default and ':not(:checked)' or ':checked'))
        b.click('#cpu-mitigations-dialog Button:contains(Save and reboot)')

        m.wait_reboot()
        if self.expect_smt_default:
            self.assertNotIn('nosmt', m.execute('cat /proc/cmdline'))
        else:
            self.assertIn('nosmt', m.execute('cat /proc/cmdline'))

        # Ensure that future kernel upgrades also retain the option; various
        # Fedora and RHEL version are in different stages of the BLS
        # transition, so there are three cases:
        # - no BLS, options go into /etc/default/grub and grub.cfg (oldest)
        # - BLS, options go directly into entries (RHEL 8.0)
        # - BLS, entries use $kernelopt, that is defined in grubenv (newest)
        if not m.ostree_image:
            m.execute(r"""set -e
. /etc/os-release
touch /boot/vmlinuz-42.0.0; mkdir -p /lib/modules/42.0.0/
if type update-grub >/dev/null 2>&1; then
    update-grub  # Debian/Ubuntu
else
    if [ "$ID" = rhel -o "$ID" = centos ] && [ "${VERSION_ID#7}" != "$VERSION_ID" ]; then
        new-kernel-pkg --package kernel --install 42.0.0  # RHEL/CentOS 7
    else
        kernel-install add 42.0.0 /boot/vmlinuz-42.0.0 2>/dev/null # Fedora/RHEL >= 8
    fi
fi
grep -q 'linux.*/vmlinuz-42.0.0.*nosmt' /boot/grub*/grub.cfg ||
  grep -q '^options.*\bnosmt\b' /boot/loader/entries/*42.0.0*.conf ||
  ( grub2-editenv list | grep -q kernelopts.*nosmt &&
    grep -q '^options.*$kernelopts' /boot/loader/entries/*42.0.0*.conf )
""")
            # clean up so that next reboot works
            m.execute(r"""set -e
. /etc/os-release
rm /boot/vmlinuz-42.0.0
if type update-grub >/dev/null 2>&1; then
    update-grub  # Debian/Ubuntu
else
    if [ "$ID" = rhel -o "$ID" = centos ] && [ "${VERSION_ID#7}" != "$VERSION_ID" ]; then
        new-kernel-pkg --package kernel --remove 42.0.0  # RHEL/CentOS 7
    else
        kernel-install remove 42.0.0 /boot/vmlinuz-42.0.0  # Fedora/RHEL >= 8
    fi
fi
""")

        # Switch back nosmt option
        self.login_and_go('/system/hwinfo')
        b.click('#hwinfo button:contains(Mitigations)')
        b.wait_visible('#cpu-mitigations-dialog .nosmt-heading:contains(nosmt)')
        b.wait_visible('#cpu-mitigations-dialog #nosmt-switch input' +
                       (self.expect_smt_default and ':not(:checked)' or ':checked'))
        b.click('#cpu-mitigations-dialog #nosmt-switch input')
        b.wait_visible('#cpu-mitigations-dialog #nosmt-switch input' +
                       (self.expect_smt_default and ':checked' or ':not(:checked)'))
        b.click('#cpu-mitigations-dialog Button:contains(Save and reboot)')
        m.wait_reboot()
        if self.expect_smt_default:
            self.assertIn('nosmt', m.execute('cat /proc/cmdline'))
        else:
            self.assertNotIn('nosmt', m.execute('cat /proc/cmdline'))

        # updates mitigations=nosmt when that is present
        m.upload(["../pkg/systemd/kernelopt.sh"], "/tmp/")
        m.execute("/tmp/kernelopt.sh remove nosmt && /tmp/kernelopt.sh set mitigations=auto,nosmt")
        m.spawn("sync && sleep 0.1 && reboot", "reboot")
        m.wait_reboot()
        self.login_and_go('/system/hwinfo')
        b.click('#hwinfo button:contains(Mitigations)')
        b.wait_visible('#cpu-mitigations-dialog .nosmt-heading:contains(nosmt)')
        b.wait_visible('#cpu-mitigations-dialog #nosmt-switch input:checked')
        b.click('#cpu-mitigations-dialog #nosmt-switch input')
        b.wait_visible('#cpu-mitigations-dialog #nosmt-switch input:not(:checked)')
        b.click('#cpu-mitigations-dialog Button:contains(Save and reboot)')
        m.wait_reboot()
        self.assertNotIn('nosmt', m.execute('cat /proc/cmdline'))
        self.assertIn('mitigations=auto', m.execute('cat /proc/cmdline'))

        # Behaviour for non-admins
        self.login_and_go('/system/hwinfo', superuser=False)
        b.wait_visible('#cpu_mitigations[disabled]')
        b.mouse('#tip-cpu-security', 'mouseenter')
        b.wait_text('.pf-c-tooltip', 'The user admin is not permitted to change cpu security mitigations')
        b.mouse('#tip-cpu-security', 'mouseleave')
        b.wait_not_present("div.pf-c-tooltip")

        # Behaviour if grub update tools are missing
        b.logout()
        m.execute('mv /etc/default/grub /etc/default/grub.bak || true')
        m.write('/tmp/grubby', '#!/bin/sh\necho 0')
        m.execute('[ ! -f /usr/sbin/grubby ] || mount --bind /tmp/grubby /usr/sbin/grubby')
        m.execute('systemctl stop rpm-ostreed.service || true; systemctl mask rpm-ostreed.service')
        self.login_and_go('/system/hwinfo')
        b.click('#hwinfo button:contains(Mitigations)')
        b.click('#cpu-mitigations-dialog #nosmt-switch input')
        b.wait_visible('#cpu-mitigations-dialog #nosmt-switch input:checked')
        b.click('#cpu-mitigations-dialog Button:contains(Save and reboot)')
        b.wait_visible('#cpu-mitigations-dialog .pf-c-alert__title:contains(No supported grub update mechanism found)')

        self.allow_journal_messages('Sourcing file `/etc/default/grub.*',
                                    'Generating grub configuration file.*',
                                    'Found linux image.*',
                                    'Found initrd image.*',
                                    '.*warning: setlocale: LC_ALL: cannot change locale.*',
                                    'done')
        self.allow_restart_journal_messages()

    @skipImage("Insights client not yet available on RHEL 9", "rhel-9-0")
    def testInsightsStatus(self):
        m = self.machine
        b = self.browser

        if not m.image.startswith("rhel"):
            self.skipTest("insights-client is only on RHEL")

        # Pretend that the Subscriptions page can do Insights stuff
        m.write("/usr/share/cockpit/subscription-manager/override.json", '{ "features": { "insights": true } }')

        # Run a mock version of the Insights API locally and configure
        # insights-client to access it. That requires a good enough
        # TLS mock insights server certificate
        m.upload(["verify/files/mock-insights", "../src/tls/ca/alice.key", "../src/tls/ca/alice.pem"], "/var/tmp")
        m.spawn("/var/tmp/mock-insights", "mock-insights")
        m.write("/etc/insights-client/insights-client.conf",
                """
[insights-client]
gpg=False
auto_config=False
base_url=localhost:8888/r/insights
# even if we would add tls/ca/ca.pem (the signer of alice.pem) to /etc/pki, some later part of insights still
# does not respect that; so just give in, and disable validation
cert_verify=False
username=admin
password=foobar
""")

        # Initially we are not registered
        self.login_and_go('/system')
        b.wait_text(".system-health-insights a", "Not connected to Insights")

        # Enable insights, results should appear automatically
        m.execute("insights-client --register")
        b.wait_in_text(".system-health-insights a", "3 hits, including important")
        self.assertIn("123-nice-id", b.attr(".system-health-insights a", "href"))

    def testOverview(self):
        m = self.machine
        b = self.browser

        # packagekit often eats a lot of CPU; silence it to not screw up the "system is idle" test
        m.execute("systemctl mask packagekit")

        def progressValue(number):
            sel = ".system-usage tr:nth-child(%i) .pf-c-progress__indicator" % number
            b.wait_visible(sel)
            b.wait_attr_contains(sel, "style", "width:")
            style = b.attr(sel, "style")
            m = re.search(r"width: (\d+)%;", style)
            return int(m.group(1))

        self.login_and_go("/system")

        # CPU
        # first wait until system settles down
        wait(lambda: progressValue(1) < 20)
        m.spawn("for i in $(seq $(nproc)); do cat /dev/urandom > /dev/null & done", "cpu_hog.log")
        wait(lambda: progressValue(1) > 75)
        m.execute("pkill -e -f cat.*urandom")
        # should go back to idle usage
        wait(lambda: progressValue(1) < 20)

        # memory: our test machines have ~ 1 GiB of memory, a reasonable chunk of it should be used
        b.wait_in_text(".system-usage tr:nth-child(2)", " GiB")
        initial_usage = progressValue(2)
        self.assertGreater(initial_usage, 10)
        self.assertLess(initial_usage, 80)
        # allocate an extra 300 MB; this may cause other stuff to get unmapped,
        # thus not exact addition, but usage should go up
        mem_hog = m.spawn("MEMBLOB=$(yes | dd bs=1M count=300 iflag=fullblock); touch /tmp/hogged; sleep infinity", "mem_hog.log")
        m.execute("while [ ! -e /tmp/hogged ]; do sleep 1; done")
        # bars update every 5s
        time.sleep(8)
        hog_usage = progressValue(2)
        self.assertGreater(hog_usage, initial_usage + 10)

        m.execute("kill %d" % mem_hog)
        # should go back to initial_usage; often below, due to paged out stuff
        wait(lambda: progressValue(2) <= initial_usage)
        self.assertGreater(progressValue(2), 10)


if __name__ == '__main__':
    test_main()
