#!/usr/share/ucs-test/runner python3
## desc: Test docker network isolation
## tags: [docker]
## exposure: dangerous
## packages:
##   - docker.io

import re
import subprocess

from univention.testing.utils import restart_firewall

from dockertest import App, Appcenter, get_app_name

DOCKER_COMPOSE = '''
version: '2.0'

services:
	test1:
		image: {image}
		ports:
			- "8000:8000"
		command: /sbin/init
		restart: always
	test2:
		image: {image}
		ports:
			- "9000:9000"
		command: /sbin/init
'''.replace('\t', '  ')

if __name__ == '__main__':
	# cleanup remnants from previous tests
	restart_firewall()
	with Appcenter() as appcenter:

		name = get_app_name()
		setup = '#!/bin/sh'
		store_data = '#!/bin/sh'

		app = App(name=name, version='1', build_package=False, call_join_scripts=False)
		try:
			app.set_ini_parameter(
				DockerMainService='test1'
			)
			app.add_script(compose=DOCKER_COMPOSE.format(image='docker-test.software-univention.de/alpine:3.7'))
			app.add_script(setup=setup)
			app.add_script(store_data=store_data)
			app.add_to_local_appcenter()
			appcenter.update()
			app.install()
			app.verify(joined=False)

			iptables_save_after_installation = subprocess.check_output(['iptables-save'], text=True)
			print(" iptables rules before firewall restart:\n" + iptables_save_after_installation)
			docker_iptables_rules = []
			for line in iptables_save_after_installation.split("\n"):
				if not re.match('^#.*', line) and not re.match('^:.*ACCEPT.*', line):
					docker_iptables_rules.append(line)

			restart_firewall()

			iptables_save_after_firewall_restart = subprocess.check_output(['iptables-save'], text=True)
			print(" iptables rules after firewall restart:\n" + iptables_save_after_firewall_restart)
			for rule in docker_iptables_rules:
				assert rule in iptables_save_after_firewall_restart, "iptables rules are inconsistent"
			print("=== iptables rules are consistent!")

		finally:
			app.uninstall()
			app.remove()
