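# SPDX-License-Identifier: GPL-3.0-or-later
"""Post-install checks: security/system hardening archsetup applies.

Expansion coverage (P4) — these were not in the original shell sweep. They
assert the system-level changes archsetup makes in place: sshd root hardening,
quiet kernel console, an emptied /etc/issue, the console font, and the EFI
mount permission tightening.

The checks parse active (non-comment) configuration lines rather than
substring-matching whole files, so a commented-out setting cannot make a
hardening check pass.
"""

import pytest


def _active_lines(text, comment_prefixes=("#",)):
    """Return the stripped lines of *text* that are neither blank nor comments."""
    stripped = (ln.strip() for ln in text.splitlines())
    return [ln for ln in stripped if ln and not ln.startswith(comment_prefixes)]


def _mask_denies_world_read(options, key):
    """Return True if every ``key=<octal>`` mount option masks the world-read bit.

    Returns False when the option is absent or its value is not valid octal.
    """
    values = [
        opt.partition("=")[2] for opt in options if opt.partition("=")[0] == key
    ]
    if not values:
        return False
    try:
        # An fmask/dmask bit that is set is removed from the resulting mode,
        # so the "other: read" bit (0o004) must be present in the mask.
        return all(int(value, 8) & 0o004 for value in values)
    except ValueError:
        return False


@pytest.mark.smoke
@pytest.mark.attribution("archsetup")
def test_sshd_root_prohibit_password(host):
    """The sshd hardening drop-in actively sets PermitRootLogin prohibit-password."""
    conf = host.file("/etc/ssh/sshd_config.d/10-hardening.conf")
    assert conf.exists, "sshd hardening drop-in missing"
    # Compare parsed directives: a plain substring test would also accept
    # "#PermitRootLogin prohibit-password". Keywords are case-insensitive,
    # arguments are case-sensitive.
    values = [
        fields[1]
        for fields in (ln.split() for ln in _active_lines(conf.content_string))
        if len(fields) >= 2 and fields[0].lower() == "permitrootlogin"
    ]
    assert values, "no active PermitRootLogin directive in hardening drop-in"
    # sshd keeps the first value it obtains for a keyword, so the first
    # occurrence in this file is the one that counts here.
    assert values[0] == "prohibit-password", (
        f"PermitRootLogin is {values[0]!r}, expected 'prohibit-password'"
    )
    # NOTE(review): this covers the drop-in only. An earlier-sorting file in
    # sshd_config.d or a Match block can still change the effective value;
    # asserting on `sshd -T` output would cover that — confirm it can be run
    # on the test host.


@pytest.mark.attribution("archsetup")
def test_quiet_printk_sysctl(host):
    """The quiet-printk sysctl drop-in exists and actively sets kernel.printk."""
    conf = host.file("/etc/sysctl.d/20-quiet-printk.conf")
    assert conf.exists
    # sysctl.d files use "key = value"; "#" and ";" start comments and a
    # leading "-" on the key only suppresses errors when applying it.
    keys = [
        ln.partition("=")[0].strip().lstrip("-")
        for ln in _active_lines(conf.content_string, ("#", ";"))
        if "=" in ln
    ]
    assert "kernel.printk" in keys, "no active kernel.printk setting"


@pytest.mark.attribution("archsetup")
def test_issue_emptied(host):
    """/etc/issue is empty, so no distro/date banner precedes the login prompt."""
    # archsetup truncates /etc/issue to drop the distro/date banner.
    assert host.file("/etc/issue").size == 0, "/etc/issue is not empty"


@pytest.mark.attribution("archsetup")
def test_console_font_configured(host):
    """/etc/vconsole.conf has an active FONT assignment naming ter-132n."""
    fonts = [
        ln.partition("=")[2]
        for ln in _active_lines(host.file("/etc/vconsole.conf").content_string)
        if ln.partition("=")[0].strip() == "FONT"
    ]
    assert any("ter-132n" in font for font in fonts), "console font not set"


@pytest.mark.attribution("archsetup")
def test_efi_mount_permissions_tightened(host):
    """Every /efi vfat fstab entry carries fmask/dmask that block world read."""
    # archsetup adds fmask/dmask to the /efi vfat line so it isn't world-readable.
    fstab = host.file("/etc/fstab").content_string
    # Split on any whitespace: fstab fields are often tab-separated, and a
    # literal " /efi " match would miss those lines and skip the check.
    entries = (ln.split() for ln in _active_lines(fstab))
    efi_options = [
        fields[3].split(",")
        for fields in entries
        if len(fields) >= 4 and fields[1] == "/efi" and fields[2] == "vfat"
    ]
    if not efi_options:
        pytest.skip("no /efi vfat line in fstab")
    for options in efi_options:
        # Presence of "fmask=" alone proves nothing (fmask=0000 is wide open),
        # so the mask values themselves are checked.
        assert _mask_denies_world_read(options, "fmask"), (
            "/efi mount not permission-tightened"
        )
        assert _mask_denies_world_read(options, "dmask"), (
            "/efi mount not permission-tightened (dmask)"
        )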