#!/usr/bin/env bats

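# bats per-test hook: load the assertion helpers and make sure /run/sshd exists.
# Globals:   none
# Arguments: none
# Returns:   non-zero if a helper library cannot be loaded or the directory
#            cannot be created
setup() {
    load '/usr/lib/bats/bats-assert/load'
    load '/usr/lib/bats/bats-support/load' # this is required by bats-assert!

    # /run/sshd is a directory, so the guard must test -d; the previous -f
    # (regular file) test was true for every directory and never skipped.
    # sshd aborts, test mode included, when its privilege separation
    # directory is missing, so the server assertions rely on this.
    # A regular file squatting on the path now fails setup loudly.
    if [ ! -d /run/sshd ]; then
        mkdir -p /run/sshd
    fi
}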

# Print the value part of every "<keyword> <value>" line read from stdin.
# Arguments: $1 - option keyword; matched case-sensitively at the start of
#                 the line and interpolated into the regex unescaped
# Input:     configuration text on stdin
# Outputs:   the remainder of each matching line after "<keyword> "
grep_config_values() {
    local keyword=$1

    # Select the lines first, then strip the keyword and its trailing space.
    grep "^${keyword} " \
        | sed "s/^${keyword} //"
}

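# Client-side OpenSSH fragment under the crypto-policies back-ends directory.
client_config_file="/etc/crypto-policies/back-ends/openssh.config"

# Assert that a client option in the policy file equals what ssh resolves.
# Globals:   client_config_file (read)
#            expected, actual (written; deliberately not local, since tests
#            outside this view may inspect them)
# Arguments: $1 - keyword as spelled in the policy file
#            $2 - keyword as printed by `ssh -G`
# Returns:   status of assert_equal
#
# NOTE(review): the comparison is an exact string match, so a reordered
# algorithm list fails. If the keyword is absent on BOTH sides, both values
# are empty and the assertion passes without checking anything.
# NOTE(review): `ssh -G host` also reads the invoking user's ssh config, so
# a per-user override can change the result; confirm the test environment.
assert_client_option() {
    # Redirect instead of `cat |`: an unreadable policy file now makes the
    # substitution fail rather than silently yielding an empty value.
    expected=$(grep_config_values "$1" < "${client_config_file}")
    actual=$(ssh -T -G host | grep_config_values "$2")
    assert_equal "$expected" "$actual"
}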

# Client cipher list: delegates to assert_client_option with the policy
# keyword and the lower-case keyword used for the resolved configuration.
assert_client_ciphers() {
    local policy_key="Ciphers"
    local resolved_key="ciphers"
    assert_client_option "$policy_key" "$resolved_key"
}
# Client MAC list: delegates to assert_client_option with the policy
# keyword and the lower-case keyword used for the resolved configuration.
assert_client_macs() {
    local policy_key="MACs"
    local resolved_key="macs"
    assert_client_option "$policy_key" "$resolved_key"
}
# Client key-exchange list: delegates to assert_client_option with the policy
# keyword and the lower-case keyword used for the resolved configuration.
assert_client_kex() {
    local policy_key="KexAlgorithms"
    local resolved_key="kexalgorithms"
    assert_client_option "$policy_key" "$resolved_key"
}
# Client accepted public-key algorithms: delegates to assert_client_option
# with the policy keyword and its lower-case resolved counterpart.
assert_client_pubkey() {
    local policy_key="PubkeyAcceptedAlgorithms"
    local resolved_key="pubkeyacceptedalgorithms"
    assert_client_option "$policy_key" "$resolved_key"
}
# Client GSSAPI key-exchange list: delegates to assert_client_option with the
# policy keyword and its lower-case resolved counterpart.
assert_client_gssapikex() {
    local policy_key="GSSAPIKexAlgorithms"
    local resolved_key="gssapikexalgorithms"
    assert_client_option "$policy_key" "$resolved_key"
}
# Client host-based accepted algorithms: delegates to assert_client_option
# with the policy keyword and its lower-case resolved counterpart.
assert_client_hostbased() {
    local policy_key="HostbasedAcceptedAlgorithms"
    local resolved_key="hostbasedacceptedalgorithms"
    assert_client_option "$policy_key" "$resolved_key"
}
# Client CA signature algorithms: delegates to assert_client_option with the
# policy keyword and its lower-case resolved counterpart.
assert_client_casignature() {
    local policy_key="CASignatureAlgorithms"
    local resolved_key="casignaturealgorithms"
    assert_client_option "$policy_key" "$resolved_key"
}
# Client RequiredRSASize setting: delegates to assert_client_option with the
# policy keyword and its lower-case resolved counterpart.
assert_client_rsasize() {
    local policy_key="RequiredRSASize"
    local resolved_key="requiredrsasize"
    assert_client_option "$policy_key" "$resolved_key"
}

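# Server-side OpenSSH fragment under the crypto-policies back-ends directory.
server_config_file="/etc/crypto-policies/back-ends/opensshserver.config"

# Assert that a server option in the policy file equals what sshd resolves.
# Globals:   server_config_file (read)
#            expected, actual (written; deliberately not local, since tests
#            outside this view may inspect them)
# Arguments: $1 - keyword as spelled in the policy file
#            $2 - keyword as printed by `sshd -T`
# Returns:   status of assert_equal
#
# NOTE(review): the comparison is an exact string match, so a reordered
# algorithm list fails. If the keyword is absent on BOTH sides (or sshd -T
# prints nothing because it failed), both values are empty and the
# assertion passes without checking anything.
# NOTE(review): `sshd -T` is run without -C, so settings inside Match blocks
# are presumably not reflected here; confirm if per-match overrides matter.
assert_server_option() {
    # Redirect instead of `cat |`: an unreadable policy file now makes the
    # substitution fail rather than silently yielding an empty value.
    expected=$(grep_config_values "$1" < "${server_config_file}")
    actual=$(sshd -T | grep_config_values "$2")
    assert_equal "$expected" "$actual"
}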

# Server cipher list: delegates to assert_server_option with the policy
# keyword and the lower-case keyword used for the resolved configuration.
assert_server_ciphers() {
    local policy_key="Ciphers"
    local resolved_key="ciphers"
    assert_server_option "$policy_key" "$resolved_key"
}
# Server MAC list: delegates to assert_server_option with the policy
# keyword and the lower-case keyword used for the resolved configuration.
assert_server_macs() {
    local policy_key="MACs"
    local resolved_key="macs"
    assert_server_option "$policy_key" "$resolved_key"
}
# Server key-exchange list: delegates to assert_server_option with the policy
# keyword and the lower-case keyword used for the resolved configuration.
assert_server_kex() {
    local policy_key="KexAlgorithms"
    local resolved_key="kexalgorithms"
    assert_server_option "$policy_key" "$resolved_key"
}
# Server accepted public-key algorithms: delegates to assert_server_option
# with the policy keyword and its lower-case resolved counterpart.
assert_server_pubkey() {
    local policy_key="PubkeyAcceptedAlgorithms"
    local resolved_key="pubkeyacceptedalgorithms"
    assert_server_option "$policy_key" "$resolved_key"
}
# Server GSSAPI key-exchange list: delegates to assert_server_option with the
# policy keyword and its lower-case resolved counterpart.
assert_server_gssapikex() {
    local policy_key="GSSAPIKexAlgorithms"
    local resolved_key="gssapikexalgorithms"
    assert_server_option "$policy_key" "$resolved_key"
}
# Server host-based accepted algorithms: delegates to assert_server_option
# with the policy keyword and its lower-case resolved counterpart.
assert_server_hostbased() {
    local policy_key="HostbasedAcceptedAlgorithms"
    local resolved_key="hostbasedacceptedalgorithms"
    assert_server_option "$policy_key" "$resolved_key"
}
# Server CA signature algorithms: delegates to assert_server_option with the
# policy keyword and its lower-case resolved counterpart.
assert_server_casignature() {
    local policy_key="CASignatureAlgorithms"
    local resolved_key="casignaturealgorithms"
    assert_server_option "$policy_key" "$resolved_key"
}
# Server RequiredRSASize setting: delegates to assert_server_option with the
# policy keyword and its lower-case resolved counterpart.
assert_server_rsasize() {
    local policy_key="RequiredRSASize"
    local resolved_key="requiredrsasize"
    assert_server_option "$policy_key" "$resolved_key"
}
