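//go:build linux && integration

package wireguard

import (
	"bufio"
	"os"
	"strings"
	"testing"
)

// TestDNSMountLeak checks whether a bind mount over /etc/resolv.conf is still
// listed in /proc/self/mounts after ConfigureResolvConf has run.
//
// NOTE(review): the test never invokes a tunnel-close or teardown path, so any
// mount it reports is the state left directly by ConfigureResolvConf. To
// verify cleanup after a tunnel is closed, the package's teardown call should
// run before the scan — confirm which call that is.
//
// NOTE(review): nothing here restores /etc/resolv.conf, so a successful run
// presumably leaves the resolver configuration of the current mount namespace
// changed. Run it only in a disposable container or mount namespace.
func TestDNSMountLeak(t *testing.T) {
	const dnsServer = "8.8.8.8"

	// ConfigureResolvConf is called directly because it is the step suspected
	// of leaving the mount behind.
	if err := ConfigureResolvConf(dnsServer); err != nil {
		// Without the privilege to mount, the test cannot prove a leak.
		if strings.Contains(err.Error(), "operation not permitted") {
			t.Skipf("Insufficient privileges to perform bind mounts for leak test: %v", err)
		}
		// Any other failure means the setup never ran. Scanning the mount
		// table now would report "no leak" without having tested anything.
		t.Fatalf("ConfigureResolvConf failed: %v", err)
	}

	mounts, err := os.Open("/proc/self/mounts")
	if err != nil {
		t.Fatalf("failed to open /proc/self/mounts: %v", err)
	}
	defer mounts.Close()

	foundLeak := false
	scanner := bufio.NewScanner(mounts)
	for scanner.Scan() {
		line := scanner.Text()
		// Heuristic match: "resolvconf" is presumably part of the source path
		// that ConfigureResolvConf mounts from — verify against its code.
		if strings.Contains(line, "resolvconf") && strings.Contains(line, "/etc/resolv.conf") {
			foundLeak = true
			t.Errorf("Found leaking bind mount in /proc/self/mounts: %s", line)
		}
	}
	// A read error would otherwise end the loop early and look like a clean
	// mount table.
	if err := scanner.Err(); err != nil {
		t.Fatalf("failed to read /proc/self/mounts: %v", err)
	}

	if foundLeak {
		t.Logf("Confirmed: DNS resolv.conf mount leaks after configuration")
	} else {
		t.Logf("No leak detected (perhaps mount failed)")
	}
}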