package e2e

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"testing"
)

// TestDNSMountLeak verifies that /etc/resolv.conf bind mounts are cleaned up
// after a profile is stopped.
func TestDNSMountLeak(t *testing.T) {
	bin := EnsureBinary(t)

	profile := "leak-test"
	dnsServer := "8.8.8.8"

	// Pre-create a dummy config for the profile
	configDir := t.TempDir()
	if err := os.MkdirAll(filepath.Join(configDir, "profiles"), 0755); err != nil {
		t.Fatalf("failed to create profiles dir: %v", err)
	}
	configPath := filepath.Join(configDir, "profiles", profile+".conf")
	if err := os.WriteFile(configPath, []byte("[Interface]\nAddress = 10.0.0.1/24\nPrivateKey = aAAA\n"), 0644); err != nil {
		t.Fatalf("failed to write config file: %v", err)
	}

	// Run the binary with the custom config dir override.
	// We use a short-lived command ('true') to trigger the deferred cleanup.
	fullCmd := fmt.Sprintf("WG_WRAP_CONFIG_DIR=%s %s -profile %s -dns-server %s -- true", configDir, bin, profile, dnsServer)

	cmd := exec.Command("bash", "-c", fullCmd)
	if err := cmd.Run(); err != nil {
		t.Logf("Command exited with error (might be normal in some test envs): %v", err)
	}

	// 2. Inspect /proc/self/mounts for any remnants of "resolvconf"
	// Note: In a real scenario, we might need to inspect mounts from a privileged
	// perspective or check the target's namespace mounts if we had a way to keep it open.
	// But since we are checking the host's mount table for leaked bind mounts
	// that weren't unmounted, we check /proc/self/mounts.
	mounts, err := os.Open("/proc/self/mounts")
	if err != nil {
		t.Fatalf("failed to open /proc/self/mounts: %v", err)
	}
	defer func() {
		if err := mounts.Close(); err != nil {
			t.Errorf("failed to close mounts file: %v", err)
		}
	}()

	scanner := bufio.NewScanner(mounts)
	foundLeak := false
	for scanner.Scan() {
		line := scanner.Text()
		if strings.Contains(line, "resolvconf") && strings.Contains(line, "/etc/resolv.conf") {
			foundLeak = true
			t.Errorf("Found leaking bind mount in /proc/self/mounts: %s", line)
		}
	}

	if foundLeak {
		t.Errorf("Detected a DNS resolv.conf mount leak after profile exit")
	}
}