"""Audit the script→sudoers contract.

The sudoers file in `deploy/files/etc/sudoers.d/left4me` is a reference
example; ckn-bw ships its own verbatim copy under
`bundles/left4me/files/etc/sudoers.d/left4me`. The two are expected to
match. This test lives under `scripts/tests/` because the contract being
audited is about *scripts* (which paths the `left4me` uid can sudo into)
even though the file it reads is in `deploy/`.
"""
from conftest import DEPLOY


SUDOERS = DEPLOY / "files/etc/sudoers.d/left4me"


def test_sudoers_allows_only_left4me_helpers_not_raw_system_tools():
    sudoers = SUDOERS.read_text()

    assert (
        "left4me ALL=(root) NOPASSWD: "
        "/usr/local/libexec/left4me/left4me-systemctl *"
    ) in sudoers
    assert (
        "left4me ALL=(root) NOPASSWD: "
        "/usr/local/libexec/left4me/left4me-journalctl *"
    ) in sudoers
    assert "/usr/local/libexec/left4me/left4me-overlay mount *" in sudoers
    assert "/usr/local/libexec/left4me/left4me-overlay umount *" in sudoers
    assert (
        "left4me ALL=(root) NOPASSWD: "
        "/usr/local/libexec/left4me/left4me-script-sandbox"
    ) in sudoers
    assert "/bin/systemctl" not in sudoers
    assert "/usr/bin/systemctl" not in sudoers
    assert "/bin/journalctl" not in sudoers
    assert "/usr/bin/journalctl" not in sudoers
    assert "/bin/mount" not in sudoers
    assert "/bin/umount" not in sudoers