-- This file is part of the Wire Server implementation.
--
-- Copyright (C) 2025 Wire Swiss GmbH <opensource@wire.com>
--
-- This program is free software: you can redistribute it and/or modify it under
-- the terms of the GNU Affero General Public License as published by the Free
-- Software Foundation, either version 3 of the License, or (at your option) any
-- later version.
--
-- This program is distributed in the hope that it will be useful, but WITHOUT
-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
-- details.
--
-- You should have received a copy of the GNU Affero General Public License along
-- with this program. If not, see <https://www.gnu.org/licenses/>.

module Test.BlockedDomains where

import API.Brig as Brig
import API.Brig as BrigAddUser (AddUser (..))
import API.Common
import Data.Yaml (array)
import SetupHelpers
import Testlib.Prelude

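-- | Requesting an activation code for an address on a registration-blocked
-- domain must be refused.
--
-- The backend is run with @blocked.example.com@ as the only entry of brig's
-- @optSettings.setCustomerExtensions.domainsBlockedForRegistration@. The test
-- then checks three things, in order:
--
-- 1. creating a user with an address on the allowed domain answers 201;
-- 2. @activateSend@ for the same local part on the blocked domain answers
--    HTTP 451 with error label @domain-blocked-for-registration@;
-- 3. @activateSend@ for a fresh address on the allowed domain still succeeds,
--    so the rejection in step 2 is tied to the domain and not to the endpoint.
--
-- NOTE(review): only the exact, lower-case spelling of the blocked domain is
-- exercised. Addresses that differ in letter case or sit on a subdomain of the
-- blocked domain are not covered here; confirm they are pinned elsewhere.
testCannotSendActivationCodeToBlockedDomain :: (HasCallStack) => App ()
testCannotSendActivationCodeToBlockedDomain = do
  let blockedDomain = "blocked.example.com"
      validDomain = "valid.example.com"
  withModifiedBackend
    def
      { brigCfg =
          setField
            "optSettings.setCustomerExtensions.domainsBlockedForRegistration"
            (array [fromString blockedDomain])
      }
    $ \domain -> do
      username <- randomName

      -- Baseline: registration with an address on an allowed domain works.
      let validEmail = username <> "@" <> validDomain
      addUser domain def {BrigAddUser.email = Just validEmail} `bindResponse` \resp -> do
        resp.status `shouldMatchInt` 201

      -- Same local part, blocked domain: both the status code and the error
      -- label are asserted, so a 451 raised for another reason fails the test.
      let blockedEmail = username <> "@" <> blockedDomain
      bindResponse (activateSend domain blockedEmail Nothing) $ \resp -> do
        resp.status `shouldMatchInt` 451
        resp.json %. "label" `shouldMatch` "domain-blocked-for-registration"

      -- Control: an address not used above, on the allowed domain, is accepted.
      let otherValidEmail = username <> "-1@" <> validDomain
      activateSend domain otherValidEmail Nothing >>= assertSuccess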

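-- | A logged-in user must not be able to move their own account to an address
-- on a registration-blocked domain.
--
-- The backend is run with @blocked.example.com@ as the only entry of brig's
-- @optSettings.setCustomerExtensions.domainsBlockedForRegistration@. A random
-- user is created and logged in; @updateEmail@ with an address on the blocked
-- domain must answer HTTP 451 with label @domain-blocked-for-registration@,
-- while the same call with an address on the allowed domain must succeed.
--
-- NOTE(review): only the exact, lower-case spelling of the blocked domain is
-- exercised. Addresses that differ in letter case or sit on a subdomain of the
-- blocked domain are not covered here; confirm they are pinned elsewhere.
testCannotChangeOwnEmailWithBlockedDomain :: (HasCallStack) => App ()
testCannotChangeOwnEmailWithBlockedDomain = do
  let blockedDomain = "blocked.example.com"
      validDomain = "valid.example.com"
  withModifiedBackend
    def
      { brigCfg =
          setField
            "optSettings.setCustomerExtensions.domainsBlockedForRegistration"
            (array [fromString blockedDomain])
      }
    $ \domain -> do
      validUser <- randomUser domain def
      validUserEmail <- validUser %. "email" & asString

      -- Log in to obtain the credentials that updateEmail is called with: the
      -- access token from the response body and the "zuid" cookie.
      (cookie, token) <-
        login domain validUserEmail defPassword `bindResponse` \resp -> do
          resp.status `shouldMatchInt` 200
          token <- resp.json %. "access_token" & asString
          -- fromJust: a login response without a "zuid" cookie fails the test
          -- at this line rather than at the later updateEmail call.
          let cookie = fromJust $ getCookie "zuid" resp
          pure ("zuid=" <> cookie, token)

      -- Authenticated change to a blocked-domain address is rejected; status
      -- code and error label are both asserted.
      username2 <- randomName
      bindResponse (updateEmail validUser (username2 <> "@" <> blockedDomain) cookie token) $ \resp -> do
        resp.status `shouldMatchInt` 451
        resp.json %. "label" `shouldMatch` "domain-blocked-for-registration"

      -- Control: same user, same credentials, allowed domain is accepted.
      updateEmail validUser (username2 <> "@" <> validDomain) cookie token >>= assertSuccess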

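-- | A team owner must not be able to set an address on a registration-blocked
-- domain through @putUserEmail@, neither for a team member nor for themselves.
--
-- The backend is run with @blocked.example.com@ as the only entry of brig's
-- @optSettings.setCustomerExtensions.domainsBlockedForRegistration@. For each
-- target (first the member, then the owner) the call with a blocked-domain
-- address must answer HTTP 451 with label @domain-blocked-for-registration@,
-- and the call with the same local part on the allowed domain must succeed.
--
-- NOTE(review): only the exact, lower-case spelling of the blocked domain is
-- exercised. Addresses that differ in letter case or sit on a subdomain of the
-- blocked domain are not covered here; confirm they are pinned elsewhere.
testCannotChangeTeamMemberEmailWithBlockedDomain :: (HasCallStack) => App ()
testCannotChangeTeamMemberEmailWithBlockedDomain = do
  let blockedDomain = "blocked.example.com"
      validDomain = "valid.example.com"
  withModifiedBackend
    def
      { brigCfg =
          setField
            "optSettings.setCustomerExtensions.domainsBlockedForRegistration"
            (array [fromString blockedDomain])
      }
    $ \domain -> do
      -- The pattern requires exactly one non-owner member in the result; any
      -- other list length fails the test here.
      -- NOTE(review): presumably the 2 is the total team size including the
      -- owner; confirm against createTeam.
      (owner, _team, [mem1]) <- createTeam domain 2

      -- Owner acting on another team member.
      username <- randomName
      bindResponse (putUserEmail owner mem1 (username <> "@" <> blockedDomain)) $ \resp -> do
        resp.status `shouldMatchInt` 451
        resp.json %. "label" `shouldMatch` "domain-blocked-for-registration"

      putUserEmail owner mem1 (username <> "@" <> validDomain) >>= assertSuccess

      -- Owner acting on their own account through the same endpoint: holding
      -- the owner role does not lift the domain block.
      ownerUsername <- randomName
      bindResponse (putUserEmail owner owner (ownerUsername <> "@" <> blockedDomain)) $ \resp -> do
        resp.status `shouldMatchInt` 451
        resp.json %. "label" `shouldMatch` "domain-blocked-for-registration"

      putUserEmail owner owner (ownerUsername <> "@" <> validDomain) >>= assertSuccess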

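-- | A team owner must not be able to invite an address on a
-- registration-blocked domain.
--
-- The backend is run with @blocked.example.com@ as the only entry of brig's
-- @optSettings.setCustomerExtensions.domainsBlockedForRegistration@.
-- @postInvitation@ for a blocked-domain address must answer HTTP 451 with
-- label @domain-blocked-for-registration@; the same invitation addressed to
-- the allowed domain must answer 201.
--
-- NOTE(review): only the exact, lower-case spelling of the blocked domain is
-- exercised. Addresses that differ in letter case or sit on a subdomain of the
-- blocked domain are not covered here; confirm they are pinned elsewhere.
testCannotCreateTeamInvitationWithBlockedDomain :: (HasCallStack) => App ()
testCannotCreateTeamInvitationWithBlockedDomain = do
  let blockedDomain = "blocked.example.com"
      validDomain = "valid.example.com"
  withModifiedBackend
    def
      { brigCfg =
          setField
            "optSettings.setCustomerExtensions.domainsBlockedForRegistration"
            (array [fromString blockedDomain])
      }
    $ \domain -> do
      -- The pattern requires an empty member list; a non-empty one fails the
      -- test here.
      -- NOTE(review): presumably the 1 is the total team size, i.e. the owner
      -- alone; confirm against createTeam.
      (owner, _team, []) <- createTeam domain 1

      -- Invitation to a blocked-domain address is rejected; status code and
      -- error label are both asserted.
      username <- randomName
      bindResponse (postInvitation owner (PostInvitation (Just (username <> "@" <> blockedDomain)) Nothing))
        $ \resp -> do
          resp.status `shouldMatchInt` 451
          resp.json %. "label" `shouldMatch` "domain-blocked-for-registration"

      -- Control: same local part on the allowed domain is accepted with 201;
      -- the response body is not inspected further.
      void $ postInvitation owner (PostInvitation (Just (username <> "@" <> validDomain)) Nothing) >>= getJSON 201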