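"""DNS checks for the `wg`-marked test suite: query CoreDNS with `dig`."""

import pytest
import subprocess

pytestmark = pytest.mark.wg


def _get_dns_ip(admin_client) -> str:
    """Return the CoreDNS IP from the config, falling back to the default Docker IP.

    Reads `service_ips.dns` from `GET /api/config`. Any non-200 response, or a
    missing/empty value, yields the default `172.20.0.3`.
    """
    r = admin_client.get('/api/config')
    if r.status_code == 200:
        sips = r.json().get('service_ips', {})
        dns_ip = sips.get('dns', '')
        if dns_ip:
            return dns_ip
    return '172.20.0.3'


def _dig(dns_ip: str, name: str, *options: str, timeout: int):
    """Run `dig @dns_ip name options...` and return the CompletedProcess.

    dig retries an unanswered query (three tries by default), so its worst case
    can outlast the subprocess timeout used here. Without this guard an
    unreachable server surfaces as a raw `subprocess.TimeoutExpired` traceback
    instead of a test failure that names the server.

    The command is passed as an argument list (no shell), and the config-derived
    values are embedded after the fixed `@` / `mail.` prefixes, so they cannot be
    read by dig as a leading `-` flag.
    """
    cmd = ['dig', f'@{dns_ip}', name, *options]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        pytest.fail(
            f"dig query for {name} to {dns_ip} produced no result within {timeout}s"
        )


def test_dns_resolves_via_vpn(connected_peer, admin_client):
    """Scenario 27: DNS queries for cell domain resolve via the PIC CoreDNS server."""
    r = admin_client.get('/api/config')
    domain = r.json().get('domain', 'cell') if r.status_code == 200 else 'cell'
    # CoreDNS is at the Docker bridge IP (172.20.0.3 by default).
    # The VPN tunnel routes 10.0.0.0/24 — CoreDNS is reachable via Docker bridge directly.
    # NOTE(review): because the query targets the bridge IP directly, a pass here
    # does not by itself show that the query travelled through the tunnel.
    dns_ip = _get_dns_ip(admin_client)
    result = _dig(dns_ip, f'mail.{domain}', '+short', '+time=5', timeout=10)
    # NOTE(review): dig also exits 0 for NXDOMAIN or an empty answer, so this
    # confirms the server answered, not that a record exists. Assert on
    # result.stdout as well if the scenario requires an actual address.
    assert result.returncode == 0, f"DNS query to {dns_ip} failed: {result.stderr}"


def test_dns_server_reachable_via_vpn(connected_peer, admin_client):
    """CoreDNS port 53 is reachable from the test environment."""
    dns_ip = _get_dns_ip(admin_client)
    result = _dig(dns_ip, 'health.check', '+time=2', timeout=5)
    # Even a NXDOMAIN response means DNS is up — we just need a response not a timeout
    assert 'status:' in result.stdout or result.returncode == 0, (
        f"CoreDNS at {dns_ip} did not respond: {result.stdout[:200]}"
    )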