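import re
import subprocess

import pytest

pytestmark = pytest.mark.wg

# VPN-side address the tests expect CoreDNS to answer on.
_VPN_DNS = '10.0.0.1'


def _run_dig(qname, *options, timeout):
    """Query ``_VPN_DNS`` for *qname* with dig and return the CompletedProcess.

    The command is passed as an argv list (no shell), so *qname* reaches dig
    as a single argument. dig retries by default, so its total run time can
    exceed the subprocess timeout; that case is reported as a test failure
    instead of surfacing as a raw ``TimeoutExpired`` traceback.
    """
    cmd = ['dig', f'@{_VPN_DNS}', qname, *options]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        pytest.fail(f"dig got no answer from {_VPN_DNS} within {timeout}s")


def _dig_status(output):
    """Return the response code named in dig's header line, or None.

    None means dig printed no ``status:`` field, i.e. no reply was received.
    """
    found = re.search(r'status:\s*([A-Z0-9]+)', output)
    return found.group(1) if found else None


def test_dns_resolves_via_vpn(connected_peer, admin_client):
    """Scenario 27: DNS queries for cell domain resolve via 10.0.0.1 (CoreDNS)."""
    # Get the configured domain, falling back to 'cell' if the API call fails.
    r = admin_client.get('/api/config')
    domain = r.json().get('domain', 'cell') if r.status_code == 200 else 'cell'

    # Query CoreDNS at the server VPN IP. '+short' is deliberately not used:
    # it hides the header, and the header is the only place the response
    # code (NOERROR / NXDOMAIN / SERVFAIL) is visible.
    result = _run_dig(f'mail.{domain}', '+time=5', timeout=10)

    # dig exits 0 for any reply, including SERVFAIL, so the exit code alone
    # cannot enforce "not SERVFAIL"; the status field has to be checked too.
    assert result.returncode == 0, f"DNS query failed: {result.stderr}"
    status = _dig_status(result.stdout)
    assert status is not None, f"No DNS response header in dig output: {result.stdout}"
    assert status != 'SERVFAIL', f"CoreDNS returned SERVFAIL for mail.{domain}"


def test_dns_server_reachable_via_vpn(connected_peer):
    """CoreDNS port 53 is reachable from within the VPN."""
    result = _run_dig('health.check', '+time=2', timeout=5)

    # Any reply (even NXDOMAIN or SERVFAIL) proves the resolver is listening.
    # The previous 'SERVFAIL not in stdout or ...' check was also true when
    # dig received no reply at all, so the test could not fail on an
    # unreachable or refused port.
    assert result.returncode == 0, (
        f"No reply from {_VPN_DNS}:53: {result.stdout} {result.stderr}"
    )
    assert _dig_status(result.stdout) is not None, (
        f"dig printed no response header: {result.stdout}"
    )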