module SystemCheck
  module App
    class GitUserDefaultSSHConfigCheck < SystemCheck::BaseCheck
      # These files are allowed in the .ssh directory. The `config` file is not
      # whitelisted as it may change the SSH client's behaviour dramatically.
      WHITELIST = %w[
        authorized_keys
        authorized_keys.lock
        authorized_keys2
        known_hosts
      ].freeze

      set_name 'Git user has default SSH configuration?'
      set_skip_reason 'skipped (git user is not present / configured)'

      def skip?
        !home_dir || !File.directory?(home_dir)
      end

      def check?
        forbidden_files.empty?
      end

      def show_error
        backup_dir = "~/gitlab-check-backup-#{Time.now.to_i}"

        instructions = forbidden_files.map do |filename|
          "sudo mv #{Shellwords.escape(filename)} #{backup_dir}"
        end

        try_fixing_it("mkdir #{backup_dir}", *instructions)
        for_more_information('doc/ssh/README.md in section "SSH on the GitLab server"')
        fix_and_rerun
      end

      private

      def git_user
        Gitlab.config.gitlab.user
      end

      def home_dir
        return @home_dir if defined?(@home_dir)

        @home_dir =
          begin
            File.expand_path("~#{git_user}")
          rescue ArgumentError
            nil
          end
      end

      def ssh_dir
        return nil unless home_dir

        File.join(home_dir, '.ssh')
      end

      def forbidden_files
        @forbidden_files ||=
          begin
            present = Dir[File.join(ssh_dir, '*')]
            whitelisted = WHITELIST.map { |basename| File.join(ssh_dir, basename) }

            present - whitelisted
          end
      end
    end
  end
end