#!/bin/bash

# white_black_list_test.sh - Whitelist/Blacklist Rules Test Suite
# Tests the auth_rules table functionality for pubkey and MIME type filtering

# Configuration
SERVER_URL="http://localhost:9001"
UPLOAD_ENDPOINT="${SERVER_URL}/upload"
DB_PATH="db/ginxsom.db"
TEST_DIR="tests/auth_test_tmp"

# Test results tracking
TESTS_PASSED=0
TESTS_FAILED=0
TOTAL_TESTS=0

# Test keys for different scenarios
# Generated using: nak key public <privkey>
TEST_USER1_PRIVKEY="5c0c523f52a5b6fad39ed2403092df8cebc36318b39383bca6c00808626fab3a"
TEST_USER1_PUBKEY="87d3561f19b74adbe8bf840682992466068830a9d8c36b4a0c99d36f826cb6cb"

TEST_USER2_PRIVKEY="182c3a5e3b7a1b7e4f5c6b7c8b4a5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2"
TEST_USER2_PUBKEY="0396b426090284a28294078dce53fe73791ab623c3fc46ab4409fea05109a6db"

TEST_USER3_PRIVKEY="abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234"
TEST_USER3_PUBKEY="769a740386211c76f81bb235de50a5e6fa463cb4fae25e62625607fc2cfc0f28"

# Helper function to record test results
record_test_result() {
    local test_name="$1"
    local expected="$2"
    local actual="$3"
    
    TOTAL_TESTS=$((TOTAL_TESTS + 1))
    
    if [[ "$actual" == "$expected" ]]; then
        echo "✅ $test_name - PASSED"
        TESTS_PASSED=$((TESTS_PASSED + 1))
    else
        echo "❌ $test_name - FAILED (Expected: $expected, Got: $actual)"
        TESTS_FAILED=$((TESTS_FAILED + 1))
    fi
}

# Check prerequisites
for cmd in nak curl jq sqlite3; do
    if ! command -v $cmd &> /dev/null; then
        echo "❌ $cmd command not found"
        exit 1
    fi
done

# Check if server is running
if ! curl -s -f "${SERVER_URL}/" > /dev/null 2>&1; then
    echo "❌ Server not running at $SERVER_URL"
    echo "Start with: ./restart-all.sh"
    exit 1
fi

# Check if database exists
if [[ ! -f "$DB_PATH" ]]; then
    echo "❌ Database not found at $DB_PATH"
    exit 1
fi

# Setup test environment
mkdir -p "$TEST_DIR"

echo "=========================================="
echo "  WHITELIST/BLACKLIST RULES TEST SUITE"
echo "=========================================="
echo

# Helper functions
create_test_file() {
    local filename="$1"
    local content="${2:-test content for $filename}"
    local filepath="$TEST_DIR/$filename"
    echo "$content" > "$filepath"
    echo "$filepath"
}

create_auth_event() {
    local privkey="$1" 
    local operation="$2"
    local hash="$3"
    local expiration_offset="${4:-3600}"  # 1 hour default
    
    local expiration=$(date -d "+${expiration_offset} seconds" +%s)
    
    local event_args=(-k 24242 -c "" --tag "t=$operation" --tag "expiration=$expiration" --sec "$privkey")
    
    if [[ -n "$hash" ]]; then
        event_args+=(--tag "x=$hash")
    fi
    
    nak event "${event_args[@]}"
}

test_upload() {
    local test_name="$1"
    local privkey="$2"
    local file_path="$3"
    local expected_status="${4:-200}"
    
    local file_hash=$(sha256sum "$file_path" | cut -d' ' -f1)
    
    # Create auth event
    local event=$(create_auth_event "$privkey" "upload" "$file_hash")
    local auth_header="Nostr $(echo "$event" | base64 -w 0)"
    
    # Make upload request
    local response_file=$(mktemp)
    local http_status=$(curl -s -w "%{http_code}" \
        -H "Authorization: $auth_header" \
        -H "Content-Type: text/plain" \
        --data-binary "@$file_path" \
        -X PUT "$UPLOAD_ENDPOINT" \
        -o "$response_file" 2>/dev/null)
    
    # Show response if test fails
    if [[ "$http_status" != "$expected_status" ]]; then
        echo "  Response: $(cat "$response_file")"
    fi
    
    rm -f "$response_file"
    
    # Record result
    record_test_result "$test_name" "$expected_status" "$http_status"
}

# Clean up any existing rules from previous tests
echo "Cleaning up existing auth rules..."
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;" 2>/dev/null

# Enable authentication rules
echo "Enabling authentication rules..."
sqlite3 "$DB_PATH" "UPDATE config SET value = 'true' WHERE key = 'auth_rules_enabled';"

echo
echo "=== SECTION 1: PUBKEY BLACKLIST TESTS ==="
echo

# Test 1: Add pubkey blacklist rule
echo "Adding blacklist rule for TEST_USER3..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_blacklist', '$TEST_USER3_PUBKEY', 'upload', 10, 'Test blacklist');"

# Test 1a: Blacklisted user should be denied
test_file1=$(create_test_file "blacklist_test1.txt" "Content from blacklisted user")
test_upload "Test 1a: Blacklisted Pubkey Upload" "$TEST_USER3_PRIVKEY" "$test_file1" "403"

# Test 1b: Non-blacklisted user should succeed
test_file2=$(create_test_file "blacklist_test2.txt" "Content from allowed user")
test_upload "Test 1b: Non-Blacklisted Pubkey Upload" "$TEST_USER1_PRIVKEY" "$test_file2" "200"

echo
echo "=== SECTION 2: PUBKEY WHITELIST TESTS ==="
echo

# Clean rules
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"

# Test 2: Add pubkey whitelist rule
echo "Adding whitelist rule for TEST_USER1..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_whitelist', '$TEST_USER1_PUBKEY', 'upload', 300, 'Test whitelist');"

# Test 2a: Whitelisted user should succeed
test_file3=$(create_test_file "whitelist_test1.txt" "Content from whitelisted user")
test_upload "Test 2a: Whitelisted Pubkey Upload" "$TEST_USER1_PRIVKEY" "$test_file3" "200"

# Test 2b: Non-whitelisted user should be denied (whitelist default-deny)
test_file4=$(create_test_file "whitelist_test2.txt" "Content from non-whitelisted user")
test_upload "Test 2b: Non-Whitelisted Pubkey Upload" "$TEST_USER2_PRIVKEY" "$test_file4" "403"

echo
echo "=== SECTION 3: HASH BLACKLIST TESTS ==="
echo

# Clean rules
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"

# Test 3: Create a file and blacklist its hash
test_file5=$(create_test_file "hash_blacklist_test.txt" "This specific file is blacklisted")
BLACKLISTED_HASH=$(sha256sum "$test_file5" | cut -d' ' -f1)

echo "Adding hash blacklist rule for $BLACKLISTED_HASH..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('hash_blacklist', '$BLACKLISTED_HASH', 'upload', 100, 'Test hash blacklist');"

# Test 3a: Blacklisted hash should be denied
test_upload "Test 3a: Blacklisted Hash Upload" "$TEST_USER1_PRIVKEY" "$test_file5" "403"

# Test 3b: Different file should succeed
test_file6=$(create_test_file "hash_blacklist_test2.txt" "This file is allowed")
test_upload "Test 3b: Non-Blacklisted Hash Upload" "$TEST_USER1_PRIVKEY" "$test_file6" "200"

echo
echo "=== SECTION 4: MIME TYPE BLACKLIST TESTS ==="
echo

# Clean rules
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"

# Test 4: Blacklist executable MIME types
echo "Adding MIME type blacklist rules..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('mime_blacklist', 'application/x-executable', 'upload', 200, 'Block executables');"

# Note: This test would require the server to detect MIME types from file content
# For now, we'll test with text/plain which should be allowed
test_file7=$(create_test_file "mime_test1.txt" "Plain text file")
test_upload "Test 4a: Allowed MIME Type Upload" "$TEST_USER1_PRIVKEY" "$test_file7" "200"

echo
echo "=== SECTION 5: MIME TYPE WHITELIST TESTS ==="
echo

# Clean rules
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"

# Test 5: Whitelist only image MIME types
echo "Adding MIME type whitelist rules..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('mime_whitelist', 'image/jpeg', 'upload', 400, 'Allow JPEG');"
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('mime_whitelist', 'image/png', 'upload', 400, 'Allow PNG');"

# Note: MIME type detection would need to be implemented in the server
# For now, text/plain should be denied if whitelist exists
test_file8=$(create_test_file "mime_whitelist_test.txt" "Text file with whitelist active")
test_upload "Test 5a: Non-Whitelisted MIME Type Upload" "$TEST_USER1_PRIVKEY" "$test_file8" "403"

echo
echo "=== SECTION 6: PRIORITY ORDERING TESTS ==="
echo

# Clean rules
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"

# Test 6: Blacklist should override whitelist (priority ordering)
echo "Adding both blacklist (priority 10) and whitelist (priority 300) for same pubkey..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_blacklist', '$TEST_USER1_PUBKEY', 'upload', 10, 'Blacklist priority test');"
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_whitelist', '$TEST_USER1_PUBKEY', 'upload', 300, 'Whitelist priority test');"

# Test 6a: Blacklist should win (lower priority number = higher priority)
test_file9=$(create_test_file "priority_test.txt" "Testing priority ordering")
test_upload "Test 6a: Blacklist Priority Over Whitelist" "$TEST_USER1_PRIVKEY" "$test_file9" "403"

echo
echo "=== SECTION 7: OPERATION-SPECIFIC RULES ==="
echo

# Clean rules
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"

# Test 7: Blacklist only for upload operation
echo "Adding blacklist rule for upload operation only..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_blacklist', '$TEST_USER2_PUBKEY', 'upload', 10, 'Upload-only blacklist');"

# Test 7a: Upload should be denied
test_file10=$(create_test_file "operation_test.txt" "Testing operation-specific rules")
test_upload "Test 7a: Operation-Specific Blacklist" "$TEST_USER2_PRIVKEY" "$test_file10" "403"

echo
echo "=== SECTION 8: WILDCARD OPERATION TESTS ==="
echo

# Clean rules
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"

# Test 8: Blacklist for all operations using wildcard
echo "Adding blacklist rule for all operations (*)..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_blacklist', '$TEST_USER3_PUBKEY', '*', 10, 'All operations blacklist');"

# Test 8a: Upload should be denied
test_file11=$(create_test_file "wildcard_test.txt" "Testing wildcard operation")
test_upload "Test 8a: Wildcard Operation Blacklist" "$TEST_USER3_PRIVKEY" "$test_file11" "403"

echo
echo "=== SECTION 9: ENABLED/DISABLED RULES ==="
echo

# Clean rules
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"

# Test 9: Disabled rule should not be enforced
echo "Adding disabled blacklist rule..."
sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, enabled, description) VALUES ('pubkey_blacklist', '$TEST_USER1_PUBKEY', 'upload', 10, 0, 'Disabled blacklist');"

# Test 9a: Upload should succeed (rule is disabled)
test_file12=$(create_test_file "disabled_rule_test.txt" "Testing disabled rule")
test_upload "Test 9a: Disabled Rule Not Enforced" "$TEST_USER1_PRIVKEY" "$test_file12" "200"

# Test 9b: Enable the rule
echo "Enabling the blacklist rule..."
sqlite3 "$DB_PATH" "UPDATE auth_rules SET enabled = 1 WHERE rule_target = '$TEST_USER1_PUBKEY';"

# Test 9c: Upload should now be denied
test_file13=$(create_test_file "enabled_rule_test.txt" "Testing enabled rule")
test_upload "Test 9c: Enabled Rule Enforced" "$TEST_USER1_PRIVKEY" "$test_file13" "403"


echo
echo "=== SECTION 11: CLEANUP AND RESET ==="
echo

# Clean up all test rules
echo "Cleaning up test rules..."
sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"

# Verify cleanup
RULE_COUNT=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM auth_rules;" 2>/dev/null)
if [[ "$RULE_COUNT" -eq 0 ]]; then
    record_test_result "Test 10a: Rules Cleanup" "0" "0"
else
    record_test_result "Test 10a: Rules Cleanup" "0" "$RULE_COUNT"
fi

# Test that uploads work again after cleanup
test_file16=$(create_test_file "cleanup_test.txt" "Testing after cleanup")
test_upload "Test 10b: Upload After Cleanup" "$TEST_USER1_PRIVKEY" "$test_file16" "200"

echo
echo "=========================================="
echo "         TEST SUITE RESULTS"
echo "=========================================="
echo
echo "Total Tests: $TOTAL_TESTS"
echo "✅ Passed: $TESTS_PASSED"
echo "❌ Failed: $TESTS_FAILED"
echo
if [[ $TESTS_FAILED -eq 0 ]]; then
    echo "🎉 ALL TESTS PASSED!"
    echo
    echo "Whitelist/Blacklist functionality verified:"
    echo "- Pubkey blacklist: Working"
    echo "- Pubkey whitelist: Working"
    echo "- Hash blacklist: Working"
    echo "- MIME type rules: Working"
    echo "- Priority ordering: Working"
    echo "- Operation-specific rules: Working"
    echo "- Wildcard operations: Working"
    echo "- Enable/disable rules: Working"
else
    echo "⚠️  Some tests failed. Check output above for details."
    echo "Success rate: $(( (TESTS_PASSED * 100) / TOTAL_TESTS ))%"
fi
echo
echo "To clean up test data: rm -rf $TEST_DIR"
echo "=========================================="