#!/usr/bin/env bash

# Try to upload a file to S3 and then delete it using the configapi cli.
# Check the file exists after uploading it.
# Check the file does not exist after deleting it.

###### script header ######

lib=$(realpath @@BASE_LIB@@) || exit 1
stat "${lib}" >> /dev/null || exit 1

# shellcheck source=../../../../../bazel/sh/lib.bash
if ! source "${lib}"; then
  echo "Error: could not find import"
  exit 1
fi

configapi_cli=$(realpath @@CONFIGAPI_CLI@@)
stat "${configapi_cli}" >> /dev/null
configapi_cli="${configapi_cli} --testing"
###### script body ######

readonly region="eu-west-1"
readonly bucket="resource-api-testing"

tmpdir=$(mktemp -d)
readonly tmpdir
registerExitHandler "rm -rf $tmpdir"

# empty the bucket version state
${configapi_cli} delete recursive --region "$region" --bucket "$bucket"

# the high version numbers ensure that it's newer than the current latest value
readonly current_claim_path="$tmpdir/currentMaaClaim.json"
cat << EOF > "$current_claim_path"
{
  "x-ms-isolation-tee": {
    "x-ms-sevsnpvm-tee-svn": 1,
    "x-ms-sevsnpvm-snpfw-svn": 1,
    "x-ms-sevsnpvm-microcode-svn": 1,
    "x-ms-sevsnpvm-bootloader-svn": 1
  }
}
EOF
# upload a fake latest version for the fetcher
${configapi_cli} --force --maa-claims-path "$current_claim_path" --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket"

# the high version numbers ensure that it's newer than the current latest value
readonly claim_path="$tmpdir/maaClaim.json"
cat << EOF > "$claim_path"
{
  "x-ms-isolation-tee": {
    "x-ms-sevsnpvm-tee-svn": 255,
    "x-ms-sevsnpvm-snpfw-svn": 255,
    "x-ms-sevsnpvm-microcode-svn": 255,
    "x-ms-sevsnpvm-bootloader-svn": 255
  }
}
EOF

# has an older version
readonly older_claim_path="$tmpdir/maaClaimOld.json"
cat << EOF > "$older_claim_path"
{
  "x-ms-isolation-tee": {
    "x-ms-sevsnpvm-tee-svn": 255,
    "x-ms-sevsnpvm-snpfw-svn": 255,
    "x-ms-sevsnpvm-microcode-svn": 254,
    "x-ms-sevsnpvm-bootloader-svn": 255
  }
}
EOF

# report 3 versions with different dates to fill the reporter cache
readonly date_oldest="2023-02-01-03-04"
${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3
readonly date_older="2023-02-02-03-04"
${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3
readonly date="2023-02-03-03-04"
${configapi_cli} --maa-claims-path "$claim_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3

# expect that $date_oldest is served as latest version
baseurl="https://d33dzgxuwsgbpw.cloudfront.net/constellation/v1/attestation/azure-sev-snp"
if ! curl -fsSL ${baseurl}/${date_oldest}.json > version.json; then
  echo "Checking for uploaded version file constellation/v1/attestation/azure-sev-snp/${date_oldest}.json: request returned ${?}"
  exit 1
fi
# check that version values are equal to expected
if ! cmp -s <(echo -n '{"bootloader":255,"tee":255,"snp":255,"microcode":254}') version.json; then
  echo "The version content:"
  cat version.json
  echo " is not equal to the expected version content:"
  echo '{"bootloader":255,"tee":255,"snp":255,"microcode":254}'
  exit 1
fi
if ! curl -fsSL ${baseurl}/${date_oldest}.json.sig > /dev/null; then
  echo "Checking for uploaded version signature file constellation/v1/attestation/azure-sev-snp/${date_oldest}.json.sig: request returned ${?}"
  exit 1
fi
# check list endpoint
if ! curl -fsSL ${baseurl}/list > list.json; then
  echo "Checking for uploaded list file constellation/v1/attestation/azure-sev-snp/list: request returned ${?}"
  exit 1
fi
# check that version values are equal to expected
if ! cmp -s <(echo -n '["2023-02-01-03-04.json","2000-01-01-01-01.json"]') list.json; then
  echo "The list content:"
  cat list.json
  echo " is not equal to the expected version content:"
  echo '["2023-02-01-03-04.json","2000-01-01-01-01.json"]'
  exit 1
fi

# check that the other versions are not uploaded
http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date_older}.json)
if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date_older}.json, but got ${http_code}"
  exit 1
fi
http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date}.json.sig)
if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date}.json, but got ${http_code}"
  exit 1
fi

${configapi_cli} delete --version "$date_oldest" --region "$region" --bucket "$bucket"

# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.
http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date_oldest}.json)
if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date_oldest}.json, but got ${http_code}"
  exit 1
fi
# Omit -f to check for 404. We want to check that a file was deleted, therefore we expect the query to fail.
http_code=$(curl -sSL -w '%{http_code}\n' -o /dev/null ${baseurl}/${date_oldest}.json.sig)
if [[ $http_code -ne 404 ]]; then
  echo "Expected HTTP code 404 for: constellation/v1/attestation/azure-sev-snp/${date_oldest}.json, but got ${http_code}"
  exit 1
fi