#!/bin/bash -x
# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
#
# Copyright (c) 2016 Red Hat, Inc.
# Author: Nathaniel McCallum <npmccallum@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

function on_exit() {
    if [ "$PID" ]; then kill $PID; wait $PID || true; fi
    [ -d "$TMP" ] && rm -rf $TMP
}

trap 'on_exit' EXIT
trap 'exit' ERR

export TMP=`mktemp -d`
mkdir -p $TMP/db
mkdir -p $TMP/cache

tangd-keygen $TMP/db sig exc
jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
tangd-update $TMP/db $TMP/cache

for addr in "127.0.0.1" "[::1]"; do
  port=`shuf -i 1024-65536 -n 1`
  $SD_ACTIVATE -l "$addr:$port" -a $VALGRIND tangd $TMP/cache &
  export PID=$!
  sleep 0.5

  # Make sure requests on the root fail
  ! curl -sfg http://$addr:$port/

  # The request should fail (404) for non-signature key IDs
  ! curl -sfg http://$addr:$port/adv/`jose jwk thp -i $TMP/db/exc.jwk`
  ! curl -sfg http://$addr:$port/adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk`

  # The default advertisement fetch should succeed and pass verification
  curl -sfg http://$addr:$port/adv
  curl -sfg http://$addr:$port/adv | jose jws ver -i- -k $TMP/db/sig.jwk
  curl -sfg http://$addr:$port/adv/ | jose jws ver -i- -k $TMP/db/sig.jwk

  # Fetching by any thumbprint should work
  curl -sfg http://$addr:$port/adv/`jose jwk thp -i $TMP/db/sig.jwk` | jose jws ver -i- -k $TMP/db/sig.jwk
  curl -sfg http://$addr:$port/adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | jose jws ver -i- -k $TMP/db/sig.jwk

  # Requesting an adv by an advertised key ID should't be signed by hidden keys
  ! curl -sfg http://$addr:$port/adv/`jose jwk thp -i $TMP/db/sig.jwk` | jose jws ver -i- -k $TMP/db/.sig.jwk
  ! curl -sfg http://$addr:$port/adv/`jose jwk thp -i $TMP/db/sig.jwk` | jose jws ver -i- -k $TMP/db/.oth.jwk

  # Verify that the default advertisement is not signed with hidden signature keys
  ! curl -sfg http://$addr:$port/adv/ | jose jws ver -i- -k $TMP/db/.oth.jwk
  ! curl -sfg http://$addr:$port/adv/ | jose jws ver -i- -k $TMP/db/.sig.jwk

  # A private key advertisement is signed by all advertised keys and the requested private key
  curl -sfg http://$addr:$port/adv/`jose jwk thp -i $TMP/db/.sig.jwk` | jose jws ver -i- -k $TMP/db/sig.jwk
  curl -sfg http://$addr:$port/adv/`jose jwk thp -i $TMP/db/.sig.jwk` | jose jws ver -i- -k $TMP/db/.sig.jwk
  ! curl -sfg http://$addr:$port/adv/`jose jwk thp -i $TMP/db/.sig.jwk` | jose jws ver -i- -k $TMP/db/.oth.jwk

  # Verify that the advertisements contain the cty parameter
  curl -sfg http://$addr:$port/adv \
      | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
  curl -sfg http://$addr:$port/adv/`jose jwk thp -i $TMP/db/.sig.jwk` \
      | jose fmt -j- -Og signatures -A \
                 -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
                 -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU

  kill $PID
  wait $PID || true
  unset PID
done
