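#!/bin/bash
# RBAC Test Suite
# Tests all RBAC permission checks: allow and deny scenarios
#
# Usage: ./scripts/test-rbac.sh
#
# Environment (all optional):
#   API_BASE        base URL of the API under test (default http://localhost:8082)
#   DEMO_DOSSIER    id of the demo dossier used as the "owner" (default 1111111111111111)
#   OWNER_TOKEN     token that owns DEMO_DOSSIER. Defaults to DEMO_DOSSIER itself,
#                   which is how the existing tests address the demo dossier —
#                   confirm against the API fixtures if the demo setup changes.
#   STRANGER_TOKEN  a VALID token for a second dossier that must NOT have access
#                   to DEMO_DOSSIER. When unset, a well-formed token the server has
#                   never issued is used instead. In that fallback mode every
#                   "stranger" test only proves that an unknown caller is rejected
#                   (401); it does NOT prove that a legitimate user is kept out of
#                   someone else's dossier (403), which is the actual RBAC property.
#                   Set STRANGER_TOKEN for a real cross-dossier check; the deny
#                   tests then require a 403.
#   CURL_TIMEOUT    per-request timeout in seconds (default 15)
#
# Prerequisites:
# - API server running at API_BASE
# - At least two dossiers exist (owner and stranger) for a full deny-path run
#
# NOTE(security): the API under test carries the token in the query string
# ("?token="), so every request URL built here contains a credential. Run this
# only against local/dev instances — proxies and access logs record URLs, and
# "bash -x" would echo the tokens to the terminal.

set -euo pipefail

API_BASE="${API_BASE:-http://localhost:8082}"
DEMO_DOSSIER="${DEMO_DOSSIER:-1111111111111111}"
OWNER_TOKEN="${OWNER_TOKEN:-$DEMO_DOSSIER}"
STRANGER_TOKEN="${STRANGER_TOKEN:-}"
CURL_TIMEOUT="${CURL_TIMEOUT:-15}"

# Fallback "stranger": syntactically plausible, never issued by the server.
FAKE_STRANGER="aaaaaaaaaaaaaaaa"

# Pick the stranger identity and the status codes that count as a denial.
# A real stranger token must be refused by authorization (403); an unknown
# token is legitimately refused by authentication (401) before RBAC runs.
if [ -n "$STRANGER_TOKEN" ]; then
  STRANGER="$STRANGER_TOKEN"
  DENY_STATUSES="403"
  STRANGER_MODE="valid stranger token (full cross-dossier RBAC check)"
else
  STRANGER="$FAKE_STRANGER"
  DENY_STATUSES="401 403"
  STRANGER_MODE="unknown token only (set STRANGER_TOKEN for a real cross-dossier check)"
fi

TESTS_PASSED=0
TESTS_FAILED=0

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Test helper functions
pass() {
  echo -e "${GREEN}PASS${NC}: $1"
  TESTS_PASSED=$((TESTS_PASSED + 1))
}

fail() {
  echo -e "${RED}FAIL${NC}: $1"
  TESTS_FAILED=$((TESTS_FAILED + 1))
}

skip() {
  echo -e "${YELLOW}SKIP${NC}: $1"
}

# Print a section banner.
section() {
  echo ""
  echo "============================================"
  echo "$1"
  echo "============================================"
  echo ""
}

# Print the HTTP status code of a GET. Never returns non-zero: on a connection
# failure curl prints "000" and exits non-zero, and under "set -e" that would
# abort the suite mid-run instead of being reported as a failed test.
http_status() {
  curl -s -o /dev/null --max-time "$CURL_TIMEOUT" -w "%{http_code}" "$@" || true
}

# Print the response body of a GET (empty on connection failure).
http_get() {
  curl -s --max-time "$CURL_TIMEOUT" "$@" || true
}

# Print the first "id":"..." value found in a JSON body passed as $1, or
# nothing. This is a regex scan, not a JSON parser: it picks up the first id
# in document order, nested or not. Sufficient for the fixture payloads here.
first_id() {
  local body="$1"
  local re='"id":"([^"]*)"'
  if [[ "$body" =~ $re ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
  fi
}

# Is status "$1" one of the space-separated codes in "$2"?
status_in() {
  local code="$1" want
  # $2 is deliberately unquoted: it is a space-separated list of codes.
  for want in $2; do
    [ "$code" = "$want" ] && return 0
  done
  return 1
}

# Run one status-code test.
#   $1 description, $2 accepted codes ("200" or "401 403"), $3 URL
# Passes when the response status is in the accepted list, fails otherwise.
expect_status() {
  local desc="$1" accepted="$2" url="$3" status
  status=$(http_status "$url")
  if status_in "$status" "$accepted"; then
    pass "$desc ($status)"
  else
    fail "$desc: got $status, expected ${accepted// / or }"
  fi
}

echo "============================================"
echo "RBAC Test Suite"
echo "============================================"
echo ""

# Check API is running
echo "Checking API availability..."
if [ "$(http_status "$API_BASE/api/version")" != "200" ]; then
  echo -e "${RED}ERROR${NC}: API server not responding at $API_BASE" >&2
  exit 1
fi
echo "API is running."
echo "Stranger mode: $STRANGER_MODE"

section "1. BASIC ACCESS TESTS"

# Test 1.1: Missing token returns 401 or 400
echo "Test 1.1: Request without token"
expect_status "Missing token rejected" "401 400" "$API_BASE/api/dossiers"

# Test 1.2: Invalid token returns 401/403
echo "Test 1.2: Request with invalid token"
expect_status "Invalid token rejected" "401 403" \
  "$API_BASE/api/dossiers?token=invalid_token_12345"

# Test 1.3: Valid token returns 200
echo "Test 1.3: Request with valid token (demo dossier)"
expect_status "Valid token accepted" "200" \
  "$API_BASE/api/dossiers?token=$OWNER_TOKEN"

section "2. DOSSIER ACCESS TESTS"

# Test 2.1: Owner can read own dossier
echo "Test 2.1: Owner reads own dossier"
expect_status "Owner can read own dossier" "200" \
  "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$OWNER_TOKEN"

# Test 2.2: Stranger cannot read other's dossier
echo "Test 2.2: Stranger cannot read other's dossier"
expect_status "Stranger denied access to other's dossier" "$DENY_STATUSES" \
  "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$STRANGER"

section "3. IMAGING ACCESS TESTS"

# Test 3.1: Owner can list studies
echo "Test 3.1: Owner lists studies"
expect_status "Owner can list studies" "200" \
  "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$OWNER_TOKEN"

# Test 3.2: Owner can list series (needs a study id from the listing above)
echo "Test 3.2: Owner lists series (requires valid study)"
STUDY_ID=$(first_id "$(http_get "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$OWNER_TOKEN")")
if [ -n "$STUDY_ID" ]; then
  expect_status "Owner can list series" "200" \
    "$API_BASE/api/series?dossier=$DEMO_DOSSIER&study=$STUDY_ID&token=$OWNER_TOKEN"
else
  skip "No studies available to test series access"
fi

# Test 3.3: Stranger cannot list studies
echo "Test 3.3: Stranger cannot list studies"
expect_status "Stranger denied listing studies" "$DENY_STATUSES" \
  "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$STRANGER"

section "4. LAB ACCESS TESTS"

# Test 4.1: Owner can list lab tests
echo "Test 4.1: Owner lists lab tests"
expect_status "Owner can list lab tests" "200" \
  "$API_BASE/api/labs/tests?dossier=$DEMO_DOSSIER&token=$OWNER_TOKEN"

# Test 4.2: Stranger cannot list lab tests
echo "Test 4.2: Stranger cannot list lab tests"
expect_status "Stranger denied listing lab tests" "$DENY_STATUSES" \
  "$API_BASE/api/labs/tests?dossier=$DEMO_DOSSIER&token=$STRANGER"

section "5. GENOME ACCESS TESTS"

# Test 5.1: Owner can query genome
echo "Test 5.1: Owner queries genome"
expect_status "Owner can query genome" "200" \
  "$API_BASE/api/genome?dossier=$DEMO_DOSSIER&token=$OWNER_TOKEN"

# Test 5.2: Stranger cannot query genome
echo "Test 5.2: Stranger cannot query genome"
expect_status "Stranger denied genome query" "$DENY_STATUSES" \
  "$API_BASE/api/genome?dossier=$DEMO_DOSSIER&token=$STRANGER"

section "6. IMAGE ACCESS TESTS"

# Test 6.1: Image endpoint requires auth. Walk study -> series -> slice to find
# an image id; skip with a reason at whichever level the fixtures run out.
echo "Test 6.1: Image endpoint requires authentication"
SERIES_ID=""
SLICE_ID=""
if [ -n "$STUDY_ID" ]; then
  SERIES_ID=$(first_id "$(http_get "$API_BASE/api/series?dossier=$DEMO_DOSSIER&study=$STUDY_ID&token=$OWNER_TOKEN")")
fi
if [ -n "$SERIES_ID" ]; then
  SLICE_ID=$(first_id "$(http_get "$API_BASE/api/slices?dossier=$DEMO_DOSSIER&series=$SERIES_ID&token=$OWNER_TOKEN")")
fi

if [ -z "$STUDY_ID" ]; then
  skip "No studies available to test image access"
elif [ -z "$SERIES_ID" ]; then
  skip "No series available to test image access"
elif [ -z "$SLICE_ID" ]; then
  skip "No slices available to test image access"
else
  # Without a token the image route must refuse outright.
  expect_status "Image endpoint requires auth" "401" \
    "$API_BASE/image/$SLICE_ID"
  expect_status "Owner can access image" "200" \
    "$API_BASE/image/$SLICE_ID?token=$OWNER_TOKEN"
  expect_status "Stranger denied image access" "$DENY_STATUSES" \
    "$API_BASE/image/$SLICE_ID?token=$STRANGER"
fi

section "7. RBAC CHECK ENDPOINT TESTS"

# Match the "allowed" flag while tolerating whitespace around the colon.
ALLOWED_TRUE_RE='"allowed"[[:space:]]*:[[:space:]]*true'
ALLOWED_FALSE_RE='"allowed"[[:space:]]*:[[:space:]]*false'

# Test 7.1: RBAC check endpoint reports the owner as allowed
echo "Test 7.1: RBAC check endpoint"
URL="$API_BASE/api/rbac/check?dossier=$DEMO_DOSSIER&op=r&token=$OWNER_TOKEN"
STATUS=$(http_status "$URL")
if [ "$STATUS" = "200" ]; then
  RESPONSE=$(http_get "$URL")
  if [[ "$RESPONSE" =~ $ALLOWED_TRUE_RE ]]; then
    pass "RBAC check returns allowed=true for owner"
  else
    fail "RBAC check did not return allowed=true for owner"
  fi
else
  fail "RBAC check endpoint returned $STATUS, expected 200"
fi

# Test 7.2: RBAC check denies stranger. A 200 only counts when the body says
# allowed=false; a 200 with any other body (e.g. allowed=true) is a failure,
# not a pass. Rejection before the check runs is accepted per DENY_STATUSES.
echo "Test 7.2: RBAC check denies stranger"
URL="$API_BASE/api/rbac/check?dossier=$DEMO_DOSSIER&op=r&token=$STRANGER"
STATUS=$(http_status "$URL")
if [ "$STATUS" = "200" ]; then
  RESPONSE=$(http_get "$URL")
  if [[ "$RESPONSE" =~ $ALLOWED_FALSE_RE ]]; then
    pass "RBAC check returns allowed=false for stranger"
  else
    fail "RBAC check returned 200 for stranger without allowed=false"
  fi
elif status_in "$STATUS" "$DENY_STATUSES"; then
  pass "RBAC check denies stranger ($STATUS)"
else
  fail "RBAC check for stranger returned $STATUS, expected 200 with allowed=false or ${DENY_STATUSES// / or }"
fi

section "8. ENTRIES ENDPOINT TESTS"

# Test 8.1: Owner can list entries
echo "Test 8.1: Owner lists entries"
expect_status "Owner can list entries" "200" \
  "$API_BASE/api/entries?dossier=$DEMO_DOSSIER&token=$OWNER_TOKEN"

# Test 8.2: Stranger cannot list entries
echo "Test 8.2: Stranger cannot list entries"
expect_status "Stranger denied listing entries" "$DENY_STATUSES" \
  "$API_BASE/api/entries?dossier=$DEMO_DOSSIER&token=$STRANGER"

section "SUMMARY"

echo -e "${GREEN}Passed${NC}: $TESTS_PASSED"
echo -e "${RED}Failed${NC}: $TESTS_FAILED"
echo ""
if [ "$TESTS_FAILED" -gt 0 ]; then
  echo -e "${RED}Some tests failed!${NC}"
  exit 1
fi
echo -e "${GREEN}All tests passed!${NC}"
exit 0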