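#!/bin/bash
#
# End-to-end smoke test for the PKI API: login, CA hierarchy creation,
# certificate issuance, the four export formats, revocation, CRL and the
# MongoDB private-key storage check.
#
# Every step is verified. The script stops with a non-zero status on the
# first failure instead of printing a check mark unconditionally.
#
# Environment (all optional; defaults match the local test stack):
#   API_URL         base URL of the API
#   EXPORT_DIR      directory receiving the exported files
#   PKI_USERNAME    API login            PKI_PASSWORD    API password
#   MONGO_USERNAME  MongoDB login        MONGO_PASSWORD  MongoDB password
#
# Requires: curl, jq, GNU stat; docker is needed for step 11 only.

set -euo pipefail

API_URL="${API_URL:-http://localhost:8080/api/v1}"
EXPORT_DIR="${EXPORT_DIR:-/tmp/pki_complete_test}"

# Test-stack defaults only. Override through the environment when the
# target is anything other than a throwaway local instance.
PKI_USERNAME="${PKI_USERNAME:-admin}"
PKI_PASSWORD="${PKI_PASSWORD:-admin}"
MONGO_USERNAME="${MONGO_USERNAME:-admin}"
MONGO_PASSWORD="${MONGO_PASSWORD:-password}"

TOKEN=""
CERT_ID=""

# Print a failure line on stderr and abort the run.
die() {
  printf '[✗] %s\n' "$*" >&2
  exit 1
}

# POST a JSON payload to an authenticated endpoint; response body on stdout.
# -f turns HTTP error statuses into a non-zero exit so callers can detect them.
api_post() {
  local path=$1 payload=$2
  curl -fsS -X POST "${API_URL}${path}" \
    -H "Authorization: Bearer ${TOKEN}" \
    -H "Content-Type: application/json" \
    -d "$payload"
}

# Extract one field from a JSON document; fails when it is missing or null
# (jq -e), so a literal "null" is never used as an id or a token.
json_field() {
  local filter=$1 json=$2
  jq -er "$filter" <<<"$json"
}

# Download one export format of $CERT_ID and require a non-empty file.
export_cert() {
  local format=$1 dest=$2
  curl -fsS -H "Authorization: Bearer ${TOKEN}" \
    "${API_URL}/certificates/${CERT_ID}/export/${format}" \
    -o "$dest" || die "${format} export request failed"
  [[ -s "$dest" ]] || die "${format} export is empty"
}

# Size of a file in bytes (GNU stat, as in the original script).
file_size() {
  stat -c%s "$1"
}

# Count the lines of a file that contain a fixed string.
# grep -c prints "0" AND exits 1 when nothing matches, so the former
# `grep -c ... || echo "0"` yielded the two-line value "0\n0".
count_matches() {
  local pattern=$1 file=$2 count
  count=$(grep -cF -- "$pattern" "$file" 2>/dev/null) || true
  printf '%s\n' "${count:-0}"
}

# The export directory receives private-key material (step 7) under a fixed,
# predictable path in /tmp: create files owner-only and refuse a directory
# that is a symlink or that another user created first.
umask 077
mkdir -p -- "$EXPORT_DIR"
[[ -d "$EXPORT_DIR" && ! -L "$EXPORT_DIR" && -O "$EXPORT_DIR" ]] \
  || die "export directory $EXPORT_DIR is a symlink or not owned by the current user"
chmod 700 -- "$EXPORT_DIR"

echo "=== PKI Complete Feature Test ==="
printf 'Date: %s\n' "$(date)"
echo ""

# 1. Login
# The payload is fed through stdin (-d @-) so the password does not appear
# in the curl argument list.
LOGIN=$(jq -cn --arg u "$PKI_USERNAME" --arg p "$PKI_PASSWORD" \
  '{username: $u, password: $p}' \
  | curl -fsS -X POST "$API_URL/login" \
    -H "Content-Type: application/json" \
    -d @-) || die "login request failed"
TOKEN=$(json_field '.token' "$LOGIN") || die "login response contains no token"
echo "[✓] Login successful"

# 2. Create Root CA
ROOT_CA=$(api_post "/ca" \
  '{"subject":"CN=Root CA,O=Example,C=FR","validity_days":3650}') \
  || die "root CA creation request failed"
ROOT_CA_ID=$(json_field '.ca.id' "$ROOT_CA") || die "root CA response contains no id"
echo "[✓] Root CA created: $ROOT_CA_ID"

# 3. Create Sub-CA
# Payloads carrying server-returned values are built with jq so the values
# are JSON-escaped rather than spliced into a string.
SUB_CA_PAYLOAD=$(jq -cn --arg parent "$ROOT_CA_ID" \
  '{parent_ca_id: $parent, subject: "CN=Intermediate CA,O=Example,C=FR", validity_days: 1825}')
SUB_CA=$(api_post "/ca/sign" "$SUB_CA_PAYLOAD") || die "sub-CA creation request failed"
SUB_CA_ID=$(json_field '.ca.id' "$SUB_CA") || die "sub-CA response contains no id"
echo "[✓] Sub-CA created: $SUB_CA_ID"

# 4. Create standard certificate (non-CA)
CERT_PAYLOAD=$(jq -cn --arg ca "$SUB_CA_ID" \
  '{ca_id: $ca, subject: "CN=app.example.com,O=Example,C=FR", validity_days: 365}')
CERT=$(api_post "/certificates/sign" "$CERT_PAYLOAD") || die "certificate signing request failed"
CERT_ID=$(json_field '.certificate.id' "$CERT") || die "certificate response contains no id"
echo "[✓] Standard certificate created: $CERT_ID"

# 5. Test PEM export
export_cert "pem" "$EXPORT_DIR/cert.pem"
echo "[✓] PEM export: $(file_size "$EXPORT_DIR/cert.pem") bytes"

# 6. Test DER export
export_cert "der" "$EXPORT_DIR/cert.der"
echo "[✓] DER export: $(file_size "$EXPORT_DIR/cert.der") bytes"

# 7. Test PEM with private key (for standard cert)
# NOTE(review): the pattern is the one the original script used (PKCS#8
# label); adjust it if the API emits a different key label.
export_cert "pem-with-key" "$EXPORT_DIR/cert_with_key.pem"
KEY_COUNT=$(count_matches "BEGIN PRIVATE KEY" "$EXPORT_DIR/cert_with_key.pem")
[[ "$KEY_COUNT" -ge 1 ]] || die "PEM with key export contains no private key"
echo "[✓] PEM with key export: $(file_size "$EXPORT_DIR/cert_with_key.pem") bytes ($KEY_COUNT private keys)"

# 8. Test chain export
export_cert "chain" "$EXPORT_DIR/cert_chain.pem"
CHAIN_COUNT=$(count_matches "BEGIN CERTIFICATE" "$EXPORT_DIR/cert_chain.pem")
[[ "$CHAIN_COUNT" -ge 1 ]] || die "chain export contains no certificate"
echo "[✓] Chain export: $(file_size "$EXPORT_DIR/cert_chain.pem") bytes ($CHAIN_COUNT certificates)"

# 9. Test revocation
REVOKE_PAYLOAD=$(jq -cn --arg id "$CERT_ID" '{certificate_id: $id, reason: "Test"}')
api_post "/revoke" "$REVOKE_PAYLOAD" >/dev/null || die "revocation request failed"
echo "[✓] Certificate revoked"

# 10. Test CRL
# A certificate was revoked in step 9, so an empty CRL is a failure, not a pass.
CRL_JSON=$(curl -fsS -H "Authorization: Bearer $TOKEN" "$API_URL/crl") \
  || die "CRL request failed"
CRL=$(jq '.crl | length' <<<"$CRL_JSON") || die "CRL response is not valid JSON"
[[ "$CRL" =~ ^[0-9]+$ && "$CRL" -ge 1 ]] \
  || die "CRL does not list the revoked certificate (entries: $CRL)"
echo "[✓] CRL contains $CRL revoked certificates"

# 11. Test MongoDB private key storage
# Best-effort, as in the original (stderr discarded): it needs the
# pkiapi-mongo container, so a failure here is reported but does not abort.
# The database password is passed on the mongosh command line and is
# therefore visible in the process list while the command runs.
# NOTE(review): this only counts documents with a non-empty private_key
# field; it does not show whether the keys are encrypted at rest.
if MONGO_CHECK=$(docker exec pkiapi-mongo mongosh \
  -u "$MONGO_USERNAME" -p "$MONGO_PASSWORD" \
  --authenticationDatabase admin pkiapi \
  --eval "db.certificates.count({private_key: {\$exists: true, \$ne: ''}})" \
  2>/dev/null | tail -1); then
  echo "[✓] MongoDB: $MONGO_CHECK certificates with stored private keys"
else
  echo "[!] MongoDB: storage check could not be run" >&2
fi

echo ""
echo "=== All tests passed! ==="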