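#!/bin/bash
# End-to-end smoke test of the PKI API.
# Exercises: root CA creation, sub-CA creation, certificate issuance, exports
# (PEM, DER, PEM with private key, chain), revocation, the CRL, and a count of
# certificates stored with a private key in MongoDB.
#
# Requires: curl, jq; docker is needed only for the MongoDB check.
#
# Optional environment overrides (defaults match the original hard-coded
# local development values):
#   PKI_API_URL, PKI_EXPORT_DIR, PKI_USERNAME, PKI_PASSWORD,
#   PKI_MONGO_CONTAINER, PKI_MONGO_USER, PKI_MONGO_PASSWORD
#
# Security notes:
#   - admin/admin and admin/password are development defaults; an instance
#     reachable by anyone else should not accept them.
#   - The default API URL is plain HTTP on loopback. The bearer token and the
#     exported private key cross that connection, so use https:// when
#     PKI_API_URL points anywhere other than localhost.
#   - The bearer token (curl) and the MongoDB password (docker exec/mongosh)
#     are passed on the command line and are visible in the local process
#     list while those commands run.

set -euo pipefail

# Exports include a private key: create every file owner-only.
umask 077

readonly API_URL="${PKI_API_URL:-http://localhost:8080/api/v1}"
readonly EXPORT_DIR="${PKI_EXPORT_DIR:-/tmp/pki_exports_test}"
readonly API_USERNAME="${PKI_USERNAME:-admin}"
readonly API_PASSWORD="${PKI_PASSWORD:-admin}"
readonly MONGO_CONTAINER="${PKI_MONGO_CONTAINER:-pkiapi-mongo}"
readonly MONGO_USER="${PKI_MONGO_USER:-admin}"
readonly MONGO_PASSWORD="${PKI_MONGO_PASSWORD:-password}"

TOKEN=""

# Print a failure message on stderr and abort the run.
die() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

# POST a JSON body ($2) to API path ($1) with the bearer token.
# The body is fed on stdin so it never appears in curl's argument list.
api_post() {
  curl -sS --fail -X POST "${API_URL}$1" \
    -H "Authorization: Bearer ${TOKEN}" \
    -H "Content-Type: application/json" \
    --data @- <<<"$2"
}

# GET API path ($1) with the bearer token; response goes to stdout.
api_get() {
  curl -sS --fail -H "Authorization: Bearer ${TOKEN}" "${API_URL}$1"
}

# Download API path ($1) to file ($2); fails on HTTP error or an empty file.
api_download() {
  curl -sS --fail -H "Authorization: Bearer ${TOKEN}" -o "$2" "${API_URL}$1" \
    && [[ -s "$2" ]]
}

# Print the size in bytes of file ($1) (portable replacement for stat -c%s).
file_size() {
  printf '%s\n' "$(($(wc -c <"$1")))"
}

# Print how many lines of file ($2) contain the fixed string ($1).
# grep -c already prints 0 (with exit status 1) when nothing matches, so the
# fallback must not print a second "0".
count_matches() {
  local n
  n=$(grep -c -F -- "$1" "$2" 2>/dev/null || true)
  printf '%s\n' "${n:-0}"
}

# Extract a field with jq filter ($2) from JSON text ($1); empty when absent.
json_field() {
  jq -r "$2 // empty" <<<"$1"
}

for tool in curl jq; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

# The export directory lives under a shared, predictable /tmp path by default:
# refuse a symlink or a directory owned by another user before writing key
# material into it.
mkdir -p -- "$EXPORT_DIR"
if [[ -L "$EXPORT_DIR" || ! -O "$EXPORT_DIR" ]]; then
  die "export directory $EXPORT_DIR is a symlink or not owned by the current user"
fi
chmod 700 -- "$EXPORT_DIR"

echo "=== PKI Complete Feature Test ==="
echo "Date: $(date)"
echo ""

# 1. Login
echo "[1] Login..."
# The credentials reach jq through its environment and curl through stdin,
# which keeps the password out of both argument lists.
TOKEN=$(
  JQ_USER="$API_USERNAME" JQ_PASS="$API_PASSWORD" \
    jq -nc '{username: env.JQ_USER, password: env.JQ_PASS}' \
    | curl -sS --fail -X POST "$API_URL/login" \
      -H "Content-Type: application/json" \
      --data @- \
    | jq -r '.token // empty'
) || die "Login failed"
[[ -n "$TOKEN" ]] || die "Login failed"
echo "✓ Login successful"
echo ""

# 2. Create Root CA
echo "[2] Creating Root CA..."
ROOT_CA=$(api_post /ca \
  '{"subject":"CN=Root CA,O=Example,C=FR","validity_days":3650}') \
  || die "Root CA creation request failed"
ROOT_CA_ID=$(json_field "$ROOT_CA" '.ca.id') || die "Root CA response is not valid JSON"
[[ -n "$ROOT_CA_ID" ]] || die "Root CA response carries no .ca.id"
echo "✓ Root CA created: $ROOT_CA_ID"
echo ""

# 3. Create Sub-CA
echo "[3] Creating Sub-CA..."
# jq builds the body so the server-supplied id is JSON-escaped rather than
# spliced into a string.
sub_ca_body=$(jq -nc --arg id "$ROOT_CA_ID" \
  '{parent_ca_id: $id, subject: "CN=Intermediate CA,O=Example,C=FR", validity_days: 1825}')
SUB_CA=$(api_post /ca/sign "$sub_ca_body") || die "Sub-CA creation request failed"
SUB_CA_ID=$(json_field "$SUB_CA" '.ca.id') || die "Sub-CA response is not valid JSON"
[[ -n "$SUB_CA_ID" ]] || die "Sub-CA response carries no .ca.id"
echo "✓ Sub-CA created: $SUB_CA_ID"
echo ""

# 4. Create standard certificate
echo "[4] Creating standard certificate..."
cert_body=$(jq -nc --arg id "$SUB_CA_ID" \
  '{ca_id: $id, subject: "CN=app.example.com,O=Example,C=FR", validity_days: 365}')
CERT=$(api_post /certificates/sign "$cert_body") || die "Certificate signing request failed"
CERT_ID=$(json_field "$CERT" '.certificate.id') || die "Certificate response is not valid JSON"
[[ -n "$CERT_ID" ]] || die "Certificate response carries no .certificate.id"
echo "✓ Standard certificate created: $CERT_ID"
echo ""

# 5. Test PEM export
echo "[5] Testing exports..."
api_download "/certificates/$CERT_ID/export/pem" "$EXPORT_DIR/cert.pem" \
  || die "PEM export failed or returned an empty file"
# The plain PEM export must not leak key material.
if grep -q -F -- "PRIVATE KEY" "$EXPORT_DIR/cert.pem"; then
  die "PEM export unexpectedly contains a private key"
fi
PEM_SIZE=$(file_size "$EXPORT_DIR/cert.pem")
echo "✓ PEM export: $PEM_SIZE bytes"

# 6. Test DER export
api_download "/certificates/$CERT_ID/export/der" "$EXPORT_DIR/cert.der" \
  || die "DER export failed or returned an empty file"
DER_SIZE=$(file_size "$EXPORT_DIR/cert.der")
echo "✓ DER export: $DER_SIZE bytes"

# 7. Test PEM with private key
# This file holds the certificate's private key and stays in EXPORT_DIR
# (mode 0700) after the run; the certificate itself is revoked in step 9.
api_download "/certificates/$CERT_ID/export/pem-with-key" "$EXPORT_DIR/cert_with_key.pem" \
  || die "PEM-with-key export failed or returned an empty file"
KEY_SIZE=$(file_size "$EXPORT_DIR/cert_with_key.pem")
# Counts PKCS#8 "BEGIN PRIVATE KEY" headers only, as the original did; other
# PEM key labels would be reported as 0 here.
KEY_COUNT=$(count_matches "BEGIN PRIVATE KEY" "$EXPORT_DIR/cert_with_key.pem")
echo "✓ PEM with private key export: $KEY_SIZE bytes ($KEY_COUNT private keys)"

# 8. Test chain export
api_download "/certificates/$CERT_ID/export/chain" "$EXPORT_DIR/cert_chain.pem" \
  || die "Chain export failed or returned an empty file"
if grep -q -F -- "PRIVATE KEY" "$EXPORT_DIR/cert_chain.pem"; then
  die "Chain export unexpectedly contains a private key"
fi
CHAIN_SIZE=$(file_size "$EXPORT_DIR/cert_chain.pem")
CHAIN_COUNT=$(count_matches "BEGIN CERTIFICATE" "$EXPORT_DIR/cert_chain.pem")
echo "✓ Chain export: $CHAIN_SIZE bytes ($CHAIN_COUNT certificates)"
echo ""

# 9. Test revocation
echo "[6] Revoking certificate..."
revoke_body=$(jq -nc --arg id "$CERT_ID" '{certificate_id: $id, reason: "Test"}')
api_post /revoke "$revoke_body" >/dev/null || die "Revocation request failed"
echo "✓ Certificate revoked"
echo ""

# 10. Test CRL
echo "[7] Checking CRL..."
CRL=$(api_get /crl | jq '.crl | length') || die "CRL request failed"
# A certificate was revoked just above, so an empty CRL means the revocation
# is not being published.
if ! [[ "$CRL" =~ ^[0-9]+$ ]] || ((CRL < 1)); then
  die "CRL does not list the revoked certificate (length: ${CRL:-unknown})"
fi
echo "✓ CRL contains $CRL revoked certificates"
echo ""

# 11. Test MongoDB private key storage
echo "[8] Verifying MongoDB storage..."
# Best effort, as in the original (stderr is discarded): a missing docker or
# container produces a warning instead of a green tick.
# NOTE(review): this only counts documents with a non-empty private_key field;
# it says nothing about whether those keys are encrypted at rest — confirm.
mongo_verified=0
MONGO_CERT_COUNT=$(docker exec "$MONGO_CONTAINER" mongosh \
  -u "$MONGO_USER" -p "$MONGO_PASSWORD" --authenticationDatabase admin pkiapi \
  --eval "db.certificates.count({private_key: {\$exists: true, \$ne: ''}})" \
  2>/dev/null | tail -1) || MONGO_CERT_COUNT=""
MONGO_CERT_COUNT=${MONGO_CERT_COUNT//[[:space:]]/}
if [[ "$MONGO_CERT_COUNT" =~ ^[0-9]+$ ]]; then
  mongo_verified=1
  echo "✓ MongoDB: $MONGO_CERT_COUNT certificates with stored private keys"
else
  echo "⚠ MongoDB: storage could not be verified (docker/mongosh unavailable or unexpected output)" >&2
fi
echo ""

if ((mongo_verified)); then
  echo "=== All tests passed! ==="
else
  echo "=== API tests passed; MongoDB storage check was not verified ==="
fi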