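#!/bin/bash
#
# Integration test: checks that the PKI API keeps a private key for every
# certificate it issues (a standard certificate and a CA).
#
# Flow: log in, create a standard certificate, export it as PEM with its key,
# look the key up directly in MongoDB, then create a CA and repeat the
# MongoDB lookup.
#
# Requires: curl, jq, docker (container "pkiapi-mongo" providing mongosh).
#
# Optional environment overrides (defaults are the values this script has
# always used): API_URL, PKI_USER, PKI_PASSWORD, MONGO_USER, MONGO_PASSWORD.
#
# Exit status: 0 when every check passed, 1 otherwise.
#
# NOTE(review): the defaults are development credentials and a plain-HTTP
# loopback URL. The bearer token and the exported private key travel over
# API_URL, so use https when pointing this at anything other than localhost.

# No "set -e": a failed check must be reported and counted, not abort the run.
set -uo pipefail

API_URL="${API_URL:-http://localhost:8080/api/v1}"
PKI_USER="${PKI_USER:-admin}"
PKI_PASSWORD="${PKI_PASSWORD:-admin}"
MONGO_USER="${MONGO_USER:-admin}"
MONGO_PASSWORD="${MONGO_PASSWORD:-password}"

# The export holds private key material. A fixed directory under /tmp is
# predictable, readable by other local users under a default umask, and can
# contain a stale file from an earlier run that would make step 3 pass
# wrongly. Use a fresh private directory and remove it on every exit path.
umask 077
EXPORT_DIR=$(mktemp -d "${TMPDIR:-/tmp}/pki_privkey_test.XXXXXX") || {
  echo "❌ FAILED: mktemp" >&2
  exit 1
}
cleanup() { rm -rf -- "${EXPORT_DIR:?}"; }
trap cleanup EXIT

failures=0

# fail MESSAGE: print MESSAGE unchanged and count one failed check.
fail() {
  printf '%s\n' "$1"
  failures=$((failures + 1))
}

# is_safe_id ID: succeeds when ID is usable as a URL path segment and inside
# the single-quoted JavaScript string passed to mongosh. The ID comes from an
# API response, so it is validated before being interpolated anywhere.
# NOTE(review): assumes IDs are UUID/ObjectId-like; widen the class if the
# API legitimately uses other characters.
is_safe_id() {
  [[ "$1" != "null" && "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}

# mongo_has_key ID: print the last line of mongosh output for the lookup,
# HAS_KEY or NO_KEY when the query ran. Callers must validate ID first.
# NOTE(review): "-p" puts the MongoDB password on the process command line;
# acceptable for the development default only.
mongo_has_key() {
  local id=$1
  docker exec pkiapi-mongo mongosh -u "$MONGO_USER" -p "$MONGO_PASSWORD" \
    --authenticationDatabase admin pkiapi \
    --eval "db.certificates.findOne({_id: '$id'}).private_key ? 'HAS_KEY' : 'NO_KEY'" \
    2>/dev/null | tail -1
}

echo "=== Test: Private Key Storage for All Certificates ==="
echo ""

# 1. Log in. The JSON body is built by jq from the environment and sent on
# curl's stdin, so the password appears on neither command line.
TOKEN=$(PKI_USER="$PKI_USER" PKI_PASSWORD="$PKI_PASSWORD" \
  jq -n '{username: env.PKI_USER, password: env.PKI_PASSWORD}' \
  | curl -sS -X POST "$API_URL/login" \
    -H "Content-Type: application/json" \
    --data @- \
  | jq -r '.token')
# jq prints the string "null" when the field is missing; without this check
# the script announced a token it never received.
if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
  echo "❌ FAILED: Token non obtenu" >&2
  exit 1
fi
echo "[1] Token obtenu"
echo ""

# 2. Create a standard (non-CA) certificate.
CERT_RESP=$(curl -sS -X POST "$API_URL/certificates" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "subject":"CN=test-standard.example.com,O=Test,C=FR",
    "validity_days":365
  }')
CERT_ID=$(printf '%s' "$CERT_RESP" | jq -r '.certificate.id')

if ! is_safe_id "$CERT_ID"; then
  # Steps 3 and 4 need a usable ID; the CA check below is independent.
  fail "❌ FAILED: Identifiant de certificat invalide"
  echo ""
else
  echo "[2] Certificat standard créé: $CERT_ID"
  echo ""

  # 3. Export the certificate together with its private key.
  echo "[3] Test export PEM+clé pour certificat standard..."
  PEM_FILE="$EXPORT_DIR/standard_cert_with_key.pem"
  curl -sS -H "Authorization: Bearer $TOKEN" \
    "$API_URL/certificates/$CERT_ID/export/pem-with-key" \
    -o "$PEM_FILE"

  if [ -f "$PEM_FILE" ]; then
    FILE_SIZE=$(stat -c%s "$PEM_FILE")
    # grep -c already prints 0 when nothing matches (and exits 1); the former
    # '|| echo "0"' appended a second "0" and broke the numeric test below.
    CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$PEM_FILE" 2>/dev/null)
    CERT_COUNT=${CERT_COUNT:-0}
    # Matches the PKCS#8 header only ("BEGIN PRIVATE KEY").
    KEY_COUNT=$(grep -c "BEGIN PRIVATE KEY" "$PEM_FILE" 2>/dev/null)
    KEY_COUNT=${KEY_COUNT:-0}

    if [ "$FILE_SIZE" -gt 100 ] && [ "$KEY_COUNT" -gt 0 ]; then
      echo "✓ SUCCESS: Clé privée présente dans l'export!"
      echo " - Taille du fichier: $FILE_SIZE bytes"
      echo " - Certificats trouvés: $CERT_COUNT"
      echo " - Clés privées trouvées: $KEY_COUNT"
      echo ""
      echo " Aperçu:"
      # NOTE(review): if the key block comes first in the export, this prints
      # key material to stdout (and to any CI log). Throwaway test keys only.
      head -3 "$PEM_FILE"
      echo " ..."
    else
      fail "❌ FAILED: Pas de clé privée trouvée"
      cat "$PEM_FILE"
    fi
  else
    fail "❌ FAILED: Fichier non créé"
  fi
  echo ""

  # 4. Check directly in MongoDB.
  echo "[4] Vérification directe dans MongoDB..."
  MONGO_COUNT=$(mongo_has_key "$CERT_ID")
  if [ "$MONGO_COUNT" = "HAS_KEY" ]; then
    echo "✓ Clé privée présente dans MongoDB pour le certificat standard"
  else
    fail "❌ Clé privée absente dans MongoDB"
  fi
  echo ""
fi

# 5. Create a CA and run the same MongoDB check.
CA_RESP=$(curl -sS -X POST "$API_URL/ca" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"subject":"CN=Test Root CA,O=Test,C=FR","validity_days":3650}')
CA_ID=$(printf '%s' "$CA_RESP" | jq -r '.ca.id')

if ! is_safe_id "$CA_ID"; then
  fail "❌ FAILED: Identifiant de CA invalide"
else
  echo "[5] CA créée: $CA_ID"
  MONGO_CA_COUNT=$(mongo_has_key "$CA_ID")
  if [ "$MONGO_CA_COUNT" = "HAS_KEY" ]; then
    echo "✓ Clé privée présente dans MongoDB pour la CA"
  else
    fail "❌ Clé privée absente pour la CA"
  fi
fi

echo ""
echo "=== Test complété ==="

# Report failure to the caller (CI) instead of always exiting 0.
if [ "$failures" -gt 0 ]; then
  exit 1
fi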