#! /bin/sh

set -e

# Fresh key pairs for the log, the submitter and an unrelated extra key.
# The matching test.*.key.pub files are used further down in this script.
for role in log submit other ; do
    ./bin/sigsum-key generate -o "test.${role}.key"
done

# Reading private key files still supports raw hex.
# The token key is the fixed value 1 written as 64 hex digits, i.e. a
# publicly known key that is only suitable for this test.
printf '%064x' 1 >test.token.key

# Start sigsum log server in the background.
# NOTE(review): the .startup file presumably lets the server begin with an
# empty tree when no signed tree head file exists -- confirm.
rm -f test.log.sth
printf '%s\n' 'startup=empty' >test.log.sth.startup
./bin/sigsum-log-primary \
    --key-file test.log.key \
    --interval=1s \
    --log-level=error \
    --backend=ephemeral \
    --sth-file test.log.sth &

# PID of the log server, and of the monitor once one has been started
# (empty until then); both are read by the cleanup handler.
SIGSUM_PID=$!
MONITOR_PID=

# Private, unpredictably named directory holding the named policy file.
TMP_POLICY_DIR=$(mktemp -d)

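# EXIT-trap handler: stop the background log server and monitor, then remove
# the temporary policy directory.
# Globals: SIGSUM_PID, MONITOR_PID (may be empty), TMP_POLICY_DIR (all read)
cleanup () {
    # The script runs under `set -e`, and either process may already be gone
    # (the monitor is killed and restarted between test phases). A failing
    # kill must not abort the handler before the temp directory is removed,
    # nor turn an otherwise successful run into a failure.
    kill "${SIGSUM_PID}" || true
    # Quoted so that an empty MONITOR_PID is tested as an empty string rather
    # than vanishing from the test expression.
    [ -z "${MONITOR_PID}" ] || kill "${MONITOR_PID}" || true
    rm -f "${TMP_POLICY_DIR}"/testpolicy123.sigsum-policy
    rmdir "${TMP_POLICY_DIR}"
}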

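trap cleanup EXIT

# Give log server some time to get ready.
sleep 2

# Resolve the log's public key before writing the policy. A command
# substitution placed inside echo's arguments would hide a failing
# sigsum-key from `set -e` and silently produce a policy with no log key.
LOG_KEY_HEX=$(./bin/sigsum-key to-hex -k test.log.key.pub)
if [ -z "${LOG_KEY_HEX}" ] ; then
    echo >&2 "sigsum-key to-hex produced no output for test.log.key.pub"
    exit 1
fi

# Test-only trust policy: the single local log, reached over plain http on
# localhost, and "quorum none", i.e. no witness cosignatures are required.
{
    echo "log ${LOG_KEY_HEX} http://localhost:6965"
    echo "quorum none"
} > test.policy

# Install the same policy under the name "testpolicy123" in the private
# policy directory, so that it can be selected by name.
cp test.policy "${TMP_POLICY_DIR}"/testpolicy123.sigsum-policy

# First monitor run: policy selected by name with -P, looked up through
# SIGSUM_POLICY_DIR. Output is collected in test.monitor.out.
SIGSUM_POLICY_DIR=${TMP_POLICY_DIR} ./bin/sigsum-monitor -P testpolicy123 --interval=2s test.submit.key.pub > test.monitor.out &

MONITOR_PID=$!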

# Report a fatal test failure.
# Arguments: the message words, echoed to stderr as a single line
# Returns:   never; terminates the script with exit status 1
die() {
    >&2 echo "$@"
    exit 1
}

# Poll test.monitor.out until a line matching the given pattern shows up.
# Arguments: $1 - grep pattern (basic regular expression) to look for
# Returns:   0 as soon as a match is seen,
#            1 after 10 polls, each followed by a 2 second pause, found nothing
search_output() {
    attempts_left=10
    while [ "${attempts_left}" -gt 0 ] ; do
        # `--` keeps a pattern that starts with a dash from being parsed as
        # an option.
        grep -- "$1" test.monitor.out >/dev/null && return 0
        sleep 2
        attempts_left=$((attempts_left - 1))
    done
    return 1
}
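# Submit the messages "msg FIRST" .. "msg LAST" to the log and require that
# the running monitor reports each resulting leaf in test.monitor.out.
# Arguments: $1 - first message number, $2 - last message number
# Globals:   x, leaf_checksum (written)
# Call it as a plain statement, not as `submit_and_check ... || die`: the
# latter would switch off `set -e` for the commands inside the function.
submit_and_check() {
    for x in $(seq "$1" "$2"); do
        echo >&2 "submit $x"
        echo "msg $x" | ./bin/sigsum-submit --diagnostics=warning \
            --token-domain test.sigsum.org --token-signing-key test.token.key \
            -o tmp-proof -k test.submit.key --policy test.policy
        rm tmp-proof
        echo >&2 "waiting on monitor $x"
        # Compute the expected checksum first and insist that it is non-empty.
        # An empty grep pattern matches every line, so a failing sha256-n run
        # would otherwise let the check pass without any leaf being found.
        # NOTE(review): sha256-n with argument 2 presumably hashes the message
        # twice -- confirm against sha256-n.go.
        leaf_checksum=$(echo "msg $x" | go run ./sha256-n/sha256-n.go 2) \
            || die "Failed to compute checksum for leaf $x"
        [ -n "${leaf_checksum}" ] || die "Empty checksum for leaf $x"
        search_output "${leaf_checksum}" || die "Monitor not finding leaf $x"
    done
}

# Public keys are read up front so that a missing file stops the script
# under `set -e` instead of yielding a key file with only the policy prefix.
SUBMIT_PUB=$(cat test.submit.key.pub)
OTHER_PUB=$(cat test.other.key.pub)

# Monitor already running with the policy given by -P.
submit_and_check 1 3

# Do the same test again, but this time specifying policy inside the pubkey file

kill "${MONITOR_PID}"

# Create pubkey with policy
echo "sigsum-policy=\"testpolicy123\" ${SUBMIT_PUB}" > test.submit.key.withpolicy.pub

SIGSUM_POLICY_DIR=${TMP_POLICY_DIR} ./bin/sigsum-monitor --interval=2s test.submit.key.withpolicy.pub > test.monitor.out &
MONITOR_PID=$!

submit_and_check 4 6

# Do the same test again, but this time specifying policy both using -P and
# inside the pubkey file -- then -P should be used

kill "${MONITOR_PID}"

# Create pubkey with nonexistent dummy policy
echo "sigsum-policy=\"dummypolicy\" ${SUBMIT_PUB}" > test.submit.key.withdummypolicy.pub

SIGSUM_POLICY_DIR=${TMP_POLICY_DIR} ./bin/sigsum-monitor -P testpolicy123 --interval=2s test.submit.key.withdummypolicy.pub > test.monitor.out &
MONITOR_PID=$!

submit_and_check 7 9

# Do the same test again, this time specifying policy both using
# --named-policy and inside the pubkey file -- then --named-policy should be
# used

kill "${MONITOR_PID}"

SIGSUM_POLICY_DIR=${TMP_POLICY_DIR} ./bin/sigsum-monitor --named-policy testpolicy123 --interval=2s test.submit.key.withdummypolicy.pub > test.monitor.out &
MONITOR_PID=$!

submit_and_check 10 12

# Do the same test again, this time specifying policy using --named-policy
# and having two different policy names in pubkey files -- then
# --named-policy should be used and the inconsistency should be ignored

kill "${MONITOR_PID}"

# Create another pubkey with a different nonexistent dummy policy
echo "sigsum-policy=\"dummypolicy-2\" ${OTHER_PUB}" > test.other.key.withdummypolicy2.pub

SIGSUM_POLICY_DIR=${TMP_POLICY_DIR} ./bin/sigsum-monitor --named-policy testpolicy123 --interval=2s test.submit.key.withdummypolicy.pub test.other.key.withdummypolicy2.pub > test.monitor.out &
MONITOR_PID=$!

submit_and_check 13 15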
