#!/usr/bin/env bash
#
# End-to-end OAuth2 flow against tests/mock_oidc_server.py. Exercises
# forge_login.sh, forge_auth.py, the credential helper, and the
# username-mismatch guard in a sandboxed $HOME. Never touches a real
# Gitea.

set -euo pipefail

here="$(cd "$(dirname "$0")" && pwd -P)"
root="$here/.."

# Disable every interactive credential fallback so git fails loudly
# rather than prompting (VSCode, X11/Wayland askpass, terminal).
export GIT_TERMINAL_PROMPT=0
export GCM_INTERACTIVE=Never
unset GIT_ASKPASS SSH_ASKPASS \
      VSCODE_GIT_ASKPASS_MAIN VSCODE_GIT_ASKPASS_NODE \
      VSCODE_GIT_ASKPASS_EXTRA_ARGS VSCODE_GIT_IPC_HANDLE \
      DISPLAY WAYLAND_DISPLAY

tmp="$(mktemp -d)"
cleanup() {
    [ -n "${mock_pid:-}" ]    && kill "$mock_pid"    2>/dev/null || true
    [ -n "${browser_pid:-}" ] && kill "$browser_pid" 2>/dev/null || true
    [ -n "${login_pid:-}" ]   && kill "$login_pid"   2>/dev/null || true
    rm -rf "$tmp"
}
trap cleanup EXIT INT TERM

export HOME="$tmp/home"
mkdir -p "$HOME/.local/bin" "$HOME/.config"
export GIT_CONFIG_GLOBAL="$HOME/.gitconfig"
export GIT_CONFIG_SYSTEM=/dev/null
touch "$GIT_CONFIG_GLOBAL"
export FSDGG_AUTH_STORE_PATH="$HOME/.forge-stack-devpi-gateway-gitea/client-auth.json"

pass=0
fail=0
assert() {
    local msg="$1"; shift
    if "$@"; then
        printf '[ok]   %s\n' "$msg"
        pass=$((pass + 1))
    else
        printf '[FAIL] %s\n' "$msg"
        fail=$((fail + 1))
    fi
}

# --- Start the mock Gitea ------------------------------------------
MOCK_OIDC_USERNAME=integration-user \
    python3 -u "$here/mock_oidc_server.py" >"$tmp/mock.url" 2>"$tmp/mock.log" &
mock_pid=$!
# Wait for the server to announce its URL.
for _ in $(seq 1 40); do
    mock_url="$(head -1 "$tmp/mock.url" 2>/dev/null || true)"
    [ -n "$mock_url" ] && break
    sleep 0.1
done
[ -n "$mock_url" ] || { cat "$tmp/mock.log"; echo 'mock server never came up' >&2; exit 1; }
printf '[info] mock Gitea: %s\n' "$mock_url"

# --- Pick an unused loopback port for the callback -----------------
loopback_port="$(python3 -c '
import socket
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind(("127.0.0.1", 0))
    print(s.getsockname()[1])
')"
redirect_uri="http://127.0.0.1:${loopback_port}/callback"

# --- Synthesize .env inside the welcome repo root ------------------
env_file="$tmp/env"
cat >"$env_file" <<EOF
FORGE_GITEA_URL=$mock_url
FORGE_GITEA_USERNAME=integration-user
FSDGG_CLI_CLIENT_ID=integration-client
FSDGG_CLI_REDIRECT_URI=$redirect_uri
FORGE_INSECURE_TLS=0
EOF

# Export mock env; scripts pick these up via load_env.
set -a
# shellcheck disable=SC1090
. "$env_file"
set +a

# Fake browser: once the loopback listener is up, GET the authorise
# URL printed to the login log; the mock 302-redirects to the callback.
(
    # Wait for the loopback listener to come up, then drive it.
    for _ in $(seq 1 50); do
        if ss -tln 2>/dev/null | grep -q ":${loopback_port} " \
           || netstat -tln 2>/dev/null | grep -q ":${loopback_port} "; then
            break
        fi
        sleep 0.1
    done
    url="$(cat "$tmp/authorize.url" 2>/dev/null || true)"
    if [ -n "$url" ]; then
        curl -fsSL --max-time 10 "$url" >/dev/null 2>"$tmp/browser.log" || true
    fi
) &
browser_pid=$!

python3 "$root/scripts/forge_auth.py" login --no-browser 2> >(tee "$tmp/login.log" >&2) \
    < <(printf '') &
login_pid=$!

for _ in $(seq 1 80); do
    if grep -qE 'https?://.*authorize\?' "$tmp/login.log" 2>/dev/null; then
        grep -oE 'https?://[^ ]+authorize\?[^ ]+' "$tmp/login.log" | head -1 >"$tmp/authorize.url"
        break
    fi
    sleep 0.1
done

wait "$login_pid" || { echo 'forge_auth login failed'; cat "$tmp/login.log"; exit 1; }
wait "$browser_pid" 2>/dev/null || true

assert 'client-auth.json was written' test -f "$FSDGG_AUTH_STORE_PATH"
assert 'client-auth.json is mode 0600' \
    bash -c '[ "$(stat -c %a "$FSDGG_AUTH_STORE_PATH" 2>/dev/null || stat -f %A "$FSDGG_AUTH_STORE_PATH")" = "600" ]'

user="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["username"])' "$FSDGG_AUTH_STORE_PATH")"
assert 'username captured from userinfo' test "$user" = 'integration-user'

token="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["gitea_access_token"])' "$FSDGG_AUTH_STORE_PATH")"
assert 'gitea_access_token captured' bash -c "[ -n \"$token\" ] && [[ '$token' == access-* ]]"

refresh="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["_forge_refresh_token"])' "$FSDGG_AUTH_STORE_PATH")"
assert 'refresh token captured' bash -c "[ -n \"$refresh\" ] && [[ '$refresh' == refresh-* ]]"

# --- Install the git credential helper -----------------------------
bash "$root/scripts/install-git-credential-helper.sh" >"$tmp/inst.log" 2>&1 \
    || { cat "$tmp/inst.log"; echo 'helper install failed' >&2; exit 1; }

mock_host="$(python3 -c 'import sys,urllib.parse as u; p=u.urlsplit(sys.argv[1]); print(f"{p.hostname}:{p.port}")' "$mock_url")"

# --- Drive `git credential fill` -----------------------------------
credfill_out="$(
    printf 'protocol=http\nhost=%s\npath=someorg/somerepo.git\n\n' "$mock_host" \
    | PATH="$HOME/.local/bin:$PATH" git credential fill 2>"$tmp/credfill.err"
)" || { echo 'git credential fill failed'; cat "$tmp/credfill.err"; exit 1; }

got_pass="$(printf '%s\n' "$credfill_out" | awk -F= '/^password=/ {print $2}')"
got_user="$(printf '%s\n' "$credfill_out" | awk -F= '/^username=/ {print $2}')"
assert 'git credential fill returns username from OAuth' test "$got_user" = 'integration-user'
assert 'git credential fill returns the OAuth access token as password' test "$got_pass" = "$token"

# --- Unrelated-host probe: must NOT leak credentials ---------------
other_out="$(
    printf 'protocol=https\nhost=github.com\npath=x/y.git\n\n' \
    | "$HOME/.local/bin/git-credential-forge" get
)"
assert 'unrelated host gets no username' bash -c "! printf '%s\n' \"$other_out\" | grep -q '^username='"
assert 'unrelated host gets no password' bash -c "! printf '%s\n' \"$other_out\" | grep -q '^password='"

# --- Refresh path: force a refresh and re-run credential fill ------
python3 "$root/scripts/forge_auth.py" refresh --force >"$tmp/refresh.log" 2>&1 \
    || { cat "$tmp/refresh.log"; echo 'refresh failed' >&2; exit 1; }

new_token="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["gitea_access_token"])' "$FSDGG_AUTH_STORE_PATH")"
assert 'refresh rotates the access token' bash -c "[ \"$new_token\" != \"$token\" ]"

credfill_out2="$(
    printf 'protocol=http\nhost=%s\n\n' "$mock_host" \
    | PATH="$HOME/.local/bin:$PATH" git credential fill 2>>"$tmp/credfill.err"
)"
got_pass2="$(printf '%s\n' "$credfill_out2" | awk -F= '/^password=/ {print $2}')"
assert 'git credential fill picks up the rotated token' test "$got_pass2" = "$new_token"

# --- Logout removes the file ---------------------------------------
python3 "$root/scripts/forge_auth.py" logout >"$tmp/logout.log" 2>&1
assert 'logout removes client-auth.json' bash -c "[ ! -f \"$FSDGG_AUTH_STORE_PATH\" ]"

# --- Username-mismatch guard ---------------------------------------
loopback_port2="$(python3 -c '
import socket
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind(("127.0.0.1", 0))
    print(s.getsockname()[1])
')"
export FSDGG_CLI_REDIRECT_URI="http://127.0.0.1:${loopback_port2}/callback"
export FORGE_GITEA_USERNAME="not-the-right-user"

rm -f "$tmp/authorize.url"
(
    for _ in $(seq 1 50); do
        if ss -tln 2>/dev/null | grep -q ":${loopback_port2} " \
           || netstat -tln 2>/dev/null | grep -q ":${loopback_port2} "; then
            break
        fi
        sleep 0.1
    done
    url="$(cat "$tmp/authorize.url" 2>/dev/null || true)"
    if [ -n "$url" ]; then
        curl -fsSL --max-time 10 "$url" >/dev/null 2>"$tmp/browser2.log" || true
    fi
) &
browser_pid=$!

set +e
python3 "$root/scripts/forge_auth.py" login --no-browser \
    2> >(tee "$tmp/mismatch.log" >&2) &
mismatch_pid=$!
for _ in $(seq 1 80); do
    if grep -qE 'https?://.*authorize\?' "$tmp/mismatch.log" 2>/dev/null; then
        grep -oE 'https?://[^ ]+authorize\?[^ ]+' "$tmp/mismatch.log" | head -1 >"$tmp/authorize.url"
        break
    fi
    sleep 0.1
done
wait "$mismatch_pid"
mismatch_rc=$?
wait "$browser_pid" 2>/dev/null || true
set -e

assert 'login fails when username mismatches FORGE_GITEA_USERNAME' bash -c "[ $mismatch_rc -ne 0 ]"
assert 'mismatch error references the actual Gitea username' \
    grep -q 'integration-user' "$tmp/mismatch.log"
assert 'mismatch error references the expected username' \
    grep -q 'not-the-right-user' "$tmp/mismatch.log"
assert 'mismatch error points at Gitea logout URL' \
    grep -qE '/user/logout\?redirect_to=%2Fuser%2Flogin' "$tmp/mismatch.log"
assert 'mismatch does NOT create client-auth.json' \
    bash -c "[ ! -f \"$FSDGG_AUTH_STORE_PATH\" ]"

auth_url="$(cat "$tmp/authorize.url" 2>/dev/null || true)"
assert 'authorize URL includes prompt=login' \
    bash -c "printf '%s\n' \"$auth_url\" | grep -q 'prompt=login'"
assert 'authorize URL carries login_hint' \
    bash -c "printf '%s\n' \"$auth_url\" | grep -q 'login_hint=not-the-right-user'"

printf '\n%d pass / %d fail\n' "$pass" "$fail"
[ "$fail" -eq 0 ]