#!/usr/bin/env bash
# ---------------------------------------------------------------
# Integration test for the download-cert client operation.
#
# Starts a secure ServerLDS, downloads its certificate via the
# client's download-cert operation, and compares the downloaded
# file with the original certificate on disk.
#
# Usage:  tests/run_download_cert_test.sh <config_dir>
#
# Exit: 0 when all checks pass, 1 on any failure.
# ---------------------------------------------------------------
set -uo pipefail

CONFIG_DIR="${1:?Usage: $0 <config_dir>}"

LDS_PORT=14840
LDS_PID=""
TMPFILE=""
DOWNLOADED_CERT=""
FAILURES=0

# ── cleanup ────────────────────────────────────────────────────
cleanup() {
  [ -n "$LDS_PID" ] && kill "$LDS_PID" 2>/dev/null && wait "$LDS_PID" 2>/dev/null
  [ -n "$TMPFILE" ] && rm -f "$TMPFILE"
  [ -n "$DOWNLOADED_CERT" ] && rm -f "$DOWNLOADED_CERT"
}
trap cleanup EXIT

# ── helpers ────────────────────────────────────────────────────
wait_for_port() {
  local port="$1" pid="$2" label="$3" i=0
  while [ $i -lt 50 ]; do
    if ! kill -0 "$pid" 2>/dev/null; then
      echo "FAIL: $label exited prematurely"
      exit 1
    fi
    if ss -tlnp 2>/dev/null | grep -q ":${port} "; then
      return 0
    fi
    sleep 0.1
    i=$((i + 1))
  done
  echo "FAIL: $label did not listen on port $port within 5 s"
  exit 1
}

check() {
  local label="$1" result="$2"
  if [ "$result" -eq 0 ]; then
    echo "PASS: $label"
  else
    echo "FAIL: $label"
    FAILURES=$((FAILURES + 1))
  fi
}

# ── port check ─────────────────────────────────────────────────
if ss -tlnp 2>/dev/null | grep -q ":${LDS_PORT} "; then
  echo "FAIL: port $LDS_PORT is already in use"
  exit 1
fi

# ── start LDS ──────────────────────────────────────────────────
build/bobink_opcua_discovery_server "$CONFIG_DIR/server_lds.conf" >/dev/null 2>&1 &
LDS_PID=$!
wait_for_port "$LDS_PORT" "$LDS_PID" "bobink_opcua_discovery_server"

# ── download certificate ───────────────────────────────────────
TMPFILE=$(mktemp)
DOWNLOADED_CERT=$(mktemp --suffix=.der)

build/client "$CONFIG_DIR/client.conf" download-cert "opc.tcp://localhost:$LDS_PORT" "$DOWNLOADED_CERT" >"$TMPFILE" 2>&1
DC_RC=$?
DC_OUTPUT=$(<"$TMPFILE")

[ "$DC_RC" -eq 0 ]
check "download-cert exit code is 0 (got $DC_RC)" $?

echo "$DC_OUTPUT" | grep -q "Certificate saved to"
check "download-cert output contains 'Certificate saved to'" $?

# ── compare with original ─────────────────────────────────────
cmp -s "$DOWNLOADED_CERT" "$CONFIG_DIR/certs/ServerLDS/cert.der"
check "downloaded certificate matches $CONFIG_DIR/certs/ServerLDS/cert.der" $?

# ── result ─────────────────────────────────────────────────────
if [ "$FAILURES" -ne 0 ]; then
  echo ""
  echo "--- download-cert output ---"
  echo "$DC_OUTPUT"
  echo "--- end ---"
  exit 1
fi
exit 0