#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################

set -euo pipefail

#############################################################################
##### Tests for digital signature example.

SIGN_CLI="$1"
GEN_PUBLIC_JWK_SET_CLI="$2"
VERIFY_CLI="$3"
PRIVATE_KEYSET_PATH="$4"
PUBLIC_KEYSET_PATH="$5"

AUDIENCE="audience"
TOKEN_PATH="${TEST_TMPDIR}/token.txt"
PUBLIC_JWK_SET_PATH="${TEST_TMPDIR}/public_jwk_set.json"

#############################################################################

# A helper function for getting the return code of a command that may fail
# Temporarily disables error safety and stores return value in $TEST_STATUS
# Usage:
# % test_command somecommand some args
# % echo $TEST_STATUS
test_command() {
  set +e
  "$@"
  TEST_STATUS=$?
  set -e
}

print_test() {
  echo "+++ Starting test $1..."
}


#############################################################################

print_test "generate_token"

# Generate a signed token
test_command ${SIGN_CLI} \
  --private_keyset_path "${PRIVATE_KEYSET_PATH}" \
  --audience "${AUDIENCE}" \
  --token_path "${TOKEN_PATH}"

if (( TEST_STATUS == 0 )); then
  echo "+++ Success: Generating the token succeeded."
else
  echo "--- Failure: Generating the token failed."
  exit 1
fi

#############################################################################

print_test "generate_public_jwk_set"

# Generate the public keyset in JWK format
test_command ${GEN_PUBLIC_JWK_SET_CLI} \
  --public_keyset_path "${PUBLIC_KEYSET_PATH}" \
  --public_jwk_set_path "${PUBLIC_JWK_SET_PATH}"

if (( TEST_STATUS == 0 )); then
  echo "+++ Success: Generating the public JWK set succeeded."
else
  echo "--- Failure: Generating the public JWK set failed."
  exit 1
fi

#############################################################################

print_test "verification_with_public_jwt_set"

# Verify the token
test_command ${VERIFY_CLI} \
  --public_jwk_set_path "${PUBLIC_JWK_SET_PATH}" \
  --audience "${AUDIENCE}" \
  --token_path "${TOKEN_PATH}"

if (( TEST_STATUS == 0 )); then
  echo "+++ Success: Verification passed for a valid token."
else
  echo "--- Failure: Verification failed for a valid token."
  exit 1
fi


#############################################################################

print_test "verification_fails_with_invalid_token"

# Create an invalid token.
INVALID_TOKEN_PATH="${TEST_TMPDIR}/invalid_token.txt"
echo "ABCABCABCD" > $INVALID_TOKEN_PATH

# Verify the invalid token
test_command ${VERIFY_CLI} \
  --public_jwk_set_path "${PUBLIC_JWK_SET_PATH}" \
  --audience "${AUDIENCE}" \
  --token_path "${INVALID_TOKEN_PATH}"

if (( TEST_STATUS != 0 )); then
  echo "+++ Success: Verification failed for an invalid token."
else
  echo "--- Failure: Verification passed for an invalid token."
  exit 1
fi


#############################################################################

print_test "verification_fails_with_incorrect_audience"

# Verify the token with an invalid audience
test_command ${VERIFY_CLI} \
  --public_jwk_set_path "${PUBLIC_JWK_SET_PATH}" \
  --audience "invalid audience" \
  --token_path "${TOKEN_PATH}"

if (( TEST_STATUS != 0 )); then
  echo "+++ Success: Verification failed with an invalid audience."
else
  echo "--- Failure: Verification passed with an invalid audience."
  exit 1
fi


#############################################################################

print_test "generating_token_fails_with_invalid_keyset"

# Use a different token path
TOKEN2_PATH="${TEST_TMPDIR}/token2.txt"

# Try to generate a signed token using the public keyset
test_command ${SIGN_CLI} \
  --private_keyset_path "${PUBLIC_JWK_SET_PATH}" \
  --audience "${AUDIENCE}" \
  --token_path "${TOKEN2_PATH} "

if (( TEST_STATUS != 0 )); then
  echo "+++ Success: Generating a token failed with invalid keyset."
else
  echo "--- Failure: Generating a token did not fail with invalid keyset."
  exit 1
fi


#############################################################################

print_test "verify_fails_with_a_invalid_keyset"

# Try to verify the token using the private key
test_command ${VERIFY_CLI} \
  --public_jwk_set_path "${PRIVATE_KEYSET_PATH}" \
  --audience "${AUDIENCE}" \
  --token_path "${TOKEN_PATH}"

if (( TEST_STATUS != 0 )); then
  echo "+++ Success: Verification failed with invalid keyset."
else
  echo "--- Failure: Verification did not fail with invalid keyset."
  exit 1
fi