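#!/bin/bash
# shellcheck disable=SC2164
#
# Test suite for libexim-encrypt-dlfunc.  Output follows the TAP protocol
# (https://testanything.org): a plan line "1..6" followed by one
# "ok N - ..." / "not ok N - ..." line per test.  Individual failures are not
# fatal to the remaining tests, so no `set -e`; only a failure that makes the
# rest of the run meaningless (no temp directory) emits "Bail out!".
#
# Run from the repository root (the binaries are addressed as src/...).
# Test 6 needs to `su` to "nobody", i.e. it must be run as root.

PATH=/sbin:/usr/sbin:$PATH

echo 1..6

#######################################
# Print a passing TAP result line.
# Arguments: $1 - test number
#            $2 - description
# Outputs:   "ok N - description" on stdout
#######################################
tap_ok() {
  printf 'ok %s - %s\n' "$1" "$2"
}

#######################################
# Print a failing TAP result line.
# Arguments: $1 - test number
#            $2 - description
# Outputs:   "not ok N - description" on stdout
#######################################
tap_not_ok() {
  printf 'not ok %s - %s\n' "$1" "$2"
}

#######################################
# Abort the whole run the TAP way ("Bail out! reason") and exit non-zero.
# Arguments: $* - reason
#######################################
bail_out() {
  printf 'Bail out! %s\n' "$*"
  exit 1
}

#######################################
# Evaluate one ${dlfunc{...}} string expansion through exim with an empty
# configuration (-C /dev/null) and print the result.
# Globals:   LIB (read) - path of the dlfunc shared object
# Arguments: $1    - dlfunc entry point, e.g. sodium_crypto_box_seal
#            $2... - dlfunc arguments, each wrapped in {...} in order
# Outputs:   the expanded string on stdout
# Returns:   exim's exit status
#######################################
exim_dlfunc() {
  local func=$1
  shift
  local expansion="\${dlfunc{${LIB}}{${func}}"
  local arg
  for arg in "$@"; do
    expansion+="{${arg}}"
  done
  expansion+="}"
  exim -C /dev/null -be "${expansion}"
}

# copy to /tmp to keep commandline arguments to exim calls under 256 chars
# (prevent problems on Ubuntu)
# NOTE(review): this is a fixed, predictable file name in a world-writable
# directory, so on a shared host another local user could pre-create it
# before the test runs; fine on a throw-away CI box, but a private
# `mktemp --directory` location would be safer if the 256-char budget
# allows the longer path — TODO confirm.
install -t /tmp src/libexim-encrypt-dlfunc.so
LIB=/tmp/libexim-encrypt-dlfunc.so

CLEARTEXT="127.88.99.23"  # keep short; see above
PASSWORD="$(openssl rand -base64 32)"

### Test 1: secretbox encrypt/decrypt round trip with a random password
CIPHERTEXT=$(exim_dlfunc sodium_crypto_secretbox_encrypt_password "${PASSWORD}" "${CLEARTEXT}")
DECRYPTED=$(exim_dlfunc sodium_crypto_secretbox_decrypt_password "${PASSWORD}" "${CIPHERTEXT}")
if [[ "${CLEARTEXT}" == "${DECRYPTED}" ]]; then
  tap_ok 1 "secretbox test successful"
else
  tap_not_ok 1 "secretbox test unsuccessful"
fi

### Test 2: sealed box round trip with a pre-generated key pair
# Fixed test-vector key pair committed with the suite; because the secret
# key is public, never reuse it outside this test.
PK="tgFFIJ9VBnQpcXteqWhgXoEaVGvJgJd4QcYgrmaf2VM="
SK="lY1F70Vqwe+uCn4czGdwyGdr0WLUWdkj/Gq39m2k3P0="
CIPHERTEXT=$(exim_dlfunc sodium_crypto_box_seal "${PK}" "${CLEARTEXT}")
DECRYPTED=$(exim_dlfunc sodium_crypto_box_seal_open "${SK}" "${PK}" "${CIPHERTEXT}")
if [[ "${CLEARTEXT}" == "${DECRYPTED}" ]]; then
  tap_ok 2 "sealed_box test with pre-generated key pair successful"
else
  tap_not_ok 2 "sealed_box test with pre-generated key pair unsuccessful"
fi

# skip test on Ubuntu
#[ "$(lsb_release --id --short)" == "Ubuntu" ] && echo "not ok 3 # skip Ubuntu has patches against long commandline arguments, bailing out"

### Test libexim-encrypt-dlfunc-genkeys
# Install the cleanup trap before creating anything so an early bail-out
# never leaks a directory; cleanup skips paths that were never assigned.
TEMPDIR01=""
TEMPDIR02=""
cleanup() {
  local dir
  for dir in "${TEMPDIR01}" "${TEMPDIR02}"; do
    [[ -n "${dir}" ]] && rm -rf -- "${dir}"
  done
}
trap cleanup EXIT INT TERM
# Without a temp directory the pushd below would fail and genkeys would
# write its key files into the source tree, so stop here instead.
TEMPDIR01="$(mktemp --directory --quiet)" || bail_out "mktemp failed"
TEMPDIR02="$(mktemp --directory --quiet)" || bail_out "mktemp failed"

CURDIR="$(pwd)"
pushd "${TEMPDIR01}" > /dev/null
# genkeys writes the key pair into the current directory; its stderr is
# discarded because the TAP parser seems to hate the output.
"${CURDIR}/src/libexim-encrypt-dlfunc-genkeys" 2> /dev/null
PK="$(base64 cryptobox_recipient_pk.raw)"
SK="$(base64 cryptobox_recipient_sk.raw)"
popd > /dev/null

### Test 3: sealed box round trip with the freshly generated key pair
CIPHERTEXT=$(exim_dlfunc sodium_crypto_box_seal "${PK}" "${CLEARTEXT}")
DECRYPTED=$(exim_dlfunc sodium_crypto_box_seal_open "${SK}" "${PK}" "${CIPHERTEXT}")
if [[ "${CLEARTEXT}" == "${DECRYPTED}" ]]; then
  tap_ok 3 "sealed_box test with newly generated key pair successful"
else
  tap_not_ok 3 "sealed_box test with newly generated key pair unsuccessful"
fi

### Check if --help works
if src/libexim-encrypt-dlfunc-decrypt-secretbox --help > /dev/null; then
  tap_ok 4 "secretbox --help argument works"
else
  tap_not_ok 4 "secretbox --help argument does not work"
fi

if src/libexim-encrypt-dlfunc-decrypt-sealedbox --help > /dev/null; then
  tap_ok 5 "sealedbox --help argument works"
else
  tap_not_ok 5 "sealedbox --help argument does not work"
fi

### Code coverage for genkeys file access failures
pushd "${TEMPDIR02}" > /dev/null
KEYFILES=(
  cryptobox_recipient_pk.raw
  cryptobox_recipient_pk_exim.conf
  cryptobox_recipient_sk.raw
  cryptobox_recipient_sk_exim.conf
)
# Start with every output file present and owned by the caller, so the
# unprivileged run below cannot overwrite any of them.
for KF in "${KEYFILES[@]}"; do
  rm -f -- "${KF}"
  touch "${KF}"
done

# Run genkeys as the unprivileged user "nobody" once per key file, handing
# one more file over to nobody after each run (presumably so every run fails
# on a different file).  Any run that succeeds is a write that should have
# been refused.
# NOTE(review): `-` asks su for a login shell, which normally chdir()s to the
# target user's home; and a mktemp directory is 0700 for the caller.  TODO
# confirm genkeys really runs inside ${TEMPDIR02} and that the chown loop
# changes what it can write, otherwise this test passes trivially.
FS_ACCESS_FAILURE=0
for KF in "${KEYFILES[@]}"; do
  su -s /bin/bash -c "${CURDIR}/src/libexim-encrypt-dlfunc-genkeys" - nobody 2> /dev/null \
    && FS_ACCESS_FAILURE=1
  rm -f -- "${KF}"
  touch "${KF}"
  chown nobody: "${KF}"
done
if [[ "${FS_ACCESS_FAILURE}" -eq 0 ]]; then
  tap_ok 6 "genkeys should fail without filesystem access"
else
  tap_not_ok 6 "genkeys should fail without filesystem access"
fi
popd > /dev/null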