#!/bin/sh -ex
# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
#
# Copyright (c) 2016 Red Hat, Inc.
# Author: Nathaniel McCallum <npmccallum@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

. helpers

trap 'on_exit' EXIT
export TMP=`mktemp -d`
mkdir -p $TMP/db

rec_startup () {
    # Generate the server keys
    tangd-keygen $TMP/db sig exc
    # Make sure keys generated by tangd-keygen have proper permissions.
    valid_key_perm "${TMP}/db/sig.jwk"
    valid_key_perm "${TMP}/db/exc.jwk"

    # Generate the client keys
    exc_kid=`jose jwk thp -i $TMP/db/exc.jwk`
    tmp=`jose fmt -j $TMP/db/exc.jwk -Od x -d y -d d -o-`
    jose jwk gen -i "$tmp" -o $TMP/exc.jwk
    jose jwk pub -i $TMP/exc.jwk -o $TMP/exc.pub.jwk
}

rec_second_phase () {
    # Make sure that GET fails
    curl -sf http://127.0.0.1:$PORT/rec && expected_fail
    curl -sf http://127.0.0.1:$PORT/rec/ && expected_fail

    # Make a recovery request (NOTE: this is insecure! Don't do this in real code!)
    good=`jose jwk exc -i '{"alg":"ECMR","key_ops":["deriveKey"]}' -l $TMP/exc.jwk -r $TMP/db/exc.jwk`
    test=`curl -sf -X POST \
           -H "Content-Type: application/jwk+json" \
           --data-binary @- \
           http://127.0.0.1:$PORT/rec/${exc_kid} < $TMP/exc.pub.jwk`
    [ "$good" = "$test" ]
}

rec_second_phase_endpoint () {
    # Make sure that GET fails
    curl -sf http://127.0.0.1:$PORT/$ENDPOINT/rec && expected_fail
    curl -sf http://127.0.0.1:$PORT/$ENDPOINT/rec/ && expected_fail

    # Make a recovery request (NOTE: this is insecure! Don't do this in real code!)
    good=`jose jwk exc -i '{"alg":"ECMR","key_ops":["deriveKey"]}' -l $TMP/exc.jwk -r $TMP/db/exc.jwk`
    test=`curl -sf -X POST \
           -H "Content-Type: application/jwk+json" \
           --data-binary @- \
           http://127.0.0.1:$PORT/$ENDPOINT/rec/${exc_kid} < $TMP/exc.pub.jwk`
    [ "$good" = "$test" ]
}
