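#!/bin/bash
#
# Variant-analysis harness: runs the same Go test (TestVariantAttempts) against
# a vulnerable Nomad tag (v2.0.0) and the fixed tag (v2.0.1), each in its own
# git worktree, then inspects the captured test output to decide whether any
# variant still gets through on the fixed version.
#
# Layout / environment:
#   PRUVA_ROOT                          optional; repository root (defaults to
#                                       the parent of this script's directory)
#   $ROOT/external/nomad                a Nomad clone that has tags v2.0.0 and v2.0.1
#   $ROOT/vuln_variant/variant_test.go  the test file copied into both worktrees
#   $ROOT/logs/vuln_variant/            per-ref `go test` output is written here
#
# Exit status (deliberately inverted: this is a proof-of-bypass check, so it
# "succeeds" only when a bypass is demonstrated):
#   0  a variant bypassed the fix on v2.0.1
#   1  no bypass: v2.0.1 blocks every tested variant
#   2  inconclusive: a precondition failed, or the test run on v2.0.1 did not
#      produce the expected "Variant N ..." result lines (e.g. build failure);
#      without this distinction a broken build would be reported as a bypass.
set -euo pipefail

# Portable root detection - works anywhere
ROOT="${PRUVA_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
LOGS="$ROOT/logs/vuln_variant"
mkdir -p "$LOGS"

NOMAD_DIR="$ROOT/external/nomad"
VULN_WORKTREE="$ROOT/external/nomad-vuln"
FIXED_WORKTREE="$ROOT/external/nomad-fixed"
TEST_NAME="variant_test_test.go"
TEST_SRC="$ROOT/vuln_variant/variant_test.go"
# Package directory, relative to a worktree, that the variant test belongs to.
TEST_PKG="client/hostvolumemanager"
readonly ROOT LOGS NOMAD_DIR VULN_WORKTREE FIXED_WORKTREE TEST_NAME TEST_SRC TEST_PKG

#######################################
# Print a message to stderr and exit with the "inconclusive" status (2).
# Arguments: $@ - message
#######################################
die() {
    printf '%s\n' "$*" >&2
    exit 2
}

#######################################
# Remove a leftover directory that looks like a worktree path but is not one
# (no .git entry), so `git worktree add` can recreate it cleanly.
# Arguments: $1 - worktree path
#######################################
remove_if_stale() {
    local path=$1
    if [ -d "$path" ] && [ ! -e "$path/.git" ]; then
        # ${path:?} aborts if the variable is somehow empty, so this can never
        # degrade into `rm -rf /`.
        rm -rf -- "${path:?}"
    fi
}

#######################################
# Create the worktree for a ref if it does not already exist.
# Globals:   ROOT, NOMAD_DIR (read)
# Arguments: $1 - worktree path, $2 - git ref to check out
#######################################
ensure_worktree() {
    local path=$1 ref=$2
    if [ ! -e "$path/.git" ]; then
        mkdir -p "$ROOT/external"
        git -C "$NOMAD_DIR" worktree add "$path" "$ref"
    fi
}

#######################################
# Copy the variant test into a worktree's package directory, run it, and
# capture all output in the given log (also echoed to stderr).
# The `go test` exit status is intentionally ignored: the verdict is derived
# from the result lines in the log, not from the test passing or failing.
# Globals:   TEST_PKG, TEST_SRC, TEST_NAME (read)
# Arguments: $1 - worktree path, $2 - log file, $3 - label for the banner
#######################################
run_variants() {
    local worktree=$1 log=$2 label=$3
    mkdir -p "$worktree/$TEST_PKG"
    cp -- "$TEST_SRC" "$worktree/$TEST_PKG/$TEST_NAME"
    echo "=== Running variant tests on $label ===" >&2
    # Subshell keeps the caller's working directory unchanged.
    ( cd "$worktree/$TEST_PKG" && go test -v -run TestVariantAttempts ) > "$log" 2>&1 || true
    cat "$log" >&2
}

#######################################
# Count lines of FILE containing the fixed string PATTERN, printing 0 when
# there are none or the file cannot be read.
# `grep -c` exits non-zero on a zero count, which would trip `set -e`, so the
# status is swallowed deliberately and only the number is used.
# Arguments: $1 - literal pattern, $2 - file
# Outputs:   the count on stdout
#######################################
count_matches() {
    local n
    n=$(grep -cF -- "$1" "$2" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

main() {
    cd "$ROOT"

    # --- Preconditions: fail fast with a clear message rather than a mid-run git/go error ---
    command -v git >/dev/null || die "git is required but not found in PATH"
    command -v go >/dev/null || die "go is required but not found in PATH"
    [ -d "$NOMAD_DIR" ] || die "Nomad checkout not found at $NOMAD_DIR"
    [ -f "$TEST_SRC" ] || die "variant test not found at $TEST_SRC"

    # --- Clean up any stale worktrees ---
    remove_if_stale "$VULN_WORKTREE"
    remove_if_stale "$FIXED_WORKTREE"
    git -C "$NOMAD_DIR" worktree prune 2>/dev/null || true

    # --- Ensure worktrees exist ---
    ensure_worktree "$VULN_WORKTREE" v2.0.0
    ensure_worktree "$FIXED_WORKTREE" v2.0.1

    # --- Copy the test into both worktrees and run it on each ref ---
    local vuln_log="$LOGS/variant_vuln.txt"
    local fixed_log="$LOGS/variant_fixed.txt"
    run_variants "$VULN_WORKTREE" "$vuln_log" "v2.0.0 (vulnerable)"
    run_variants "$FIXED_WORKTREE" "$fixed_log" "v2.0.1 (fixed)"

    # --- Evaluate results ---
    echo "=== Evaluating results ===" >&2

    # On vulnerable: both traversal and symlink should be allowed (err = <nil>)
    local vuln_traversal_ok vuln_symlink_ok vuln_register_ok
    vuln_traversal_ok=$(count_matches 'Variant 1 (traversal): err = <nil>' "$vuln_log")
    vuln_symlink_ok=$(count_matches 'Variant 2 (symlink): err = <nil>' "$vuln_log")
    vuln_register_ok=$(count_matches 'Variant 3 (Register PluginID update): err = <nil>' "$vuln_log")

    # On fixed: both should be blocked (err != <nil>)
    local fixed_traversal_blocked fixed_symlink_blocked fixed_register_ok
    fixed_traversal_blocked=$(count_matches 'Variant 1 (traversal): err = no such plugin' "$fixed_log")
    fixed_symlink_blocked=$(count_matches 'Variant 2 (symlink): err = no such plugin' "$fixed_log")
    fixed_register_ok=$(count_matches 'Variant 3 (Register PluginID update): err = <nil>' "$fixed_log")

    echo "Vulnerable v2.0.0: traversal_allowed=$vuln_traversal_ok symlink_allowed=$vuln_symlink_ok register_update_allowed=$vuln_register_ok" >&2
    echo "Fixed v2.0.1: traversal_blocked=$fixed_traversal_blocked symlink_blocked=$fixed_symlink_blocked register_update_allowed=$fixed_register_ok" >&2

    # Sanity check: the fixed run must actually have reached variants 1 and 2.
    # The "blocked" counts above are zero both when a variant bypassed the fix
    # AND when the test never ran (compile error, missing toolchain, ...); only
    # the former is a bypass, so the absence of any result line is reported
    # as inconclusive instead.
    local fixed_traversal_ran fixed_symlink_ran
    fixed_traversal_ran=$(count_matches 'Variant 1 (traversal): err =' "$fixed_log")
    fixed_symlink_ran=$(count_matches 'Variant 2 (symlink): err =' "$fixed_log")
    if [ "$fixed_traversal_ran" -eq 0 ] || [ "$fixed_symlink_ran" -eq 0 ]; then
        die "INCONCLUSIVE: variant tests produced no result lines on v2.0.1 (see $fixed_log)"
    fi

    # A true bypass requires the variant to work on the FIXED version.
    # None of our variants bypass os.OpenRoot on the fixed version.
    if [ "$fixed_traversal_blocked" -gt 0 ] && [ "$fixed_symlink_blocked" -gt 0 ]; then
        echo "VERDICT: No bypass found. Client-side os.OpenRoot successfully blocks all tested variants on v2.0.1." >&2
        exit 1
    else
        echo "VERDICT: A variant bypassed the fix!" >&2
        exit 0
    fi
}

main "$@"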
