#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"

cleanup() {
    docker compose -f "$PROJECT_ROOT/docker-compose.yml" -f "$PROJECT_ROOT/docker-compose.tests.yml" down --remove-orphans || true
}
trap cleanup EXIT

# AZ-505 AC-5: HTTP/2 via ALPN requires TLS on the API listener. The cert is
# self-signed for dev/test only — gitignored under certs/ and regenerated on
# demand. PFX is mounted into the API container as the Kestrel cert; the public
# PEM is mounted into the integration-tests container's CA trust store so every
# HttpClient transparently trusts it without per-test handler shims.
ensure_dev_cert() {
    local certs_dir="$PROJECT_ROOT/certs"
    local pfx="$certs_dir/api.pfx"
    local crt="$certs_dir/api.crt"
    if [[ -f "$pfx" && -f "$crt" ]]; then
        echo "Step 0a: Dev cert present (./certs/api.pfx)"
        return 0
    fi
    echo "Step 0a: Generating dev TLS cert (./certs/api.pfx + api.crt) for HTTP/2 ALPN (AZ-505 AC-5)"
    mkdir -p "$certs_dir"
    docker run --rm -v "$certs_dir:/work" -w /work alpine:3.20 sh -c '
        set -e
        apk add --no-cache openssl >/dev/null
        cat > /tmp/openssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no

[req_distinguished_name]
CN = satellite-provider-dev

[v3_req]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = api
DNS.2 = localhost
IP.1  = 127.0.0.1
EOF
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout api.key -out api.crt \
            -days 365 -config /tmp/openssl.cnf
        openssl pkcs12 -export -out api.pfx -inkey api.key -in api.crt \
            -passout pass:satellite-dev-cert
        chmod 644 api.pfx api.crt
    '
    echo "  ✓ Dev cert written (passphrase: satellite-dev-cert — dev-only)"
}
ensure_dev_cert

usage() {
    cat <<EOF
Usage: $(basename "$0") [--unit-only | --smoke | --full] [--skip-format] [--keep-state]

Modes:
  --unit-only   Run only the .NET unit test project (no Docker Compose, no integration tests)
  --smoke       Run unit tests + a fast integration subset (~2 min target, tightened timeouts)
  --full        Run unit tests + the full integration suite (default if no flag is provided)

Flags:
  --skip-format Skip the dotnet format --verify-no-changes check (use only for emergency runs)
  --keep-state  Skip the AZ-493 integration test DB-reset hook so leftover rows from the
                previous run remain in Postgres. Useful for debugging a failed run.

Environment:
  GOOGLE_MAPS_API_KEY  Required for any integration test mode (loaded from .env or shell env).
  JWT_SECRET           Required for any integration test mode. Shared HMAC secret used by the
                       API and the integration test runner; must be at least 32 bytes (UTF-8).
                       Loaded from .env or shell env.
  JWT_ISSUER           Required for any integration test mode (AZ-494). Must match the value
                       the API container validates. May be a DEV-ONLY value for local runs.
  JWT_AUDIENCE         Required for any integration test mode (AZ-494). Same contract as
                       JWT_ISSUER — must match what the API container validates.
EOF
}

mode="full"
skip_format="false"
keep_state="false"
for arg in "$@"; do
    case "$arg" in
        --unit-only)   mode="unit"; ;;
        --smoke)       mode="smoke"; ;;
        --full)        mode="full"; ;;
        --skip-format) skip_format="true"; ;;
        --keep-state)  keep_state="true"; ;;
        -h|--help)     usage; exit 0; ;;
        "")            ;;
        *)             echo "Unknown argument: $arg"; usage; exit 2; ;;
    esac
done

echo "=== Satellite Provider Test Suite ==="
echo "Mode: $mode"
echo ""

if [[ "$skip_format" == "true" ]]; then
    echo "Step 0: Skipping dotnet format check (--skip-format)"
else
    echo "Step 0: dotnet format whitespace --verify-no-changes"
    if ! docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:10.0 \
        dotnet format whitespace SatelliteProvider.sln --verify-no-changes; then
        echo ""
        echo "ERROR: Whitespace violations detected. Run 'dotnet format whitespace SatelliteProvider.sln' to fix."
        exit 4
    fi
    echo ""
fi

if [[ "$mode" == "unit" ]]; then
    echo "Running unit tests only..."
    docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:10.0 \
        sh -c "dotnet restore SatelliteProvider.sln && dotnet test SatelliteProvider.Tests/SatelliteProvider.Tests.csproj --no-restore --configuration Release --collect:'XPlat Code Coverage' --results-directory /src/TestResults --logger 'console;verbosity=normal'"
    echo ""
    echo "=== Unit tests complete (coverage written to ./TestResults/) ==="
    exit 0
fi

if { [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]] || [[ -z "${JWT_SECRET:-}" ]] || [[ -z "${JWT_ISSUER:-}" ]] || [[ -z "${JWT_AUDIENCE:-}" ]]; } && [[ -f "$PROJECT_ROOT/.env" ]]; then
    set -o allexport
    # shellcheck disable=SC1091
    source "$PROJECT_ROOT/.env"
    set +o allexport
fi

if [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]]; then
    echo "ERROR: GOOGLE_MAPS_API_KEY is not set (export it or add to .env). Integration tests will fail."
    exit 3
fi

if [[ -z "${JWT_SECRET:-}" ]]; then
    echo "ERROR: JWT_SECRET is not set (export it or add to .env). API will fail to start without it."
    exit 3
fi

jwt_secret_bytes=${#JWT_SECRET}
if (( jwt_secret_bytes < 32 )); then
    echo "ERROR: JWT_SECRET is ${jwt_secret_bytes} bytes; HMAC-SHA256 requires at least 32 bytes."
    exit 3
fi
export JWT_SECRET

if [[ -z "${JWT_ISSUER:-}" ]]; then
    echo "ERROR: JWT_ISSUER is not set (export it or add to .env). API + integration tests require it (AZ-494)."
    exit 3
fi
if [[ -z "${JWT_AUDIENCE:-}" ]]; then
    echo "ERROR: JWT_AUDIENCE is not set (export it or add to .env). API + integration tests require it (AZ-494)."
    exit 3
fi
export JWT_ISSUER
export JWT_AUDIENCE

echo "Step 1: Unit tests"
docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:10.0 \
    sh -c "dotnet restore SatelliteProvider.sln && dotnet test SatelliteProvider.Tests/SatelliteProvider.Tests.csproj --no-restore --configuration Release --collect:'XPlat Code Coverage' --results-directory /src/TestResults --logger 'console;verbosity=normal'"

echo ""
echo "Step 2: Integration tests (Docker Compose, mode=$mode, keep_state=$keep_state)"
INTEGRATION_KEEP_STATE_VALUE=""
if [[ "$keep_state" == "true" ]]; then
    INTEGRATION_KEEP_STATE_VALUE="1"
fi
INTEGRATION_TESTS_MODE="$mode" \
INTEGRATION_KEEP_STATE="$INTEGRATION_KEEP_STATE_VALUE" \
    docker compose \
    -f "$PROJECT_ROOT/docker-compose.yml" \
    -f "$PROJECT_ROOT/docker-compose.tests.yml" \
    up --build --abort-on-container-exit --exit-code-from integration-tests

echo ""
echo "=== All tests passed (mode=$mode) ==="