#!/bin/bash

# clean what was left from previous tests

rm -f ./.pt.db
rm -rf ./protected
mkdir protected
touch ./protected/do-not-remove ./protected/should-be-removed ./protected/truth ./protected/perm000 ./protected/perm777 ./protected/should-be-renamed ./protected/do-not-rename
chmod 777 ./protected/perm777 ./protected/perm000
echo "Free code, free world." >./protected/motto

mkdir protected/haystack
for i in {1..10}; do
  touch "./protected/haystack/hay$i"
done
touch ./protected/haystack/needle
echo "Liberty in every line." >./protected/haystack/needle

rm -rf ./openers
mkdir openers
make -C ./opener || (
  echo "Could not make the opener program."
  exit 1
)
for i in {1..10}; do
  cp ./opener/opener "./openers/opener$i"
  ln --symbolic "$(realpath "./openers/opener$i")" "./openers/symlinked_opener$i"
done

# set up the fake-zenity

PATH="$(realpath ./mock/):$PATH"

# mount the filesystem

echo "Run $(date -u +%Y-%m-%dT%H:%M:%S) "
if [[ $1 == "--setuid" ]]; then
  echo "Setting the setuid bit..."
  echo "root privilieges are required to create a special user and set correct ownership of the executable."
  id -u icfs &>/dev/null || sudo useradd --system --user-group icfs
  sudo chown icfs: ../build/icfs && sudo chmod 4777 ../build/icfs
  chmod g+w . # needed for icfs to be able to create the database
  echo "Valgrind will not be used due to setuid compatibility issues."
  ../build/icfs -o default_permissions ./protected ./.pt.db &
  sleep 1
else
  echo "Database protection will not be tested due to the lack of setuid capabilites."
  echo "To test it, run this script with '--setuid'."
  #valgrind --leak-check=full -s ../build/icfs -o default_permissions -o debug ./protected ./.pt.db 2>&1 | grep "==\|zenity\|Permission\|column\|callback\|SQLite" &
  valgrind --leak-check=full --show-leak-kinds=all -s ../build/icfs -o default_permissions ./protected ./.pt.db &
  sleep 5
fi

#valgrind -s ../build/icfs -o default_permissions ./protected &

# WARN: please don't use `>` or `>>` operators. They force **this script** to open the file, **not the program you are trying to run**. This is probably not what you mean when you want to test a specific program's access.
# WARN: avoid using touch, since it generates errors because setting times is not implemented in icfs **yet**.

# create files

icfs_dialogue --set-fake-response no
truncate -s 0 ./protected/should-exist-anyway 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: truncate cannot create protected/should-exist despite access being permitted!" # OK

icfs_dialogue --set-fake-response yes
truncate -s 0 ./protected/should-exist 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: truncate cannot create protected/should-exist despite access being permitted!" # OK

# write to files

icfs_dialogue --set-fake-response no
sed -e 'a\'"Linux is a cancer that attaches itself in an intellectual property sense to everything it touches." "./protected/truth" 2>/dev/null &&
  echo "[ICFS-TEST]: echo can write to protected/lie despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

icfs_dialogue --set-fake-response yes
sed -e 'a\'"Sharing knowledge is the most fundamental act of friendship. Because it is a way you can give something without loosing something." "./protected/truth" 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: echo cannot write to protected/truth despite access being permitted!" # OK

# Read files

icfs_dialogue --set-fake-response no
cat ./protected/motto >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: cat can read protected/this-only despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

icfs_dialogue --set-fake-response yes
cat ./protected/motto >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: echo cannot create protected/this-only despite access being permitted!" # "Free code, free world."

# remove files

icfs_dialogue --set-fake-response no
rm ./protected/do-not-remove >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: rm can unlink protected/do-not-remove despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

icfs_dialogue --set-fake-response yes
rm ./protected/should-be-removed >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: rm cannot unlink protected/should-be-removed despite access being permitted!" # OK

# rename files

icfs_dialogue --set-fake-response no
mv ./protected/do-not-rename ./protected/terrible-name 2>/dev/null &&
  echo "[ICFS-TEST]: mv can rename protected/truth despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS
icfs_dialogue --set-fake-response yes
mv ./protected/should-be-renamed ./protected/great-name 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: mv cannot rename should-be-removed to renamed-file despite access being permitted!" # OK

# change permissions

icfs_dialogue --set-fake-response no
chmod 000 ./protected/perm777 2>/dev/null &&
  echo "[ICFS-TEST]: chmod can change permissions of protected/perm777 despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS
icfs_dialogue --set-fake-response yes
chmod 000 ./protected/perm000 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: chmod cannot change permissions of protected/perm000 despite access being permitted!" # OK

# test permanent permissions

icfs_dialogue --set-fake-response yes_perm
openers/opener1 ./protected/motto >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: openers/opener1 cannot read protected/motto despite access being permitted!" # OK

icfs_dialogue --set-fake-response no # this should be ignored
openers/opener1 ./protected/motto >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: openers/opener1 cannot read protected/motto despite access being permitted!" # OK

icfs_dialogue --set-fake-response no # this should be ignored
openers/symlinked_opener1 ./protected/motto >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: openers/symlinked_opener1 cannot read protected/motto despite access being permitted!" # OK

icfs_dialogue --set-fake-response no_perm
openers/opener2 ./protected/motto >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: openers/opener2 can read protected/motto despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

icfs_dialogue --set-fake-response yes # this should be ignored
openers/opener2 ./protected/motto >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: openers/opener2 can read protected/motto despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

icfs_dialogue --set-fake-response yes # this should be ignored
openers/symlinked_opener2 ./protected/motto >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: openers/symlinked_opener2 can read protected/motto despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

# test permission globbing

icfs_dialogue --set-fake-response yes
icfs_dialogue --set-fake-response-filename "/"
openers/opener3 ./protected/haystack >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: openers/opener3 cannot read protected/haystack/needle despite access being permitted!" # OK

icfs_dialogue --set-fake-response no
icfs_dialogue --set-fake-response-filename "/"
openers/opener4 ./protected/haystack >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: openers/opener4 can read files in protected/haystack despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

icfs_dialogue --set-fake-response yes_perm
icfs_dialogue --set-fake-response-filename "/"
openers/opener5 ./protected/haystack/needle >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: openers/opener5 cannot read protected/haystack/needle despite access being permitted!" # OK

icfs_dialogue --set-fake-response no # this should be ignored
openers/opener5 ./protected/haystack >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: OK" ||
  echo "[ICFS-TEST]: openers/opener5 cannot read files in protected/haystack despite access being permitted!" # OK

icfs_dialogue --set-fake-response no_perm
icfs_dialogue --set-fake-response-filename "/"
openers/opener6 ./protected/haystack/needle >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: openers/opener6 can read protected/haystack/needle despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

icfs_dialogue --set-fake-response yes # this should be ignored
openers/opener6 ./protected/haystack >/dev/null 2>/dev/null &&
  echo "[ICFS-TEST]: openers/opener6 can read files in protected/haystack despite access being denied!" ||
  echo "[ICFS-TEST]: OK" # EACCESS

# test database access
if [[ $1 == '--setuid' ]]; then
  if [[ -r "./.pt.db" || -w "./.pt.db" ]]; then
    echo "[ICFS-TEST]: permanent permissions database is accessible!"
  else
    echo "[ICFS-TEST]: OK"
  fi
else
  echo "[ICFS-TEST]: permanent permissions database access was not tested due to the lack of seuid bit setting capabilites. To test this, run the script with '--setuid' flag"
fi

# unmount

sleep 0.5
#lsof +f -- $(realpath ./protected)
umount "$(realpath ./protected)"
sleep 2