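#!/usr/bin/env bash
#
# test_security_headers.sh - probe a running instance for HTTP security headers
# and CORS behaviour and print a colour-coded report.
#
# Usage:  test_security_headers.sh [BASE_URL]
#   BASE_URL  defaults to the local dev server (http://localhost:5005); pass
#             https://ploughshares.nixc.us to probe production. A trailing "/"
#             is tolerated.
# Environment:
#   TEST_ORIGIN   value sent in the Origin: header (default http://example.com).
#                 Use an origin that is NOT on the server's CORS allowlist, so a
#                 reflected value reveals origin reflection.
#   CURL_TIMEOUT  per-request timeout in seconds (default 10).
#   STRICT=1      exit non-zero when any ✗ finding was recorded. By default the
#                 exit status is 0 whenever the run completes.
#
# Requires curl. jq is optional (pretty-prints the sample API response).
#
# What counts as a finding here:
#   * CSP is enforced by browsers rendering the response. It has no effect on
#     curl/SDK-style API clients, so 'unsafe-inline' / 'unsafe-eval' are never
#     "needed for API clients" - they weaken XSS protection and are reported as
#     failures. connect-src only limits where the page's own scripts may
#     connect to; it does not block external callers of the API.
#   * Missing CORS headers break browser callers but are not a vulnerability.
#     An over-permissive policy (Origin reflected, "*" with credentials) is.
#   * Cross-Origin-Resource-Policy is only consulted for no-cors loads
#     (<img>, <script>, ...); a CORS-mode fetch is unaffected by it.
set -uo pipefail

# Colours for readability; printed through printf '%b'.
readonly GREEN='\033[0;32m'
readonly RED='\033[0;31m'
readonly YELLOW='\033[0;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

# Base URLs. PROD_URL is documentation for the caller (see Usage above).
readonly DEV_URL="http://localhost:5005"
# shellcheck disable=SC2034
readonly PROD_URL="https://ploughshares.nixc.us"
readonly TEST_ORIGIN="${TEST_ORIGIN:-http://example.com}"
readonly CURL_TIMEOUT="${CURL_TIMEOUT:-10}"

URL=""         # base URL under test; set by main()
FAIL_COUNT=0   # number of ✗ findings recorded
WARN_COUNT=0   # number of ⚠ findings recorded

# ---- output helpers --------------------------------------------------------
# All report text goes to stdout so the run can be captured as before.
section()  { printf '\n%b%s%b\n' "$BLUE" "$1" "$NC"; }
log_info() { printf '  %b-%b %s\n' "$BLUE" "$NC" "$1"; }
log_ok()   { printf '  %b✓ %s%b\n' "$GREEN" "$1" "$NC"; }
log_warn() { printf '  %b⚠ %s%b\n' "$YELLOW" "$1" "$NC"; WARN_COUNT=$((WARN_COUNT + 1)); }
log_fail() { printf '  %b✗ %s%b\n' "$RED" "$1" "$NC"; FAIL_COUNT=$((FAIL_COUNT + 1)); }
rule()     { echo "------------------------------------------------"; }

# Lower-case $1 (kept bash-3.2 compatible; ${var,,} needs bash 4).
to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

#######################################
# Print the value of one response header.
# Arguments: $1 - raw response headers as captured from curl
#            $2 - header name (matched case-insensitively, anchored with ":",
#                 so Content-Security-Policy does not match ...-Report-Only)
# Outputs:   the value with CR and surrounding whitespace stripped
# Returns:   0 if found, 1 otherwise
#######################################
header_value() {
  local raw=$1 name=$2 line
  # Header lines are CRLF-terminated; without tr the trailing \r would
  # poison every string comparison on the value.
  line=$(printf '%s\n' "$raw" | tr -d '\r' | grep -i "^${name}:" | head -n 1)
  [[ -n "$line" ]] || return 1
  line=${line#*:}
  line=${line#"${line%%[![:space:]]*}"}
  printf '%s\n' "${line%"${line##*[![:space:]]}"}"
}

#######################################
# Print the source list of one CSP directive.
# Arguments: $1 - full policy string
#            $2 - directive name (case-insensitive, e.g. script-src)
# Outputs:   the directive's value (may be empty for valueless directives)
# Returns:   0 if the directive is present, 1 otherwise
#######################################
csp_directive() {
  local policy=$1 want directive key value
  local nl=$'\n'
  want=$(to_lower "$2")
  while IFS= read -r directive; do
    directive=${directive#"${directive%%[![:space:]]*}"}
    directive=${directive%"${directive##*[![:space:]]}"}
    [[ -n "$directive" ]] || continue
    key=${directive%%[[:space:]]*}
    if [[ "$(to_lower "$key")" == "$want" ]]; then
      value=${directive#"$key"}
      printf '%s\n' "${value#"${value%%[![:space:]]*}"}"
      return 0
    fi
  done <<< "${policy//;/$nl}"
  return 1
}

#######################################
# Fetch only the response headers of a URL.
# Arguments: $1 - URL; remaining args are passed to curl (extra -H/-X)
# Outputs:   raw headers on stdout
# Returns:   curl's exit status
#######################################
fetch_headers() {
  local url=$1
  shift
  curl -sS --max-time "$CURL_TIMEOUT" -D - -o /dev/null "$@" "$url"
}

#######################################
# Analyse Content-Security-Policy.
# Arguments: $1 - raw headers, $2 - 1 for an /api/ endpoint, else 0
#######################################
analyze_csp() {
  local headers=$1 is_api=$2 csp script_policy connect_policy padded
  section "Content-Security-Policy:"
  if ! csp=$(header_value "$headers" Content-Security-Policy); then
    if (( is_api )); then
      log_warn "Content-Security-Policy header not found - defence in depth only for JSON, but worth adding in case an error path returns HTML"
    else
      log_fail "Content-Security-Policy header not found"
    fi
    return
  fi
  log_info "${csp}"

  # script-src governs inline/eval; when absent, default-src applies to scripts.
  if ! script_policy=$(csp_directive "$csp" script-src); then
    if script_policy=$(csp_directive "$csp" default-src); then
      log_info "no script-src; default-src applies to scripts: ${script_policy}"
    else
      log_fail "neither script-src nor default-src present - script sources are unrestricted"
      script_policy=""
    fi
  fi
  if [[ -n "$script_policy" ]]; then
    padded=" ${script_policy} "
    if [[ "$padded" == *"'unsafe-inline'"* ]]; then
      if [[ "$padded" == *"'nonce-"* || "$padded" == *"'sha256-"* \
            || "$padded" == *"'sha384-"* || "$padded" == *"'sha512-"* ]]; then
        log_warn "script-src has 'unsafe-inline' next to a nonce/hash - CSP2+ browsers ignore it, so it only serves as a legacy fallback"
      else
        log_fail "script-src allows 'unsafe-inline' - injected inline script runs; CSP affects browsers only, API clients never need this"
      fi
    else
      log_ok "script-src does not allow 'unsafe-inline'"
    fi
    if [[ "$padded" == *"'unsafe-eval'"* ]]; then
      log_fail "script-src allows 'unsafe-eval' - eval()/new Function() on injected strings runs; not needed by API clients"
    else
      log_ok "script-src does not allow 'unsafe-eval'"
    fi
    if [[ "$padded" == *" * "* || "$padded" == *" http: "* \
          || "$padded" == *" https: "* || "$padded" == *" data: "* ]]; then
      log_warn "script-src contains a wildcard/scheme source (${script_policy}) - scripts may load from arbitrary hosts"
    fi
  fi

  # connect-src limits where this page's own scripts may fetch/XHR/WebSocket
  # to. It says nothing about who may call the API from elsewhere.
  if connect_policy=$(csp_directive "$csp" connect-src); then
    if [[ " ${connect_policy} " == *" * "* ]]; then
      log_warn "connect-src includes * - scripts on this page may send data anywhere (exfiltration channel); this has no bearing on external API clients"
    else
      log_ok "connect-src is restricted: ${connect_policy}"
    fi
  else
    log_info "no connect-src; default-src applies to connections"
  fi
}

#######################################
# Analyse CORS headers on an API response (request carried Origin: TEST_ORIGIN).
# Arguments: $1 - raw headers
#######################################
analyze_cors() {
  local headers=$1 acao creds methods allowed vary creds_on=0
  section "CORS Headers (critical for browser API clients):"
  if ! acao=$(header_value "$headers" Access-Control-Allow-Origin); then
    log_fail "Access-Control-Allow-Origin header not found - cross-origin browser callers will be blocked (functional failure, not a security one)"
  else
    creds=$(header_value "$headers" Access-Control-Allow-Credentials) || creds=""
    if [[ "$(to_lower "$creds")" == "true" ]]; then
      creds_on=1
    fi
    if [[ "$acao" == "*" ]]; then
      if (( creds_on )); then
        log_fail "Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true - browsers refuse this pairing, and it signals an attempt to expose credentialed responses to every site"
      else
        log_ok "Access-Control-Allow-Origin: * (public API, no credentials)"
      fi
    elif [[ "$acao" == "$TEST_ORIGIN" ]]; then
      # The probe origin is arbitrary; echoing it back means any origin gets in.
      if (( creds_on )); then
        log_fail "Access-Control-Allow-Origin reflects the arbitrary origin ${TEST_ORIGIN} with credentials allowed - any site can read this API as a logged-in user, unless ${TEST_ORIGIN} is deliberately allowlisted"
      else
        log_warn "Access-Control-Allow-Origin reflects the arbitrary origin ${TEST_ORIGIN} - looks like origin reflection (effectively *), unless that origin is deliberately allowlisted"
      fi
    else
      log_ok "Access-Control-Allow-Origin: ${acao}"
    fi
    if [[ "$acao" != "*" ]]; then
      vary=$(header_value "$headers" Vary) || vary=""
      if [[ "$(to_lower "$vary")" == *origin* ]]; then
        log_ok "Vary: ${vary}"
      else
        log_warn "Access-Control-Allow-Origin is origin-specific but Vary: Origin is missing - a shared cache may hand one origin's CORS headers to another"
      fi
    fi
  fi

  # Allow-Methods / Allow-Headers only matter on the preflight response; on a
  # plain GET they are informational (test_preflight checks the real thing).
  if methods=$(header_value "$headers" Access-Control-Allow-Methods); then
    log_info "Access-Control-Allow-Methods: ${methods}"
  else
    log_info "Access-Control-Allow-Methods not on this response (only required on the OPTIONS preflight)"
  fi
  if allowed=$(header_value "$headers" Access-Control-Allow-Headers); then
    if [[ "$allowed" == "*" ]] && (( creds_on )); then
      log_warn "Access-Control-Allow-Headers: * with credentials - browsers treat * literally in credentialed requests, so this is misconfigured"
    else
      log_info "Access-Control-Allow-Headers: ${allowed}"
    fi
  else
    log_info "Access-Control-Allow-Headers not on this response (only required on the OPTIONS preflight)"
  fi
}

#######################################
# Analyse the remaining security headers.
# Arguments: $1 - raw headers, $2 - 1 for an /api/ endpoint, else 0
# Globals:   URL (read; HSTS is only checked for https)
#######################################
analyze_misc() {
  local headers=$1 is_api=$2 value csp lower
  local hsts_re='max-age=([0-9]+)'
  section "Other Security Headers:"

  # Cross-Origin-Resource-Policy is evaluated only for no-cors loads.
  if value=$(header_value "$headers" Cross-Origin-Resource-Policy); then
    lower=$(to_lower "$value")
    if (( is_api )); then
      if [[ "$lower" == "cross-origin" ]]; then
        log_ok "Cross-Origin-Resource-Policy: ${value} - API responses may be embedded by other origins"
      else
        log_info "Cross-Origin-Resource-Policy: ${value} - CORS-mode fetches are unaffected; only relax to cross-origin if the API must load via <script>/<img>"
      fi
    elif [[ "$lower" == "same-origin" ]]; then
      log_ok "Cross-Origin-Resource-Policy: ${value} - correct for UI"
    else
      log_warn "Cross-Origin-Resource-Policy: ${value} - should be same-origin for UI responses"
    fi
  elif (( is_api )); then
    log_info "Cross-Origin-Resource-Policy not set"
  else
    log_warn "Cross-Origin-Resource-Policy header not found - same-origin stops other sites loading UI responses via no-cors requests"
  fi

  # nosniff stops a browser from treating JSON/text as HTML or script.
  if value=$(header_value "$headers" X-Content-Type-Options); then
    if [[ "$(to_lower "$value")" == "nosniff" ]]; then
      log_ok "X-Content-Type-Options: ${value}"
    else
      log_fail "X-Content-Type-Options: ${value} - expected nosniff"
    fi
  else
    log_fail "X-Content-Type-Options: nosniff missing"
  fi

  # HSTS is only honoured over TLS, so it is only expected on https targets.
  if [[ "$URL" == https://* ]]; then
    if value=$(header_value "$headers" Strict-Transport-Security); then
      if [[ "$(to_lower "$value")" =~ $hsts_re ]] && (( BASH_REMATCH[1] >= 31536000 )); then
        log_ok "Strict-Transport-Security: ${value}"
      else
        log_warn "Strict-Transport-Security: ${value} - max-age is missing or below one year"
      fi
    else
      log_fail "Strict-Transport-Security missing on an https endpoint"
    fi
  fi

  # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options when present.
  if ! (( is_api )); then
    csp=$(header_value "$headers" Content-Security-Policy) || csp=""
    if [[ -n "$csp" ]] && value=$(csp_directive "$csp" frame-ancestors); then
      log_ok "frame-ancestors ${value}"
    elif value=$(header_value "$headers" X-Frame-Options); then
      log_ok "X-Frame-Options: ${value} (consider CSP frame-ancestors as well)"
    else
      log_warn "no frame-ancestors / X-Frame-Options - UI pages can be framed (clickjacking)"
    fi
  fi

  if value=$(header_value "$headers" Referrer-Policy); then
    log_ok "Referrer-Policy: ${value}"
  else
    log_warn "Referrer-Policy missing - full URLs (including any query tokens) leak in Referer"
  fi

  if (( is_api )); then
    if value=$(header_value "$headers" Content-Type); then
      if [[ "$(to_lower "$value")" == *json* ]]; then
        log_ok "Content-Type: ${value}"
      else
        log_warn "Content-Type: ${value} - API responses are expected to be application/json; a text/html type lets a browser render attacker-influenced JSON"
      fi
    else
      log_warn "Content-Type header missing on API response"
    fi
  fi

  # Banner disclosure is low severity but cheap to remove.
  if value=$(header_value "$headers" Server) && [[ "$value" =~ [0-9] ]]; then
    log_warn "Server: ${value} - discloses a version string"
  fi
  if value=$(header_value "$headers" X-Powered-By); then
    log_warn "X-Powered-By: ${value} - discloses the framework; remove it"
  fi
}

#######################################
# Fetch one endpoint and run all header analyses on it.
# Arguments: $1 - endpoint path (starting with /), $2 - human description
# Globals:   URL, TEST_ORIGIN (read); FAIL_COUNT/WARN_COUNT (via log_*)
# Returns:   1 if the request itself failed, else 0
#######################################
test_headers() {
  local endpoint=$1 description=$2
  local full_url="${URL}${endpoint}" headers status status_line is_api=0
  local redirect_re='^HTTP/[0-9.]+[[:space:]]+3[0-9][0-9]'
  if [[ "$endpoint" == /api/* ]]; then
    is_api=1
  fi

  printf '\n%bTesting headers for %s (%s)%b\n' "$YELLOW" "$description" "$endpoint" "$NC"
  rule

  # GET instead of HEAD (curl -I): CORS/security headers are often added by
  # middleware that does not run for HEAD, and browsers send GET anyway. The
  # body is discarded. Origin is sent because many frameworks emit CORS
  # headers only when the request carries one.
  headers=$(fetch_headers "$full_url" -H "Origin: ${TEST_ORIGIN}")
  status=$?
  if (( status != 0 )) || [[ -z "$headers" ]]; then
    log_fail "request to ${full_url} failed (curl exit status ${status}); nothing to analyse"
    rule
    return 1
  fi

  status_line=$(printf '%s\n' "$headers" | tr -d '\r' | grep '^HTTP/' | tail -n 1)
  section "All Headers:"
  printf '%s\n' "$headers" | tr -d '\r' | grep -iv '^date:'
  if [[ "$status_line" =~ $redirect_re ]]; then
    log_warn "response is a redirect (${status_line}); redirects are not followed, so these are the redirect's headers, not the target's"
  fi

  section "Security Header Analysis:"
  analyze_csp "$headers" "$is_api"
  if (( is_api )); then
    analyze_cors "$headers"
  fi
  analyze_misc "$headers" "$is_api"
  rule
}

#######################################
# Simulate a browser CORS preflight against /api/test.
# Globals:   URL, TEST_ORIGIN (read)
# Returns:   1 if the request failed, else 0
#######################################
test_preflight() {
  local url="${URL}/api/test" headers status value
  printf '\n%bTesting OPTIONS request for CORS preflight%b\n' "$YELLOW" "$NC"
  rule
  # A real preflight carries Access-Control-Request-Method (and -Headers when
  # custom headers are used); without them many frameworks treat OPTIONS as an
  # ordinary request and answer 405 or without CORS headers.
  headers=$(fetch_headers "$url" -X OPTIONS \
    -H "Origin: ${TEST_ORIGIN}" \
    -H "Access-Control-Request-Method: POST" \
    -H "Access-Control-Request-Headers: Content-Type")
  status=$?
  if (( status != 0 )) || [[ -z "$headers" ]]; then
    log_fail "preflight request to ${url} failed (curl exit status ${status})"
    rule
    return 1
  fi
  printf '%s\n' "$headers" | tr -d '\r' | grep -iv '^date:'
  if value=$(header_value "$headers" Access-Control-Allow-Methods); then
    log_info "preflight allows methods: ${value}"
  else
    log_fail "preflight response lacks Access-Control-Allow-Methods - browser POST/PUT calls will be blocked"
  fi
  if value=$(header_value "$headers" Access-Control-Allow-Headers); then
    log_info "preflight allows headers: ${value}"
  else
    log_warn "preflight response lacks Access-Control-Allow-Headers - requests with custom headers (e.g. Content-Type: application/json) will be blocked"
  fi
  rule
}

#######################################
# Fetch /api/test like a cross-origin JSON client and show the body.
# Globals:   URL, TEST_ORIGIN, CURL_TIMEOUT (read)
#######################################
test_api_client() {
  local url="${URL}/api/test" response status
  printf '\n%bTesting with a simulated API client%b\n' "$YELLOW" "$NC"
  rule
  printf '%bCommand:%b curl -sS -H "Origin: %s" -H "Accept: application/json" "%s"\n' \
    "$BLUE" "$NC" "$TEST_ORIGIN" "$url"
  response=$(curl -sS --max-time "$CURL_TIMEOUT" -H "Origin: ${TEST_ORIGIN}" \
    -H "Accept: application/json" "$url")
  status=$?
  printf '%bResponse:%b\n' "$BLUE" "$NC"
  if (( status != 0 )); then
    log_fail "request failed (curl exit status ${status})"
  elif command -v jq >/dev/null 2>&1 && printf '%s' "$response" | jq . 2>/dev/null; then
    :  # pretty-printed by jq
  else
    printf '%s\n' "$response"   # jq missing or body is not JSON: show it raw
  fi
  rule
}

#######################################
# Entry point.
# Arguments: $1 - optional base URL (default DEV_URL)
# Returns:   2 on usage/tooling error; 1 when STRICT=1 and any ✗ was recorded;
#            0 otherwise
#######################################
main() {
  local base=${1:-$DEV_URL}
  URL=${base%/}
  # The URL is placed last on curl's command line; only http(s) schemes are
  # meaningful here and it keeps a stray "-flag" argument out of curl.
  if [[ "$URL" != http://* && "$URL" != https://* ]]; then
    printf 'Usage: %s [http(s)://host[:port]]\n' "${0##*/}" >&2
    return 2
  fi
  if ! command -v curl >/dev/null 2>&1; then
    printf '%bcurl is required but not installed%b\n' "$RED" "$NC" >&2
    return 2
  fi

  printf '%bTesting API Security Headers for %s%b\n' "$BLUE" "$URL" "$NC"
  echo "=================================================="

  test_headers "/" "Main UI page"
  test_headers "/api/test" "API test endpoint"
  test_preflight
  test_api_client

  printf '\n%bAll header tests completed.%b  %d failure(s), %d warning(s)\n' \
    "$GREEN" "$NC" "$FAIL_COUNT" "$WARN_COUNT"
  if [[ "${STRICT:-0}" != "0" ]] && (( FAIL_COUNT > 0 )); then
    return 1
  fi
  return 0
}

main "$@"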