#!/usr/bin/env bash

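# Test that core:python generates lockfile URLs from python-build-standalone
#
# Covers four lockfile behaviours, in order:
#   1. `mise lock` records a python-build-standalone URL and a sha256 checksum
#   2. `mise install` obeys the locked URL (does not recompute it) and rejects
#      a lockfile whose checksum does not match the download
#   3. `provenance = "github-attestations"` is written only when attestation
#      verification is enabled
#   4. a lockfile that claims verified provenance cannot be installed with
#      verification switched off (downgrade detection)
#
# Environment expected from the e2e harness (not set in this file):
#   MISE_DATA_DIR  - mise data dir; installs/python under it is removed between
#                    cases so each install must download again
#   MISE_PLATFORM  - platform key passed to --platform; presumably set by
#                    detect_platform (NOTE(review): confirm in the harness)
# detect_platform, assert, assert_contains, assert_fail and
# assert_fail_contains are harness helpers, not defined here.
export MISE_LOCKFILE=1
export MISE_PYTHON_GITHUB_ATTESTATIONS=0

detect_platform

#######################################
# Write the minimal mise.toml used by every case: python pinned to 3.13.5.
# Outputs:   overwrites ./mise.toml
#######################################
write_python_config() {
  printf '[tools]\npython = "3.13.5"\n' >mise.toml
}

#######################################
# Remove the installed python so the next `mise install` has to download.
# Globals:   MISE_DATA_DIR (read; must be set and non-empty)
#######################################
reset_python_install() {
  # ${VAR:?} aborts rather than expanding to "/installs/python" when unset
  rm -rf -- "${MISE_DATA_DIR:?}/installs/python"
}

write_python_config
rm -f mise.lock

output=$(mise lock --platform "$MISE_PLATFORM" 2>&1)
assert_contains "echo '$output'" "Processing 1 tool(s)"

# Verify lockfile has URL and checksum for python
assert_contains "cat mise.lock" "\"platforms.$MISE_PLATFORM\""
assert_contains "cat mise.lock" "github.com/astral-sh/python-build-standalone/releases/download"
assert_contains "cat mise.lock" "sha256:"

echo "Lockfile content after mise lock:"
cat mise.lock

echo "=== Testing that mise install verifies checksum against existing lockfile ==="
reset_python_install
mise install python -f
# The URL and checksum written by `mise lock` must survive the install
assert_contains "cat mise.lock" "github.com/astral-sh/python-build-standalone/releases/download"
assert_contains "cat mise.lock" "sha256:"

echo "Lockfile content after mise install:"
cat mise.lock

echo "=== Testing that install obeys the lockfile URL (not recomputed) ==="
# Replace the URL in the lockfile with a deliberately wrong URL.
# If install obeys the lockfile URL, it will try to download from
# this fake URL and fail. If it recomputes the URL, it would succeed.
awk '
    /^url = "https:\/\/github.com\/astral-sh\/python-build-standalone/ {
        print "url = \"https://github.com/astral-sh/python-build-standalone/releases/download/fake-tag/fake-python.tar.gz\""
        next
    }
    { print }
' mise.lock >mise.lock.tmp && mv mise.lock.tmp mise.lock

assert_contains "cat mise.lock" "fake-tag/fake-python.tar.gz"

reset_python_install
# The failure message must name the fake URL, proving it was the one fetched
assert_fail_contains "mise install python -f" "fake-tag/fake-python.tar.gz"

# Regenerate a fresh lockfile for subsequent tests
rm -f mise.lock
mise lock --platform "$MISE_PLATFORM"

echo "=== Testing checksum verification rejects corrupted checksums ==="
# Corrupt the checksum in the lockfile to verify that install catches it.
# Replace the real sha256 hash with a bogus value using awk.
awk '
    /^checksum = "sha256:/ { print "checksum = \"sha256:0000000000000000000000000000000000000000000000000000000000000000\""; next }
    { print }
' mise.lock >mise.lock.tmp && mv mise.lock.tmp mise.lock

assert_contains "cat mise.lock" "sha256:0000000000000000000000000000000000000000000000000000000000000000"

# Install with corrupted checksum should fail with a checksum mismatch error.
# assert_fail_contains (as used for the other message checks in this file)
# so the "Checksum mismatch" text is actually asserted, not just the failure.
reset_python_install
assert_fail_contains "mise install python -f" "Checksum mismatch"

rm -f mise.lock mise.toml

echo "Python lockfile URL test passed!"

echo "=== Testing provenance recorded in lockfile when enabled ==="
export MISE_PYTHON_GITHUB_ATTESTATIONS=1

write_python_config

mise lock --platform "$MISE_PLATFORM"
assert "test -f mise.lock"
assert_contains "cat mise.lock" 'provenance = "github-attestations"'

echo "Lockfile with provenance:"
cat mise.lock

rm -f mise.lock mise.toml
unset MISE_PYTHON_GITHUB_ATTESTATIONS

echo "Python provenance lockfile test passed!"

echo "=== Testing provenance NOT recorded when disabled ==="
export MISE_PYTHON_GITHUB_ATTESTATIONS=0
export MISE_GITHUB_ATTESTATIONS=0

write_python_config

mise lock --platform "$MISE_PLATFORM"
assert "test -f mise.lock"
# provenance should not appear in lockfile when disabled
assert_fail "grep -q 'provenance' mise.lock"

rm -f mise.lock mise.toml
unset MISE_PYTHON_GITHUB_ATTESTATIONS
unset MISE_GITHUB_ATTESTATIONS

echo "Python provenance disabled test passed!"

echo "=== Testing provenance downgrade attack detection ==="
write_python_config

# Generate lockfile with all platforms (so the current platform is included)
mise lock
assert "test -f mise.lock"

# Inject provenance into ALL platform sections (simulating a previously-verified install).
# in_section is set on each [tools.python."platforms.…] header and cleared on
# any other section header; an existing provenance line inside such a section
# is dropped before the injected one is printed after the header.
awk '
    /^provenance/ && in_section { next }
    { print }
    /^\[tools\.python\."platforms\./ { in_section=1; print "provenance = \"github-attestations\"" }
    /^\[/ && !/^\[tools\.python\."platforms\./ { in_section=0 }
' mise.lock >mise.lock.tmp && mv mise.lock.tmp mise.lock
assert_contains "cat mise.lock" 'provenance = "github-attestations"'

# Attempt install with provenance verification disabled.
# The lockfile says provenance was verified, but settings are off,
# so mise should refuse to install (downgrade/stripping attack).
reset_python_install
export MISE_PYTHON_GITHUB_ATTESTATIONS=0
export MISE_GITHUB_ATTESTATIONS=0
assert_fail_contains "mise install 2>&1" "downgrade attack"

echo "=== Cleanup ==="
unset MISE_PYTHON_GITHUB_ATTESTATIONS
unset MISE_GITHUB_ATTESTATIONS
rm -f mise.lock mise.toml

echo "Python provenance downgrade attack test passed!"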
