# End-to-end test: age-keyserver publishing to a transparency log that is
# cosigned by one local witness (litewitness), driven through hurl requests.
# NOTE(review): every key and secret below is a fixture committed in cleartext
# for this test only; none of these values may be reused in a real deployment.

# start witness
# Register the log origin with the witness, then the log's public verifier key.
# The key carries the same name and key hash (5800330c) as the private LOG_KEY
# set for age-keyserver further down.
exec witnessctl add-log -origin example.com
exec witnessctl add-key -origin example.com -key example.com+5800330c+ARPRGiaIwfx6xka5nXhdD/rqojPMjrjhm7OCuy+03Ymz
# Run a dedicated ssh-agent on a socket under $WORK so the test does not touch
# the developer's own agent. The leading "!" expects a non-zero exit.
env SSH_AUTH_SOCK=$WORK/sock
! exec ssh-agent -a $SSH_AUTH_SOCK -D & # ssh-agent always exits 2
waitfor $SSH_AUTH_SOCK
# Presumably required because ssh-add rejects private key files whose mode is
# too permissive — confirm against the mode testscript gives extracted files.
chmod 600 witness_key.pem
exec ssh-add witness_key.pem
# litewitness is pointed at the agent socket rather than at the key file.
# NOTE(review): -key looks like an identifier selecting the agent key (a hash
# of the public key, not secret material) — confirm.
exec litewitness -ssh-agent=$SSH_AUTH_SOCK -listen localhost:7390 -name=example.com/witness -key=e933707e0e36c30f01d94b5d81e742da373679d88eb0f85f959ccd80b83b992a &
waitfor localhost:7390

# start age-keyserver with test hCaptcha secret
# The all-zero value is hCaptcha's published test secret; it pairs with the
# test response token used in login.hurl.
# NOTE(review): if the server validates tokens against the hCaptcha service,
# the login tests need outbound network access — confirm for sandboxed CI.
env HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000
# Log signing key (note the PRIVATE+KEY prefix) and VRF key: test-only secrets.
env LOG_KEY=PRIVATE+KEY+example.com+5800330c+AaAoObvamoDOmN6c30Xh9pH1e/xqKcsU+fNmthQ8qmvM
# Policy file below requires a cosignature from the witness started above.
env LOG_WITNESS_POLICY=witness_policy.txt
env VRF_KEY=vni5C6++aVMFR5tg3bwvLamWlhJEmVrtNT7uNeyo6gQ=
# "&srv&" runs the server in the background under the name srv, so the final
# "wait srv" can collect this process and its stderr.
exec age-keyserver -db=$WORK/test.sqlite3 -listen=localhost:13892 &srv&
waitfor http://localhost:13892/

# test basic pages are accessible
exec hurl --test --error-format long pages.hurl

# test tlog endpoints
exec hurl --test --error-format long tlog.hurl

# test lookup endpoints
exec hurl --test --error-format long lookup.hurl

# test login endpoint
exec hurl --test --error-format long login.hurl

# test API endpoints with invalid auth
exec hurl --test --error-format long api-invalid-auth.hurl

# check that age-keyserver shut down cleanly
# killall presumably signals the background processes (custom command, not
# defined in this file); the stderr check then requires the server to have
# logged 'shutting down' rather than having been terminated abruptly.
killall
wait srv
stderr 'shutting down'


-- witness_key.pem --
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtz
c2gtZWQyNTUxOQAAACBkhIrYq+1uhZgbOzh1slK4dn67SwL3A6yjsecbvWqOUAAA
AIgN5+09DeftPQAAAAtzc2gtZWQyNTUxOQAAACBkhIrYq+1uhZgbOzh1slK4dn67
SwL3A6yjsecbvWqOUAAAAEAx/8IRbsvgA6yqgAq3B1e9fVMgbj/r72ptB5bZVTCz
T2SEitir7W6FmBs7OHWyUrh2frtLAvcDrKOx5xu9ao5QAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----


-- witness_policy.txt --
witness W example.com/witness+10a1c019+BGSEitir7W6FmBs7OHWyUrh2frtLAvcDrKOx5xu9ao5Q http://localhost:7390
quorum W


-- pages.hurl --
# Smoke tests: each page must answer 200 to an unauthenticated GET.
# Only the status code is checked, not the page content.

# Test home page
GET http://localhost:13892/
HTTP 200

# Test manage page
GET http://localhost:13892/manage
HTTP 200

# Test static files are accessible
GET http://localhost:13892/static/style.css
HTTP 200


-- tlog.hurl --
# The checkpoint must carry a signature line for the log (example.com) and a
# cosignature line for the witness (example.com/witness).
# NOTE(review): these asserts match on the signer names only; they do not
# verify the signatures themselves, so a malformed signature would still pass.
GET http://localhost:13892/tlog/checkpoint
HTTP 200
[Asserts]
body contains "— example.com "
body contains "— example.com/witness "


-- lookup.hurl --
# Error paths of /api/lookup only: no key is ever registered in this test
# (every setkey request in this file is rejected), so the success path is not
# exercised here.

# Test lookup - missing email parameter
GET http://localhost:13892/api/lookup
HTTP 400
[Asserts]
body contains "Email parameter required"

# Test lookup - key not found
GET http://localhost:13892/api/lookup?email=nonexistent@example.com
HTTP 404
[Asserts]
body contains "No key found"


-- login.hurl --
# Login form checks. 10000000-aaaa-bbbb-cccc-000000000001 is hCaptcha's
# published test response token; it pairs with the all-zero test secret that
# the script sets in HCAPTCHA_SECRET.

# Test login - missing email
# A passing captcha token is sent so the 400 is attributable to the missing
# email field alone.
POST http://localhost:13892/login
[FormParams]
h-captcha-response: 10000000-aaaa-bbbb-cccc-000000000001
HTTP 400
[Asserts]
body contains "Email is required"

# Test login - missing captcha
POST http://localhost:13892/login
[FormParams]
email: test@example.com
HTTP 400
[Asserts]
body contains "Captcha verification failed"

# Test login - invalid captcha
# Same error body as the missing-captcha case: an absent token and a bad token
# are not distinguished in the response.
POST http://localhost:13892/login
[FormParams]
email: test@example.com
h-captcha-response: invalid-captcha-token
HTTP 400
[Asserts]
body contains "Captcha verification failed"

# Test login - valid request with test hCaptcha response
# Only the echoed address is asserted; whatever the server does after a
# successful login (for example sending a message) is not checked here.
POST http://localhost:13892/login
[FormParams]
email: test@example.com
h-captcha-response: 10000000-aaaa-bbbb-cccc-000000000001
HTTP 200
[Asserts]
body contains "test@example.com"


-- api-invalid-auth.hurl --
# Negative authentication tests: every request must be rejected with 401 and
# the same "Invalid or expired" body, so the response does not reveal which
# check failed.
# NOTE(review): ts 123456789 is 1973-11-29 UTC, so in the two "invalid" cases
# below both the signature and the timestamp are bad; these requests cannot
# show which of the two checks rejected them.

# Test verify-token with invalid token
POST http://localhost:13892/api/verify-token
Content-Type: application/json
{
  "email": "test@example.com",
  "sig": "invalid-sig",
  "ts": "123456789"
}
HTTP 401
[Asserts]
body contains "Invalid or expired"

# Test setkey with invalid auth
POST http://localhost:13892/setkey
[FormParams]
email: test@example.com
sig: invalid-sig
ts: 123456789
pubkey: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
HTTP 401
[Asserts]
body contains "Invalid or expired"

# Test setkey with expired token (timestamp from 2020)
# ts 1577836800 is 2020-01-01 00:00:00 UTC.
# NOTE(review): "somevalidsig" is a placeholder, not a signature made with the
# server's key, so this request may be rejected on the signature alone. To
# cover the expiry check on its own, the test needs a genuinely valid
# signature over an old timestamp — confirm against the server's check order.
POST http://localhost:13892/setkey
[FormParams]
email: test@example.com
sig: somevalidsig
ts: 1577836800
pubkey: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
HTTP 401
[Asserts]
body contains "Invalid or expired"
