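#!/bin/bash
# test-network-policy.sh — Basic network policy test
#
# Usage: ./test/integration/test-network-policy.sh <path-to-iso>
#
# Boots the given ISO under QEMU, waits for the node to become Ready, creates
# a namespace with a busybox "web" pod and applies a deny-all NetworkPolicy.
#
# What this test proves: the API server accepts NetworkPolicy objects.
# What it does NOT prove: that traffic is actually filtered. Enforcement is
# the CNI's job; a cluster whose CNI ignores NetworkPolicy still accepts the
# object and passes this test.
# TODO(review): add a client-pod connectivity probe before and after the
# policy is applied to turn this into a real enforcement test.
#
# Requires: kubectl, qemu-system-x86_64, mkfs.ext4 on the host.
# Environment: TIMEOUT_K8S (seconds, default 300), TIMEOUT_POD (seconds, default 120).
set -euo pipefail

ISO="${1:?Usage: $0 <path-to-iso>}"
[ -f "$ISO" ] || { echo "==> FAIL: ISO not found: $ISO" >&2; exit 2; }
TIMEOUT_K8S=${TIMEOUT_K8S:-300}  # seconds to wait for the node Ready condition
TIMEOUT_POD=${TIMEOUT_POD:-120}  # seconds to wait for the web pod to reach Running
readonly API_PORT=6443           # host port forwarded to the guest API server
readonly KC_PORT=8080            # host port forwarded to the guest kubeconfig endpoint

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck disable=SC2034  # not read here; kept in case sourced helpers use it
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# Provides extract_kernel_from_iso, detect_kvm, wait_for_boot and
# fetch_kubeconfig (used below).
# shellcheck source=../lib/qemu-helpers.sh
. "$SCRIPT_DIR/../lib/qemu-helpers.sh"

# All globals that cleanup() touches are initialised *before* the trap is
# installed, so cleanup is safe under `set -u` on every exit path, including
# a failure while the scratch disk is still being created.
DATA_DISK=""
SERIAL_LOG=""
QEMU_PID=""
EXTRACT_DIR=""
KUBECONFIG_FILE=""

#######################################
# Tear down on exit: test namespace, QEMU process and temp files.
# Runs from the EXIT trap, so every step is best-effort.
# Globals:  DATA_DISK, SERIAL_LOG, QEMU_PID, EXTRACT_DIR, KUBECONFIG_FILE (read)
# Returns:  always 0 (the trap must not mask the script's own exit status)
#######################################
cleanup() {
  if [ -n "$KUBECONFIG_FILE" ] && [ -f "$KUBECONFIG_FILE" ]; then
    kubectl --kubeconfig="$KUBECONFIG_FILE" --insecure-skip-tls-verify \
      delete namespace netpol-test 2>/dev/null || true
  fi
  if [ -n "$QEMU_PID" ]; then
    kill "$QEMU_PID" 2>/dev/null || true
    wait "$QEMU_PID" 2>/dev/null || true  # reap the child before removing its files
  fi
  # NOTE(review): the serial log is removed even on failure; keep it when
  # debugging boot problems.
  [ -n "$DATA_DISK" ] && rm -f -- "$DATA_DISK"
  [ -n "$SERIAL_LOG" ] && rm -f -- "$SERIAL_LOG"
  [ -n "$KUBECONFIG_FILE" ] && rm -f -- "$KUBECONFIG_FILE"
  [ -n "$EXTRACT_DIR" ] && rm -rf -- "$EXTRACT_DIR"
  return 0
}
trap cleanup EXIT

# Scratch data disk for the guest: 2 GiB raw image, ext4, labelled KSOLODATA.
DATA_DISK=$(mktemp /tmp/kubesolo-data-XXXXXX.img)
dd if=/dev/zero of="$DATA_DISK" bs=1M count=2048 2>/dev/null
mkfs.ext4 -q -L KSOLODATA "$DATA_DISK" 2>/dev/null
SERIAL_LOG=$(mktemp /tmp/kubesolo-netpol-XXXXXX.log)

echo "==> Network policy test: $ISO"

# Extract kernel + initramfs from the ISO.
EXTRACT_DIR="$(mktemp -d /tmp/kubesolo-extract-XXXXXX)"
extract_kernel_from_iso "$ISO" "$EXTRACT_DIR"
# VMLINUZ / INITRAMFS are presumably set by extract_kernel_from_iso — confirm
# in qemu-helpers.sh; under `set -u` the qemu command below fails otherwise.
KVM_FLAG=$(detect_kvm)

# Launch QEMU. Forwarded guest ports are bound to the host *loopback* only:
# with an empty host address QEMU listens on all interfaces, which would expose
# the API server and the kubeconfig endpoint to the host's network for the
# lifetime of the test. fetch_kubeconfig is assumed to connect via localhost —
# confirm in qemu-helpers.sh.
# shellcheck disable=SC2086  # KVM_FLAG is intentionally word-split (may be empty or several args)
qemu-system-x86_64 \
  -m 2048 -smp 2 \
  -nographic \
  $KVM_FLAG \
  -kernel "$VMLINUZ" \
  -initrd "$INITRAMFS" \
  -drive "file=$DATA_DISK,format=raw,if=virtio" \
  -net "nic,model=virtio" \
  -net "user,hostfwd=tcp:127.0.0.1:${API_PORT}-:6443,hostfwd=tcp:127.0.0.1:${KC_PORT}-:8080" \
  -serial "file:$SERIAL_LOG" \
  -append "console=ttyS0,115200n8 kubesolo.data=/dev/vda kubesolo.debug" \
  &
QEMU_PID=$!

# Wait for boot, then pull the kubeconfig out of the guest.
echo " Waiting for boot..."
wait_for_boot "$SERIAL_LOG" "$QEMU_PID" 180 || exit 1
KUBECONFIG_FILE=$(mktemp /tmp/kubesolo-kubeconfig-XXXXXX.yaml)
fetch_kubeconfig "$KC_PORT" "$KUBECONFIG_FILE" || exit 1
# --insecure-skip-tls-verify: the guest's serving certificate is presumably
# not valid for the forwarded localhost endpoint. Tolerable here only because
# the endpoint is bound to loopback above.
KUBECTL=(kubectl --kubeconfig="$KUBECONFIG_FILE" --insecure-skip-tls-verify)

# Wait for the node to report Ready.
echo " Waiting for K8s node Ready..."
ELAPSED=0
while [ "$ELAPSED" -lt "$TIMEOUT_K8S" ]; do
  # Read the Ready condition explicitly: a plain grep for "Ready" on the
  # table output also matches "NotReady".
  if "${KUBECTL[@]}" get nodes \
       -o jsonpath='{.items[*].status.conditions[?(@.type=="Ready")].status}' \
       2>/dev/null | grep -qw True; then
    break
  fi
  sleep 5
  ELAPSED=$((ELAPSED + 5))
done
if [ "$ELAPSED" -ge "$TIMEOUT_K8S" ]; then
  echo "==> FAIL: K8s not ready within ${TIMEOUT_K8S}s"
  exit 1
fi
echo " K8s ready (${ELAPSED}s)"

# Create the test namespace (idempotent; deleted again by cleanup).
"${KUBECTL[@]}" create namespace netpol-test 2>/dev/null || true

# Create a web server pod.
echo "==> Creating web server pod..."
"${KUBECTL[@]}" apply -n netpol-test -f - << 'YAML'
apiVersion: v1
kind: Pod
metadata:
  name: web
  labels:
    app: web
spec:
  containers:
    - name: web
      # NOTE(review): "latest" is a mutable tag; pin a digest for reproducible CI.
      image: busybox:latest
      command: ["sh", "-c", "echo 'hello' | nc -l -p 80; sleep 3600"]
      ports:
        - containerPort: 80
YAML

# Wait for the pod to reach Running.
ELAPSED=0
STATUS=""
while [ "$ELAPSED" -lt "$TIMEOUT_POD" ]; do
  STATUS=$("${KUBECTL[@]}" get pod -n netpol-test web \
    -o jsonpath='{.status.phase}' 2>/dev/null || echo "")
  [ "$STATUS" = "Running" ] && break
  sleep 5
  ELAPSED=$((ELAPSED + 5))
done
if [ "$STATUS" != "Running" ]; then
  echo "==> FAIL: Web pod not running (status: $STATUS)"
  exit 1
fi
echo " Web pod running"

# Apply a deny-all NetworkPolicy (empty podSelector = every pod in the namespace).
echo "==> Applying deny-all NetworkPolicy..."
"${KUBECTL[@]}" apply -n netpol-test -f - << 'YAML'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
YAML

# Verify the object exists. This confirms API acceptance only; whether the
# CNI enforces it is not checked (see header).
if "${KUBECTL[@]}" get networkpolicy -n netpol-test deny-all >/dev/null 2>&1; then
  echo "==> PASS: NetworkPolicy created successfully"
  echo " NetworkPolicy resources are supported by the cluster"
  exit 0
else
  echo "==> FAIL: NetworkPolicy creation failed"
  exit 1
fi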