#!/bin/bash

###
# basic install and run test for atomic registry quickstart image
# run with "uninstall" argument to test tear down after test
###

# $1 is optional hostname override

set -o errexit
set -o pipefail
set -x

# we're going to use this for testing
# node ports aren't working with boxes default hostname localdomain.localhost
MASTER_CONTAINER=${1:-atomic-registry-master}
HOST=${2:-`hostname`}
CMD="docker exec -i ${MASTER_CONTAINER}"

USER=mary
PROJ=mary-project

function test_push() {
  # login as $USER and do a basic docker workflow
  $CMD oc login -u ${USER} -p test
  $CMD oc new-project ${PROJ}
  $CMD oc policy add-role-to-group registry-viewer system:authenticated
  TOKEN=$($CMD oc whoami -t)
  docker login -p ${TOKEN} -u unused -e test@example.com ${HOST}:5000
  docker pull busybox
  docker tag busybox ${HOST}:5000/${PROJ}/busybox
  docker push ${HOST}:5000/${PROJ}/busybox
  docker rmi busybox ${HOST}:5000/${PROJ}/busybox
  docker logout
}

function test_cannot_push() {
  # in shared mode...
  # we pull $USERS's image, tag and try to push
  # bob shouldn't be able to push
  $CMD oc login -u bob -p test
  TOKEN=$($CMD oc whoami -t)
  docker login -p ${TOKEN} -u unused -e test@example.com ${HOST}:5000
  docker pull ${HOST}:5000/${PROJ}/busybox
  docker tag ${HOST}:5000/${PROJ}/busybox ${HOST}:5000/${PROJ}/busybox:evil
  if docker push ${HOST}:5000/${PROJ}/busybox:evil; then
    echo "registry-viewer user should not have been able to push to repo"
    docker logout
    exit 1
  fi
  docker rmi ${HOST}:5000/${PROJ}/busybox ${HOST}:5000/${PROJ}/busybox:evil
  docker logout
}

# first we need to patch for the vagrant port mapping 443 -> 1443
$CMD oc login -u system:admin
$CMD oc patch oauthclient cockpit-oauth-client -p '{ "redirectURIs": [ "https://'"${HOST}"':1443" ] }'

test_push
test_cannot_push