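#!/usr/bin/env sh
# Smoke test for scripts/docker-image/verify_archive.sh.
#
# Builds a throwaway artifact directory (zstd archive, .sha256 sidecar,
# manifest.json) under a private temp dir, checks that the verifier accepts
# it, then checks that the verifier rejects three tampered copies:
#   1. sidecar checksum that does not match the archive
#   2. manifest checksum that does not match the archive
#   3. archive whose bytes are not a zstd stream
#
# Requires: jq, sha256sum, zstd.
set -eu

repo_root="$(cd "$(dirname "$0")/.." && pwd)"
verify_script="$repo_root/scripts/docker-image/verify_archive.sh"
tmp_root="$(mktemp -d)"

# Remove the scratch directory. ${tmp_root:?} aborts instead of expanding to
# an empty path if the variable were ever unset or empty.
cleanup() {
  rm -rf -- "${tmp_root:?}"
}

# The EXIT trap does the cleanup. INT/TERM only convert the signal into an
# exit; a handler that merely returned would let the script carry on against
# a directory that had just been deleted.
trap cleanup EXIT
trap 'exit 130' INT
trap 'exit 143' TERM

# Abort with a message on stderr unless command $1 is on PATH.
require_command() {
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s\n' "required command not found: $1" >&2
    exit 1
  fi
}

# Run "$@" with output discarded; abort if it exits 0.
# Any non-zero status counts as a pass, so each negative case below must
# differ from the valid artifact in exactly one property, otherwise it
# cannot show which check did the rejecting.
assert_fails() {
  if "$@" >/dev/null 2>&1; then
    printf '%s\n' "expected command to fail: $*" >&2
    exit 1
  fi
}

require_command jq
require_command sha256sum
require_command zstd

# --- Valid artifact -------------------------------------------------------
artifact_dir="$tmp_root/baron_sso/backend/v1.2606.ab12"
mkdir -p "$artifact_dir"

printf 'docker image archive smoke\n' >"$artifact_dir/image.tar"
zstd -q -f -o "$artifact_dir/image.tar.zst" "$artifact_dir/image.tar"
rm -f "$artifact_dir/image.tar"

archive_sha256="$(sha256sum "$artifact_dir/image.tar.zst" | awk '{print $1}')"
archive_size="$(wc -c <"$artifact_dir/image.tar.zst" | tr -d ' ')"

# NOTE(review): the sidecar is written with a single space between digest and
# file name, as shown here; sha256sum itself emits two. Confirm the verifier's
# parser accepts this form.
printf '%s image.tar.zst\n' "$archive_sha256" >"$artifact_dir/image.tar.zst.sha256"

jq -n \
  --arg remotePath "docker-build-image/baron_sso/backend/v1.2606.ab12" \
  --arg archiveSha256 "$archive_sha256" \
  --argjson archiveSize "$archive_size" \
  '{
    schema_version: 1,
    format: "docker-save-zstd",
    image_ref: "reg.hmac.kr/baron_sso/backend:v1.2606.ab12",
    repository: "baron_sso/backend",
    tag: "v1.2606.ab12",
    remote_path: $remotePath,
    archive: {
      file_name: "image.tar.zst",
      size_bytes: $archiveSize,
      sha256: $archiveSha256
    }
  }' >"$artifact_dir/manifest.json"

# Positive case: runs outside assert_fails, so under `set -e` a missing or
# broken verifier stops the test here rather than making the negative cases
# pass for the wrong reason.
"$verify_script" "$artifact_dir" >/dev/null

# --- Negative case 1: sidecar checksum disagrees with the archive ----------
bad_checksum_dir="$tmp_root/bad-checksum"
cp -R "$artifact_dir" "$bad_checksum_dir"
printf '0000000000000000000000000000000000000000000000000000000000000000 image.tar.zst\n' \
  >"$bad_checksum_dir/image.tar.zst.sha256"
assert_fails "$verify_script" "$bad_checksum_dir"

# --- Negative case 2: manifest checksum disagrees with the archive ---------
bad_manifest_dir="$tmp_root/bad-manifest"
cp -R "$artifact_dir" "$bad_manifest_dir"
jq '.archive.sha256 = "1111111111111111111111111111111111111111111111111111111111111111"' \
  "$bad_manifest_dir/manifest.json" \
  >"$bad_manifest_dir/manifest.json.tmp"
mv "$bad_manifest_dir/manifest.json.tmp" "$bad_manifest_dir/manifest.json"
assert_fails "$verify_script" "$bad_manifest_dir"

# --- Negative case 3: archive bytes are not a zstd stream ------------------
# Both the sidecar AND the manifest are re-pointed at the corrupt file, so
# every metadata check agrees with the bytes on disk and only a check of the
# stream itself can reject the artifact. Updating the sidecar alone would
# leave the manifest digest/size stale, and the manifest comparison exercised
# by case 2 would reject the directory on its own; the case would then pass
# even if the verifier never looked at the stream. If this case starts
# failing, the verifier is accepting an internally consistent artifact whose
# payload is not a zstd stream.
bad_archive_dir="$tmp_root/bad-archive"
cp -R "$artifact_dir" "$bad_archive_dir"
printf 'not a zstd stream\n' >"$bad_archive_dir/image.tar.zst"

bad_archive_sha256="$(sha256sum "$bad_archive_dir/image.tar.zst" | awk '{print $1}')"
bad_archive_size="$(wc -c <"$bad_archive_dir/image.tar.zst" | tr -d ' ')"
printf '%s image.tar.zst\n' "$bad_archive_sha256" >"$bad_archive_dir/image.tar.zst.sha256"

jq \
  --arg archiveSha256 "$bad_archive_sha256" \
  --argjson archiveSize "$bad_archive_size" \
  '.archive.sha256 = $archiveSha256 | .archive.size_bytes = $archiveSize' \
  "$bad_archive_dir/manifest.json" \
  >"$bad_archive_dir/manifest.json.tmp"
mv "$bad_archive_dir/manifest.json.tmp" "$bad_archive_dir/manifest.json"
assert_fails "$verify_script" "$bad_archive_dir"

echo "docker image archive verification checks passed"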