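#!/usr/bin/env bash
# Run all connection tests: validations, DNS, SSL, E2E routing, NPMplus FQDN+SSL, Fastly/origin.
# Tests in both directions: public → origin (76.53.10.36) and per-FQDN DNS + SSL + HTTP.
#
# Usage: bash scripts/verify/run-full-connection-and-fastly-tests.sh [--skip-npmplus-api]
#   --skip-npmplus-api  Skip NPMplus API config export (requires NPM_PASSWORD and LAN)
#
# Exit status: 0 when every critical check passed, 1 when a critical check
# (config validation, IP/gateway validation, DNS resolution) failed.
# Every other step only warns and never changes the exit status.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"

# Optional overrides (e.g. PUBLIC_IP). The file is executed as shell code in
# this process, so it has to be as trusted as this script itself. A missing or
# failing file is tolerated and the defaults below apply.
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

PUBLIC_IP="${PUBLIC_IP:-76.53.10.36}"
SKIP_NPMPLUS_API=false
if [[ "${1:-}" == "--skip-npmplus-api" ]]; then
  SKIP_NPMPLUS_API=true
fi

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Status printers. Only the colour codes go through %b; the message is printed
# with %s so that values taken from config, DNS or curl are never interpreted
# as escape sequences.
ok()   { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$1"; }
fail() { printf '%b[✗]%b %s\n' "$RED" "$NC" "$1"; }
warn() { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$1"; }
info() { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"; }

# Print the 3-digit HTTP status curl obtained, or 000 when there was none.
# Arguments: extra curl options followed by the URL.
# When curl fails it has usually already written 000 through -w, so the
# fallback echo yields "000000"; keeping the first three characters gives one
# clean code in every case.
http_code() {
  local code
  code=$(curl -s -o /dev/null -w "%{http_code}" "$@" 2>/dev/null || echo "000")
  printf '%s\n' "${code:0:3}"
}

echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Full connection tests: validations, DNS, SSL, E2E, NPMplus FQDN+SSL, Fastly/origin"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Set to 1 by any critical check that fails; becomes the exit status.
FAIL=0

# 1) Validations
info "1. Validations (deps, config, IPs/gateways)"
if bash scripts/verify/check-dependencies.sh >/dev/null 2>&1; then
  ok "Dependencies"
else
  warn "Some optional deps missing"
fi
if bash scripts/validation/validate-config-files.sh >/dev/null 2>&1; then
  ok "Config files"
else
  fail "Config validation"
  FAIL=1
fi
if bash scripts/validation/validate-ips-and-gateways.sh >/dev/null 2>&1; then
  ok "IPs and gateways"
else
  fail "IP/gateway validation"
  FAIL=1
fi
echo ""

# 2) Fastly / origin reachability (76.53.10.36:80 and :443 from this host)
info "2. Fastly origin reachability (public IP $PUBLIC_IP:80 and :443)"
HTTP_CODE=$(http_code --connect-timeout 5 "http://${PUBLIC_IP}/")
# -k: the request goes to the bare IP, so no certificate name can match. This
# step therefore proves only that port 443 answers; it says nothing about
# certificate validity. Certificates are verified in step 4, which omits -k.
HTTPS_CODE=$(http_code -k --connect-timeout 5 "https://${PUBLIC_IP}/")

# 20x and 30x count as reachable (301 and 302 are covered by the pattern).
if [[ "$HTTP_CODE" =~ ^[23]0[0-9]$ ]]; then
  ok "Origin HTTP $PUBLIC_IP:80 → $HTTP_CODE"
elif [[ "$HTTP_CODE" == "000" ]]; then
  warn "Origin HTTP $PUBLIC_IP:80 unreachable (expected if run off-LAN or firewall)"
else
  warn "Origin HTTP → $HTTP_CODE"
fi

if [[ "$HTTPS_CODE" =~ ^[23]0[0-9]$ ]]; then
  ok "Origin HTTPS $PUBLIC_IP:443 → $HTTPS_CODE"
elif [[ "$HTTPS_CODE" == "000" ]]; then
  warn "Origin HTTPS $PUBLIC_IP:443 unreachable"
else
  warn "Origin HTTPS → $HTTPS_CODE"
fi
echo ""

# 3) FQDN DNS resolution (key NPMplus-served domains)
info "3. FQDN DNS resolution (key domains → $PUBLIC_IP or any)"
DOMAINS=(
  "dbis-admin.d-bis.org"
  "explorer.d-bis.org"
  "rpc-http-pub.d-bis.org"
  "sankofa.nexus"
  "mim4u.org"
)
for d in "${DOMAINS[@]}"; do
  # Ask 8.8.8.8 directly and keep the first IPv4 answer; CNAME lines from
  # dig +short are dropped by the grep. A missing dig also ends up here as
  # "no resolution" because of the trailing `|| true`.
  RESOLVED=$(dig +short "$d" @8.8.8.8 2>/dev/null \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
    | head -1 || true)
  if [[ -z "$RESOLVED" ]]; then
    fail "DNS $d → no resolution"
    FAIL=1
  elif [[ "$RESOLVED" == "$PUBLIC_IP" ]]; then
    ok "DNS $d → $RESOLVED"
  else
    ok "DNS $d → $RESOLVED (Fastly or other edge)"
  fi
done
echo ""

# 4) NPMplus SSL and HTTPS (per FQDN – same as E2E but explicit)
# curl runs without -k here, so the certificate chain and host name are
# verified. A TLS verification failure produces no HTTP response, comes back
# as 000 and is reported as "unreachable" just like a connection failure.
# NOTE(review): this step only warns and never sets FAIL, so an invalid or
# expired certificate does not affect the exit status — confirm that is intended.
info "4. NPMplus SSL and HTTPS (FQDN → SSL + HTTP)"
for d in "${DOMAINS[@]}"; do
  CODE=$(http_code -L --connect-timeout 10 "https://${d}/")
  # Any 2xx/3xx/4xx is accepted; presumably a 4xx still shows that TLS and
  # routing reached a server.
  if [[ "$CODE" =~ ^[234][0-9][0-9]$ ]]; then
    ok "HTTPS $d → $CODE"
  elif [[ "$CODE" == "000" ]]; then
    warn "HTTPS $d unreachable"
  else
    warn "HTTPS $d → $CODE"
  fi
done
echo ""

# 5) End-to-end routing (full domain list: DNS, SSL, HTTPS, RPC where applicable)
# When only RPC fails (edge blocks POST), treat as success so full run passes
info "5. End-to-end routing (all domains)"
if E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public 2>&1; then
  ok "E2E routing completed"
else
  warn "E2E routing had failures (see above)"
fi
echo ""

# 6) NPMplus API export (optional; requires LAN + NPM_PASSWORD)
if [[ "$SKIP_NPMPLUS_API" != true ]]; then
  info "6. NPMplus config export (API)"
  if bash scripts/verify/export-npmplus-config.sh 2>/dev/null; then
    ok "NPMplus config export OK"
  else
    warn "NPMplus config export failed (need LAN + NPM_PASSWORD)"
  fi
else
  info "6. NPMplus API skipped (--skip-npmplus-api)"
fi
echo ""

# 7) UDM Pro port forwarding (public IP test)
info "7. UDM Pro port forwarding verification"
if bash scripts/verify/verify-udm-pro-port-forwarding.sh 2>/dev/null; then
  ok "UDM Pro verification completed"
else
  warn "UDM Pro verification had warnings"
fi
echo ""

echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
if [[ "$FAIL" -eq 0 ]]; then
  ok "All critical checks passed"
else
  fail "Some checks failed"
fi
echo ""

# Propagate the verdict so a wrapper or CI job cannot mistake a failed
# verification for a passing one.
exit "$FAIL"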