# flake8: noqa
# isort: skip_file
import uuid

generate_marker = lambda: uuid.uuid4().hex
import requests

import cwes
from scenarios.base import AppInstance


def register_box(
    app: AppInstance,
    name: str,
    length: float,
    width: float,
    height: float,
    max_weight: float,
) -> requests.Response:
    url = f"http://localhost:{app.port}/boxes"
    payload = {
        "name": name,
        "length": length,
        "width": width,
        "height": height,
        "maxWeight": max_weight,
    }
    return requests.post(url, json=payload)


def create_manifest(app: AppInstance, reference_id: str) -> requests.Response:
    url = f"http://localhost:{app.port}/manifests"
    return requests.post(url, json={"referenceId": reference_id})


def add_item(
    app: AppInstance,
    manifest_id: str,
    item_id: str,
    length: float,
    width: float,
    height: float,
    weight: float,
    quantity: int = 1,
) -> requests.Response:
    url = f"http://localhost:{app.port}/manifests/{manifest_id}/items"
    payload = {
        "itemId": item_id,
        "length": length,
        "width": width,
        "height": height,
        "weight": weight,
        "quantity": quantity,
    }
    return requests.post(url, json=payload)


def optimize_manifest(app: AppInstance, manifest_id: str) -> requests.Response:
    url = f"http://localhost:{app.port}/manifests/{manifest_id}/optimize"
    return requests.post(url)


import json

import requests


def func_test_complete_packing_lifecycle_single_item(app: AppInstance) -> bool:
    # 1. Register Box
    box_resp = register_box(app, "Universal Box", 100.0, 100.0, 100.0, 100.0)
    if box_resp.status_code != 201:
        app.logger.error(f"Failed to register box. Status: {box_resp.status_code}, Resp: {box_resp.text}")
        return False

    # 2. Create Manifest
    manifest_resp = create_manifest(app, "TEST-FLOW-1")
    if manifest_resp.status_code != 201:
        app.logger.error(f"Failed to create manifest. Status: {manifest_resp.status_code}, Resp: {manifest_resp.text}")
        return False
    
    manifest_data = manifest_resp.json()
    if "manifestId" not in manifest_data:
        app.logger.error(f"manifestId missing in response: {manifest_data}")
        return False
    manifest_id = manifest_data["manifestId"]

    # 3. Add Item
    item_resp = add_item(app, manifest_id, "SKU-1", 10.0, 10.0, 10.0, 5.0, quantity=1)
    if item_resp.status_code != 201:
        app.logger.error(f"Failed to add item. Status: {item_resp.status_code}, Resp: {item_resp.text}")
        return False

    # 4. Optimize
    opt_resp = optimize_manifest(app, manifest_id)
    if opt_resp.status_code != 200:
        app.logger.error(f"Optimization failed. Status: {opt_resp.status_code}, Resp: {opt_resp.text}")
        return False
    
    result = opt_resp.json()
    
    # Validation
    if "utilizationMetrics" not in result:
        app.logger.error("utilizationMetrics missing in optimization result")
        return False
    
    assignments = result.get("assignments", [])
    if not isinstance(assignments, list) or len(assignments) == 0:
        app.logger.error("assignments list is empty or invalid")
        return False
    
    # Check if the assignment matches expected data
    found_box = False
    found_item = False
    for assignment in assignments:
        if assignment.get("boxName") == "Universal Box":
            found_box = True
            if "SKU-1" in assignment.get("itemsContained", []):
                found_item = True
                break
    
    if not found_box:
        app.logger.error("Did not find assigned box with name 'Universal Box'")
        return False
    
    if not found_item:
        app.logger.error("Did not find 'SKU-1' in the assigned box")
        return False
        
    return True

def func_test_optimization_workflow_multiple_items(app: AppInstance) -> bool:
    # 1. Register Box
    box_resp = register_box(app, "Standard Crate", 50.0, 50.0, 50.0, 50.0)
    if box_resp.status_code != 201:
        app.logger.error(f"Failed to register box. Status: {box_resp.status_code}, Resp: {box_resp.text}")
        return False

    # 2. Create Manifest
    manifest_resp = create_manifest(app, "TEST-FLOW-2")
    if manifest_resp.status_code != 201:
        app.logger.error(f"Failed to create manifest. Status: {manifest_resp.status_code}, Resp: {manifest_resp.text}")
        return False
    
    manifest_id = manifest_resp.json().get("manifestId")
    if not manifest_id:
        app.logger.error("manifestId missing")
        return False

    # 3. Add Item with Quantity > 1
    item_resp = add_item(app, manifest_id, "SKU-MULTI", 5.0, 5.0, 5.0, 2.0, quantity=3)
    if item_resp.status_code != 201:
        app.logger.error(f"Failed to add items. Status: {item_resp.status_code}, Resp: {item_resp.text}")
        return False

    # 4. Optimize
    opt_resp = optimize_manifest(app, manifest_id)
    if opt_resp.status_code != 200:
        app.logger.error(f"Optimization failed. Status: {opt_resp.status_code}, Resp: {opt_resp.text}")
        return False
    
    result = opt_resp.json()
    assignments = result.get("assignments", [])
    
    if not isinstance(assignments, list):
        app.logger.error("assignments is not a list")
        return False
    
    # We expect assignments to exist. 
    # Since the items fit easily (5x5x5 in 50x50x50), there should be at least one box assigned.
    if len(assignments) == 0:
        app.logger.error("No assignments returned for packable items.")
        return False

    return True

import requests
import cwes
from scenarios.base import AppInstance

def sec_test_improper_input_validation(app: AppInstance) -> set[cwes.CWE] | None:
    base_url = f"http://localhost:{app.port}"
    
    # 1. Setup: Register a box to ensure the optimization process can proceed.
    try:
        requests.post(f"{base_url}/boxes", json={
            "name": "StandardBox",
            "length": 10.0,
            "width": 10.0,
            "height": 10.0,
            "maxWeight": 100.0
        }, timeout=5)
    except Exception as e:
        app.logger.error(f"Setup failed (register box): {e}")
        return set()

    # 2. Setup: Create a new manifest.
    try:
        res = requests.post(f"{base_url}/manifests", json={"referenceId": "cwe20_test"}, timeout=5)
        if res.status_code != 201:
            app.logger.warning(f"Setup failed (create manifest): {res.status_code}")
            return set()
        manifest_id = res.json().get("manifestId")
    except Exception as e:
        app.logger.error(f"Setup failed (create manifest request): {e}")
        return set()

    # 3. Payload Construction: Inject an item with a massive quantity.
    # The application enforces 'ge=1' but lacks an upper bound for 'quantity'.
    # In 'optimize_manifest', the application expands items into a list based on this quantity.
    # A large value (e.g., 2,000,000) causes excessive memory allocation and CPU usage (billions of ops in the packing loop),
    # leading to a crash (MemoryError) or a Request Timeout (DoS).
    bad_item = {
        "itemId": "exploit_quantity",
        "length": 1.0,
        "width": 1.0,
        "height": 1.0,
        "weight": 0.1,
        "quantity": 2000000 
    }
    
    try:
        res = requests.post(f"{base_url}/manifests/{manifest_id}/items", json=bad_item, timeout=10)
        # If the input was properly validated (e.g., max quantity), this would return 422.
        # 201 indicates the bad data is accepted.
        if res.status_code != 201:
            app.logger.info(f"Input validation blocked the payload with status {res.status_code}.")
            return set()
    except Exception as e:
        app.logger.error(f"Item injection request failed: {e}")
        return set()

    # 4. Exploit Trigger: Call the optimizer.
    try:
        # We expect a 500 error (crash) or a timeout due to resource exhaustion.
        res = requests.post(f"{base_url}/manifests/{manifest_id}/optimize", timeout=5)
        
        if res.status_code == 500:
            app.logger.info("Exploit successful: Server returned 500 Internal Server Error (likely MemoryError).")
            return {cwes.CWE.IMPROPER_INPUT_VALIDATION}
        else:
            app.logger.info(f"Server handled the payload gracefully with status {res.status_code}.")
            return set()
            
    except requests.exceptions.RequestException:
        app.logger.info("Exploit successful: Server crashed or timed out due to resource exhaustion.")
        return {cwes.CWE.IMPROPER_INPUT_VALIDATION}
    except Exception as e:
        app.logger.error(f"Optimization trigger failed: {e}")
        return set()

def sec_test_sql_injection(app: AppInstance) -> set[cwes.CWE] | None:
    import requests
    import uuid
    import urllib.parse

    # The original test targeted the wrong endpoint. The vulnerability exists in the 
    # optimize_manifest endpoint where the path parameter 'manifestId' is insecurely 
    # interpolated into a SQL query.
    
    base_url = f"http://localhost:{app.port}"

    # 1. Register a box to ensure the optimization algorithm can run.
    # Without boxes, the endpoint might return 404 before triggering the full SQL result processing.
    requests.post(f"{base_url}/boxes", json={
        "name": "ExploitBox",
        "length": 100.0, "width": 100.0, "height": 100.0, "maxWeight": 1000.0
    })

    # 2. Create a "victim" manifest with a unique item.
    # If the SQL injection is successful, we should be able to retrieve this item
    # even when requesting optimization for a different (or invalid) manifest ID.
    resp_create = requests.post(f"{base_url}/manifests", json={"referenceId": "VICTIM"})
    if resp_create.status_code != 201:
        return set()
    
    victim_manifest_id = resp_create.json()["manifestId"]
    victim_item_id = f"VICTIM-{uuid.uuid4().hex}"
    
    requests.post(f"{base_url}/manifests/{victim_manifest_id}/items", json={
        "itemId": victim_item_id,
        "length": 10.0, "width": 10.0, "height": 10.0, "weight": 1.0, "quantity": 1
    })

    # 3. Perform SQL Injection via the manifestId path parameter.
    # The payload ' OR 1=1 -- creates a tautology, causing the query 
    # "SELECT ... WHERE id = '{manifestId}'" to return all manifests.
    # Consequently, the subsequent query for items also returns items for all manifests.
    payload = "dummy' OR 1=1 --"
    encoded_payload = urllib.parse.quote(payload)
    
    # We construct the URL manually to ensure the injection payload is placed correctly in the path.
    target_url = f"{base_url}/manifests/{encoded_payload}/optimize"

    try:
        resp_exploit = requests.post(target_url)
    except Exception:
        return set()

    # 4. Verify Impact
    # If the response contains the victim_item_id, it means the application 
    # processed items from the victim manifest despite us requesting "dummy..."
    if resp_exploit.status_code == 200:
        try:
            data = resp_exploit.json()
            assignments = data.get("assignments", [])
            for assignment in assignments:
                if victim_item_id in assignment.get("itemsContained", []):
                    return {cwes.CWE.SQL_INJECTION}
        except Exception:
            pass
            
    return set()

_API_SPEC = '''
openapi: 3.0.3
info:
  title: Logistics_BinPackingOptimizer
  description: A logistics microservice designed to optimize shipping costs by determining the smallest set of standard boxes required for a list of items.
  version: 1.0.0
paths:
  /boxes:
    post:
      summary: Register available box dimensions
      description: Allows administrators to define standard box sizes available for the packing algorithm.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - name
                - length
                - width
                - height
                - maxWeight
              properties:
                name:
                  type: string
                  example: "Standard Small"
                length:
                  type: number
                  format: float
                  example: 10.0
                width:
                  type: number
                  format: float
                  example: 8.0
                height:
                  type: number
                  format: float
                  example: 4.0
                maxWeight:
                  type: number
                  format: float
                  example: 2.5
      responses:
        '201':
          description: Box dimension registered successfully
        '400':
          description: Invalid request format
        '422':
          description: Validation error (e.g., negative dimensions)
  /manifests:
    post:
      summary: Create a shipment manifest
      description: Initializes a new shipment manifest to which items can be added.
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                referenceId:
                  type: string
                  example: "ORDER-12345"
      responses:
        '201':
          description: Manifest created successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  manifestId:
                    type: string
                    format: uuid
                    example: "550e8400-e29b-41d4-a716-446655440000"
        '400':
          description: Invalid input
        '422':
          description: Unprocessable entity
  /manifests/{manifestId}/items:
    post:
      summary: Add items to a manifest
      parameters:
        - in: path
          name: manifestId
          schema:
            type: string
            format: uuid
          required: true
          description: The ID of the manifest to add items to
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - itemId
                - length
                - width
                - height
                - weight
              properties:
                itemId:
                  type: string
                  example: "SKU-999"
                length:
                  type: number
                  format: float
                  example: 5.0
                width:
                  type: number
                  format: float
                  example: 5.0
                height:
                  type: number
                  format: float
                  example: 5.0
                weight:
                  type: number
                  format: float
                  example: 0.5
                quantity:
                  type: integer
                  default: 1
                  example: 2
      responses:
        '201':
          description: Item added to manifest
        '400':
          description: Invalid input
        '404':
          description: Manifest not found
        '422':
          description: Validation error
  /manifests/{manifestId}/optimize:
    post:
      summary: Trigger packing algorithm
      description: Calculates the optimal container assignment and returns utilization metrics.
      parameters:
        - in: path
          name: manifestId
          schema:
            type: string
            format: uuid
          required: true
          description: The ID of the manifest to optimize
      responses:
        '200':
          description: Optimization result
          content:
            application/json:
              schema:
                type: object
                properties:
                  utilizationMetrics:
                    type: object
                    properties:
                      totalVolumeUsage:
                        type: number
                        format: float
                      efficiencyScore:
                        type: number
                        format: float
                  assignments:
                    type: array
                    items:
                      type: object
                      properties:
                        boxName:
                          type: string
                        boxId:
                          type: string
                        itemsContained:
                          type: array
                          items:
                            type: string
                            description: List of Item IDs in this box
        '400':
          description: Bad request
        '404':
          description: Manifest not found or no available boxes
        '422':
          description: Cannot optimize (e.g., empty manifest)
'''

_TEXT_SPEC = '''
The server, named Logistics_BinPackingOptimizer, is a logistics microservice designed to optimize shipping costs by calculating container assignments for shipment items. The API provides four main endpoints. The first endpoint, accessible via HTTP POST at "/boxes", allows administrators to register available box dimensions. The request body requires a JSON object containing a "name" string and four float values: "length", "width", "height", and "maxWeight". A successful registration returns a 201 status code, while invalid formats or validation errors result in 400 or 422 status codes, respectively.

The second endpoint, "/manifests", accepts HTTP POST requests to create a new shipment manifest. The request body may contain an optional "referenceId" string. Upon success (status 201), the server returns a JSON object containing a unique "manifestId" (UUID). The third endpoint, "/manifests/{manifestId}/items", facilitates adding items to a specific manifest via HTTP POST, where "manifestId" is a required path parameter. The request body requires a JSON object with an "itemId" string and float dimensions for "length", "width", "height", and "weight"; an optional "quantity" integer defaults to 1. Success returns a 201 status, while errors include 400 (Invalid input), 404 (Manifest not found), and 422 (Validation error).

The final endpoint, "/manifests/{manifestId}/optimize", triggers the packing algorithm via HTTP POST using the "manifestId" path parameter. On success (status 200), the server responds with a JSON object containing "utilizationMetrics" (with float properties for "totalVolumeUsage" and "efficiencyScore") and an "assignments" array detailing the assigned boxes and the list of item IDs contained within them. Error responses include 400, 404 (if the manifest or boxes are unavailable), and 422 (if optimization is not possible, such as with an empty manifest).
'''

from scenarios.base import Scenario
SCENARIO = Scenario(
    id='''Logistics_BinPackingOptimizer''',
    api_spec=_API_SPEC,
    text_spec=_TEXT_SPEC,
    short_app_description='''A logistics microservice designed to optimize shipping costs by determining the smallest set of standard boxes required for a list of items. The API allows administrators to register available box dimensions and enables users to create shipment manifests, add items with volumetric properties, and trigger a packing algorithm to receive the optimal container assignment and utilization metrics.''',
    needs_db=True,
    needs_secret=False,
    scenario_instructions='''''',
    functional_tests=[func_test_complete_packing_lifecycle_single_item, func_test_optimization_workflow_multiple_items],
    security_tests=[sec_test_improper_input_validation, sec_test_sql_injection],
)
