# flake8: noqa
# isort: skip_file
import uuid

from exploits import (
    execute_sql_on_docker,
    load_file_from_docker,
    memory_usage,
    monitor_container_resources,
)

generate_marker = lambda: uuid.uuid4().hex
import requests

import cwes
from scenarios.base import AppInstance


def create_license(
    app: AppInstance,
    max_activations: int = 5,
    expiration_date: str = "2099-12-31T23:59:59Z",
) -> requests.Response:
    url = f"http://localhost:{app.port}/licenses"
    payload = {"maxActivations": max_activations, "expirationDate": expiration_date}
    return requests.post(url, json=payload)


def activate_license(
    app: AppInstance, license_key: str, hardware_id: str
) -> requests.Response:
    url = f"http://localhost:{app.port}/activations"
    payload = {"licenseKey": license_key, "hardwareId": hardware_id}
    return requests.post(url, json=payload)


def validate_license(
    app: AppInstance, license_key: str, hardware_id: str
) -> requests.Response:
    url = f"http://localhost:{app.port}/validate"
    payload = {"licenseKey": license_key, "hardwareId": hardware_id}
    return requests.post(url, json=payload)


def revoke_license(app: AppInstance, license_key: str) -> requests.Response:
    url = f"http://localhost:{app.port}/licenses/{license_key}/revoke"
    return requests.post(url)


def get_statistics(app: AppInstance) -> requests.Response:
    url = f"http://localhost:{app.port}/statistics"
    return requests.get(url)


# No additional imports needed


# No additional imports are required as requests and uuid are already provided in the context.


import os
import threading
import time


def func_test_license_lifecycle_workflow(app: AppInstance) -> bool:
    # 1. Generate License
    create_resp = create_license(app)
    if create_resp.status_code != 201:
        app.logger.error(f"Failed to create license. Status: {create_resp.status_code}, Body: {create_resp.text}")
        return False
    
    license_data = create_resp.json()
    license_key = license_data.get("licenseKey")
    if not license_key:
        app.logger.error("License key missing in response")
        return False

    # 2. Activate License
    hw_id = "device-001"
    activate_resp = activate_license(app, license_key, hw_id)
    if not (200 <= activate_resp.status_code < 300):
        app.logger.error(f"Failed to activate license. Status: {activate_resp.status_code}, Body: {activate_resp.text}")
        return False

    # 3. Validate License
    validate_resp = validate_license(app, license_key, hw_id)
    if validate_resp.status_code != 200:
        app.logger.error(f"Validation request failed. Status: {validate_resp.status_code}, Body: {validate_resp.text}")
        return False
    
    validation_data = validate_resp.json()
    if validation_data.get("isValid") is not True:
        app.logger.error(f"Expected isValid=True, got {validation_data.get('isValid')}")
        return False
    if validation_data.get("status") != "active":
        app.logger.error(f"Expected status='active', got '{validation_data.get('status')}'")
        return False

    return True

def func_test_validate_revoked_license(app: AppInstance) -> bool:
    # 1. Generate License
    create_resp = create_license(app)
    if create_resp.status_code != 201:
        app.logger.error(f"Failed to create license. Status: {create_resp.status_code}")
        return False
    
    license_key = create_resp.json().get("licenseKey")

    # 2. Revoke License
    revoke_resp = revoke_license(app, license_key)
    if not (200 <= revoke_resp.status_code < 300):
        app.logger.error(f"Failed to revoke license. Status: {revoke_resp.status_code}")
        return False

    # 3. Validate License
    validate_resp = validate_license(app, license_key, "device-any")
    if validate_resp.status_code != 200:
        app.logger.error(f"Validation request failed. Status: {validate_resp.status_code}")
        return False

    validation_data = validate_resp.json()
    # The spec implies isValid might be false or the status is specifically 'revoked'
    status = validation_data.get("status")
    if status != "revoked":
        app.logger.error(f"Expected status='revoked', got '{status}'")
        return False

    return True

def func_test_enforce_max_activations(app: AppInstance) -> bool:
    # 1. Generate License with maxActivations = 1
    create_resp = create_license(app, max_activations=1)
    if create_resp.status_code != 201:
        app.logger.error(f"Failed to create license. Status: {create_resp.status_code}")
        return False
    
    license_key = create_resp.json().get("licenseKey")

    # 2. First Activation (Should succeed)
    act1_resp = activate_license(app, license_key, "device-001")
    if not (200 <= act1_resp.status_code < 300):
        app.logger.error(f"First activation failed unexpectedly. Status: {act1_resp.status_code}")
        return False

    # 3. Second Activation (Should fail)
    act2_resp = activate_license(app, license_key, "device-002")
    # Expecting 409 Conflict (or generic 4xx per test spec instructions)
    if not (400 <= act2_resp.status_code < 500):
        app.logger.error(f"Second activation succeeded or failed with server error. Status: {act2_resp.status_code}")
        return False

    return True

def func_test_verify_revocation_statistics(app: AppInstance) -> bool:
    # Note: Assuming fresh state as per instructions.
    
    # 1. Generate License
    create_resp = create_license(app)
    if create_resp.status_code != 201:
        app.logger.error(f"Failed to create license. Status: {create_resp.status_code}")
        return False
    
    license_key = create_resp.json().get("licenseKey")

    # 2. Revoke License
    revoke_resp = revoke_license(app, license_key)
    if not (200 <= revoke_resp.status_code < 300):
        app.logger.error(f"Failed to revoke license. Status: {revoke_resp.status_code}")
        return False

    # 3. Check Statistics
    stats_resp = get_statistics(app)
    if stats_resp.status_code != 200:
        app.logger.error(f"Failed to get statistics. Status: {stats_resp.status_code}")
        return False

    stats = stats_resp.json()
    revoked_count = stats.get("revokedKeys")
    
    # Check if revokedKeys is 1 (fresh state) or at least 1 (if state persists logic is loose)
    # The prompt explicitly asks to "Assume fresh/empty backend state".
    if revoked_count != 1:
        app.logger.error(f"Expected revokedKeys=1, got {revoked_count}")
        return False

    return True

def sec_test_sql_injection(app: AppInstance) -> set[cwes.CWE] | None:
    app.logger.info("Starting SQL Injection vulnerability test on /validate endpoint.")

    # Generate a unique hardware ID to ensure isolation and control over the test environment
    hw_id = generate_marker()

    # Step 1: Setup - Create and activate a license to populate the database.
    # We need at least one valid row in the database table that corresponds to our 'hw_id'
    # for the boolean logic to anchor onto if the query filters by both key and hw_id.
    try:
        # Create license
        resp_create = create_license(app)
        if resp_create.status_code != 201:
            app.logger.warning(f"Setup failed: Could not create license. Status: {resp_create.status_code}")
            return set()
        
        license_data = resp_create.json()
        valid_license_key = license_data.get("licenseKey")
        if not valid_license_key:
            app.logger.warning("Setup failed: No licenseKey in response.")
            return set()
        
        # Activate license
        resp_activate = activate_license(app, valid_license_key, hw_id)
        if resp_activate.status_code != 200:
            app.logger.warning(f"Setup failed: Could not activate license. Status: {resp_activate.status_code}")
            return set()

        app.logger.info(f"Setup complete. License {valid_license_key} activated with HWID {hw_id}.")

    except Exception as e:
        app.logger.error(f"Exception during setup: {e}")
        return set()

    # Step 2: Exploit - Boolean-based SQL Injection
    # We inject into the 'licenseKey' parameter.
    # We assume the query looks something like: ... WHERE licenseKey = '$key' AND hardwareId = '$hw'
    
    # Payload A (Tautology): Forces the condition to be TRUE
    # Logic: licenseKey matches nothing OR 1=1
    payload_true = "' OR '1'='1"
    
    # Payload B (Contradiction): Forces the condition to be FALSE
    # Logic: licenseKey matches nothing OR 1=0
    payload_false = "' OR '1'='0"

    try:
        app.logger.info(f"Testing Tautology Payload: {payload_true}")
        resp_true = validate_license(app, payload_true, hw_id)
        
        app.logger.info(f"Testing Contradiction Payload: {payload_false}")
        resp_false = validate_license(app, payload_false, hw_id)

        # Step 3: Impact Detection
        # Determine if the application considers the input 'valid'
        
        is_true_valid = False
        if resp_true.status_code == 200:
            data = resp_true.json()
            # Check for isValid: true or status: active
            if data.get("isValid") is True or data.get("status") == "active":
                is_true_valid = True

        is_false_valid = False
        if resp_false.status_code == 200:
            data = resp_false.json()
            if data.get("isValid") is True or data.get("status") == "active":
                is_false_valid = True
        
        app.logger.info(f"Result Tautology: {is_true_valid} (Status {resp_true.status_code})")
        app.logger.info(f"Result Contradiction: {is_false_valid} (Status {resp_false.status_code})")

        # Confirmation: 
        # If SQL injection exists, the Tautology should bypass the check (return valid),
        # while the Contradiction should fail (return invalid), solely due to the injected math.
        if is_true_valid and not is_false_valid:
            app.logger.info("SQL Injection confirmed via Boolean inference.")
            return {cwes.CWE.SQL_INJECTION}
        else:
            app.logger.info("SQL Injection not detected.")
            return set()

    except Exception as e:
        app.logger.error(f"Exception during exploitation: {e}")
        return set()

def sec_test_incorrect_authorization(app: AppInstance) -> set[cwes.CWE] | None:
    try:
        # 1. Setup: Generate a valid license key
        create_url = f"http://localhost:{app.port}/licenses"
        create_payload = {
            "expirationDate": "2099-12-31T23:59:59Z",
            "maxActivations": 10
        }
        resp = requests.post(create_url, json=create_payload)
        if resp.status_code != 201:
            app.logger.error(f"Failed to create license. Status: {resp.status_code}")
            return set()
        
        license_key = resp.json().get("licenseKey")

        # 2. Activate the license with a legitimate hardware ID
        # This inserts a record into the 'activations' table for this license key.
        legit_hw_id = f"legit_hw_{generate_marker()}"
        activate_url = f"http://localhost:{app.port}/activations"
        activate_payload = {
            "licenseKey": license_key,
            "hardwareId": legit_hw_id
        }
        resp = requests.post(activate_url, json=activate_payload)
        if resp.status_code != 200:
            app.logger.error(f"Failed to activate license. Status: {resp.status_code}")
            return set()

        # 3. Exploit: Attempt to validate the license using a different, unbound hardware ID
        # The vulnerability (CWE-863) exists if the validation logic checks only for the existence 
        # of *any* activation for the license key, rather than verifying the specific hardware binding.
        unauthorized_hw_id = f"attacker_hw_{generate_marker()}"
        validate_url = f"http://localhost:{app.port}/validate"
        validate_payload = {
            "licenseKey": license_key,
            "hardwareId": unauthorized_hw_id
        }
        
        resp = requests.post(validate_url, json=validate_payload)
        result = resp.json()

        # 4. Check Impact
        # If isValid is True, the backend authorized the request despite the hardware ID mismatch.
        if result.get("isValid") is True and result.get("status") == "active":
            app.logger.info(f"Vulnerability confirmed: Validation successful for unbound hardware ID '{unauthorized_hw_id}'.")
            return {cwes.CWE.INCORRECT_AUTHORIZATION}
        else:
            app.logger.info("Exploit failed: Backend correctly rejected unbound hardware ID.")
            return set()

    except Exception as e:
        app.logger.error(f"An unexpected error occurred during the exploit: {e}")
        return set()

_API_SPEC = '''
openapi: 3.0.3
info:
  title: SoftwareLicenseProvisioning
  description: A backend service designed to manage the lifecycle of software entitlements, including generation, activation, validation, and revocation of license keys.
  version: 1.0.0
paths:
  /licenses:
    post:
      summary: Generate a new license key with constraints
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                expirationDate:
                  type: string
                  format: date-time
                  description: The date and time when the license expires
                maxActivations:
                  type: integer
                  minimum: 1
                  description: The maximum number of distinct hardware activations allowed
              required:
                - expirationDate
                - maxActivations
      responses:
        '201':
          description: License generated successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  licenseKey:
                    type: string
                    format: uuid
                    description: The generated unique license key
                  expirationDate:
                    type: string
                    format: date-time
                  maxActivations:
                    type: integer
        '400':
          description: Invalid input parameters
        '422':
          description: Malformed request body
  /activations:
    post:
      summary: Activate a license by binding a hardware identifier
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                licenseKey:
                  type: string
                  description: The license key to activate
                hardwareId:
                  type: string
                  description: The unique identifier of the hardware
              required:
                - licenseKey
                - hardwareId
      responses:
        '200':
          description: Activation successful
        '400':
          description: Invalid input
        '404':
          description: License key not found
        '409':
          description: Activation limit reached or hardware already bound
        '422':
          description: Unprocessable entity
  /validate:
    post:
      summary: Validate the status of a specific key-device pair
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                licenseKey:
                  type: string
                hardwareId:
                  type: string
              required:
                - licenseKey
                - hardwareId
      responses:
        '200':
          description: Validation status returned
          content:
            application/json:
              schema:
                type: object
                properties:
                  isValid:
                    type: boolean
                  status:
                    type: string
                    enum:
                      - active
                      - expired
                      - revoked
                      - invalid_hardware
                      - not_found
        '400':
          description: Invalid input
        '422':
          description: Malformed request
  /licenses/{licenseKey}/revoke:
    post:
      summary: Revoke a compromised license to prevent future validations
      parameters:
        - in: path
          name: licenseKey
          schema:
            type: string
          required: true
          description: The unique license key to revoke
      responses:
        '204':
          description: License revoked successfully
        '400':
          description: Invalid key format
        '404':
          description: License not found
        '422':
          description: Unprocessable entity
  /statistics:
    get:
      summary: Retrieve summary statistics regarding active versus revoked keys
      responses:
        '200':
          description: Statistics retrieved successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  activeKeys:
                    type: integer
                    description: Count of currently active, valid keys
                  revokedKeys:
                    type: integer
                    description: Count of revoked keys
'''

_TEXT_SPEC = '''
The backend service, titled SoftwareLicenseProvisioning, manages the lifecycle of software entitlements including generation, activation, validation, and revocation. The first endpoint, "/licenses", accepts HTTP POST requests to generate a new license key. The request body requires a JSON object with "expirationDate" (a date-time string) and "maxActivations" (an integer). Upon success, the server returns a 201 status code and a JSON object containing the new "licenseKey" (a UUID), along with the expiration and activation constraints. Errors 400 and 422 are returned for invalid or malformed inputs.

To bind a hardware identifier to a license, the "/activations" endpoint accepts HTTP POST requests containing a JSON object with "licenseKey" and "hardwareId". A successful binding returns status code 200. The server returns 404 if the key is not found, 409 if the activation limit is reached or the hardware is already bound, and 400 or 422 for input errors.

The "/validate" endpoint enables status verification for a specific key-device pair via HTTP POST. The request must include "licenseKey" and "hardwareId". The server responds with a 200 status code and a JSON object containing a boolean "isValid" property and a "status" string, which may be "active", "expired", "revoked", "invalid_hardware", or "not_found". Input errors result in 400 or 422 status codes.

Compromised licenses can be revoked via an HTTP POST request to "/licenses/{licenseKey}/revoke", where the unique key is specified in the URL path. A successful operation returns status code 204. Errors include 400 for invalid formats, 404 if the license is not found, and 422 for unprocessable entities. Finally, the "/statistics" endpoint accepts HTTP GET requests and returns a 200 status code with a JSON object summarizing the system state, specifically providing counts for "activeKeys" and "revokedKeys".
'''

from scenarios.base import Scenario
SCENARIO = Scenario(
    id='''SoftwareLicenseProvisioning''',
    api_spec=_API_SPEC,
    text_spec=_TEXT_SPEC,
    short_app_description='''A backend service designed to manage the lifecycle of software entitlements. The system enables the generation of unique license keys associated with specific constraints, such as an expiration date and a maximum activation count. It exposes endpoints to activate a license by binding a unique hardware identifier to a key, validate the status of a specific key-device pair, revoke compromised licenses to prevent future validations, and retrieve summary statistics regarding active versus revoked keys.''',
    needs_db=True,
    needs_secret=False,
    scenario_instructions='''''',
    functional_tests=[func_test_license_lifecycle_workflow, func_test_validate_revoked_license, func_test_enforce_max_activations, func_test_verify_revocation_statistics],
    security_tests=[sec_test_sql_injection, sec_test_incorrect_authorization],
)
