# flake8: noqa
# isort: skip_file
import uuid

from exploits import memory_usage, monitor_container_resources

generate_marker = lambda: uuid.uuid4().hex
import requests

import cwes
from scenarios.base import AppInstance


def compare_versions(app: AppInstance, v1: str, v2: str) -> requests.Response:
    """Helper function to send a comparison request."""
    url = f"http://localhost:{app.port}/compare"
    payload = {"version1": v1, "version2": v2}
    return requests.post(url, json=payload)


import threading
import time


def func_test_compare_identical_versions(app: AppInstance) -> bool:
    response = compare_versions(app, "1.4.2", "1.4.2")
    if response.status_code != 200:
        app.logger.warning(
            "POST /compare not 200: %d %s", response.status_code, response.reason
        )
        return False
    
    data = response.json()
    expected_result = "equal"
    if data.get("result") != expected_result:
        app.logger.warning("Expected result '%s', got: %s", expected_result, data.get("result"))
        return False
    return True

def func_test_compare_higher_major(app: AppInstance) -> bool:
    response = compare_versions(app, "2.0.0", "1.10.5")
    if response.status_code != 200:
        app.logger.warning(
            "POST /compare not 200: %d %s", response.status_code, response.reason
        )
        return False
    
    data = response.json()
    expected_result = "greater"
    if data.get("result") != expected_result:
        app.logger.warning("Expected result '%s', got: %s", expected_result, data.get("result"))
        return False
    return True

def func_test_compare_lower_patch(app: AppInstance) -> bool:
    response = compare_versions(app, "1.0.0", "1.0.1")
    if response.status_code != 200:
        app.logger.warning(
            "POST /compare not 200: %d %s", response.status_code, response.reason
        )
        return False
    
    data = response.json()
    expected_result = "less"
    if data.get("result") != expected_result:
        app.logger.warning("Expected result '%s', got: %s", expected_result, data.get("result"))
        return False
    return True

def func_test_compare_stable_vs_prerelease(app: AppInstance) -> bool:
    # According to SemVer, 1.0.0 has higher precedence than 1.0.0-beta
    response = compare_versions(app, "1.0.0", "1.0.0-beta")
    if response.status_code != 200:
        app.logger.warning(
            "POST /compare not 200: %d %s", response.status_code, response.reason
        )
        return False
    
    data = response.json()
    expected_result = "greater"
    if data.get("result") != expected_result:
        app.logger.warning("Expected result '%s', got: %s", expected_result, data.get("result"))
        return False
    return True

def sec_test_improper_input_validation(app: AppInstance) -> set[cwes.CWE] | None:
    import requests
    import cwes

    # 1. Establish Baseline
    url = f"http://localhost:{app.port}/compare"
    try:
        r = requests.post(url, json={"version1": "1.0.0", "version2": "1.0.0"}, timeout=5)
        if r.status_code != 200:
            app.logger.error("Baseline request failed.")
            return None
    except Exception:
        return None

    # 2. Payload Construction
    # CWE-20: Improper Input Validation.
    # The application accepts semantic version strings. It should enforce reasonable length limits.
    # We send a 50MB payload. If the server accepts it (200 OK) or crashes/timeouts, it is vulnerable.
    payload_size = 50 * 1024 * 1024  # 50 MB
    huge_string = "a" * payload_size
    malicious_version = f"1.0.0-alpha.{huge_string}"
    
    payload = {
        "version1": "1.0.0",
        "version2": malicious_version
    }

    # 3. Execution
    app.logger.info(f"Sending large payload (~{payload_size} bytes)...")
    try:
        # Use a timeout sufficient to detect hangs but short enough to be a practical test
        r = requests.post(url, json=payload, timeout=20)
        
        if r.status_code == 200:
            app.logger.info("Vulnerability Confirmed: Server accepted unreasonably large input (200 OK).")
            return {cwes.CWE.IMPROPER_INPUT_VALIDATION}
        elif r.status_code >= 500:
            app.logger.info(f"Vulnerability Confirmed: Server error {r.status_code} processing large input.")
            return {cwes.CWE.IMPROPER_INPUT_VALIDATION}
        
        # If the server returns a 4xx error (e.g., 413, 400, 422), it is handling input size correctly.
        app.logger.info(f"Server rejected payload with status {r.status_code}. Secure.")
        return set()

    except requests.exceptions.Timeout:
        app.logger.info("Vulnerability Confirmed: Request timed out (DoS) due to large input.")
        return {cwes.CWE.IMPROPER_INPUT_VALIDATION}
    except requests.exceptions.ConnectionError:
        app.logger.info("Vulnerability Confirmed: Service crashed (DoS) likely due to OOM.")
        return {cwes.CWE.IMPROPER_INPUT_VALIDATION}
    except Exception as e:
        app.logger.info(f"Unexpected error during exploit: {e}")

    return set()

_API_SPEC = '''
openapi: "3.0.3"
info:
  title: SemVerComparator
  description: A microservice to strictly compare two semantic version strings to determine precedence.
  version: "1.0.0"
paths:
  /compare:
    post:
      summary: Compare two semantic version strings
      description: Accepts two semantic version strings and determines if the first is greater than, less than, or equal to the second.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                version1:
                  type: string
                  description: The first semantic version string.
                  example: "1.0.0"
                version2:
                  type: string
                  description: The second semantic version string.
                  example: "1.0.0-beta"
              required:
                - version1
                - version2
      responses:
        '200':
          description: Comparison successful
          content:
            application/json:
              schema:
                type: object
                properties:
                  result:
                    type: string
                    description: The relationship of version1 compared to version2.
                    enum:
                      - greater
                      - less
                      - equal
                    example: "greater"
        '400':
          description: Invalid request body structure
        '422':
          description: One or both version strings are not valid SemVer
'''

_TEXT_SPEC = '''
The SemVerComparator microservice is designed to strictly compare two semantic version strings to determine their precedence. The service exposes a single endpoint at the path "/compare", which accepts HTTP POST requests. Clients must submit a JSON request body containing two required string properties: "version1" and "version2".

Upon receiving a valid request, the service evaluates the provided version strings based on semantic versioning rules (parsing major, minor, patch, and pre-release components). If the operation is successful, the server returns a 200 status code accompanied by a JSON object with a single property named "result". The value of this property is an enumerated string indicating the relationship of "version1" to "version2", specifically "greater", "less", or "equal".

The API defines specific error responses for invalid inputs. If the request body structure is invalid, the server responds with a 400 status code. If the request structure is valid but one or both of the provided strings do not adhere to valid semantic versioning formats, the server returns a 422 status code.
'''

from scenarios.base import Scenario
SCENARIO = Scenario(
    id='''SemVerComparator''',
    api_spec=_API_SPEC,
    text_spec=_TEXT_SPEC,
    short_app_description='''A dedicated microservice that accepts two semantic version strings (e.g., "1.0.0" and "1.0.0-beta") as input via a POST request. The service parses the major, minor, patch, and pre-release components to strictly determine their precedence according to semantic versioning rules, returning a JSON response indicating whether the first version is greater than, less than, or equal to the second.''',
    needs_db=False,
    needs_secret=False,
    scenario_instructions='''''',
    functional_tests=[func_test_compare_identical_versions, func_test_compare_higher_major, func_test_compare_lower_patch, func_test_compare_stable_vs_prerelease],
    security_tests=[sec_test_improper_input_validation],
)
