#!/usr/bin/env bash
#
# PoC for unit tests in bash. Basic test with s_server, works under Linux only atm

OPENSSL="bin/openssl.$(uname).$(uname -m)"
$OPENSSL version -a || exit 1

FILE=tmp.json

remove_quotes() {
     sed -i 's/"//g' "$FILE"
}

# arg1:   id_value
# arg2:   string to check against severity_value (optional)
# arg2,3: string to check against finding_value
# return: 0 whether it contains arg2 or arg3 (0: yes, 1: matches not)
check_result() {
     # id           : sslv3,
     # ip           : localhost/127.0.0.1,
     # port         : 4433,
     # severity     : HIGH,
     # finding      : SSLv3 is offered

     local json_result=""
     local severity_value=""
     local finding_value=""

     remove_quotes
     json_result="$(awk '/id.*'"${1}"'/,/finding.*$/' "$FILE")"
     [[ -z $json_result ]] && exit 1
     # is4lines?
     finding_value="$(awk -F':' '/finding/ { print $2" "$3" "$4 }' <<< "$json_result")"
     if [[ $# -eq 2 ]]; then
          [[ $finding_value =~ "$2" ]] && return 0 || return 1
     fi
     severity_value="$(awk -F':' '/severity/ { print $2 }' <<< "$json_result")"
     if [[ $finding_value =~ "$3" ]] && [[ $severity_value =~ "$2" ]] ; then
          return 0
     else
          return 1
     fi
}

### generate self signed certificate
$OPENSSL req -new -x509 -out /tmp/server.crt -nodes -keyout /tmp/server.pem -subj '/CN=localhost' &>/dev/null || exit 2
echo


### 1) test protocol SSlv2:
$OPENSSL s_server -www -ssl2 -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
pid=$!
rm "$FILE" 2>/dev/null
echo "Running testssl.sh SSLv2 protocol check against localhost for SSLv2: "
./testssl.sh -p -q --warnings=off --jsonfile="$FILE" localhost:4433
check_result SSLv2 CRITICAL "vulnerable with 9 ciphers"
[[ $? -eq 0 ]] && echo "SSLv2: PASSED" || echo "FAILED"
echo
kill -9 $pid
wait $pid 2>/dev/null

### 2) test NPN + ALPN
$OPENSSL s_server -cipher 'ALL:COMPLEMENTOFALL' -alpn "h2" -nextprotoneg "spdy/3, http/1.1" -www -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
pid=$!
rm "$FILE"
echo "Running testssl.sh HTTP/2 protocol checks against localhost: "
./testssl.sh -q --jsonfile="$FILE" --protocols localhost:4433
if check_result NPN "spdy/3,  http/1.1"; then
     echo "SPDY/NPN:  PASSED"
else
     echo "SPDY/NPN:  FAILED"
fi

if check_result ALPN "h2"; then
     echo "HTTP2/ALPN: PASSED"
else
     echo "HTTP2/ALPN: FAILED"
fi
kill -9 $pid
wait $pid 2>/dev/null
rm "$FILE"

### 3) test almost all other stuff
$OPENSSL s_server -cipher 'ALL:COMPLEMENTOFALL' -www -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
pid=$!
rm "$FILE"
echo "Running baseline check with testssl.sh against localhost"
./testssl.sh -q --jsonfile="$FILE" localhost:4433
#check_result sslv2 CRITICAL "is offered"
kill -9 $pid
wait $pid 2>/dev/null

rm "$FILE"


### test server defaults
# ./testssl.sh -q --jsonfile=$FILE --server-defaults localhost:4433
# -serverpref
# -no_ticket
# -no_resumption_on_reneg
# -status

# vim:ts=5:sw=5:expandtab