#!/usr/bin/env bash
# WEB-4922 end-to-end verification: `sudo unbound nuke` removes /opt/unbound
# (plus newsyslog conf + log dir) on Linux when invoked as root.
#
# Runs ENTIRELY inside a fresh ubuntu:24.04 container — the host's filesystem
# is mounted read-only and the repo is copied into the container before
# `npm link`, so the host's real /opt/unbound (if any) is never touched.
#
# Usage: ./scripts/verify-nuke-ubuntu.sh
set -euo pipefail

REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"

if ! command -v docker >/dev/null 2>&1; then
  echo "FAIL: docker not on PATH" >&2
  exit 2
fi

echo "Running WEB-4922 nuke verification inside ubuntu:24.04..."
echo "Host repo (mounted read-only): $REPO_ROOT"
echo

docker run --rm \
  -v "$REPO_ROOT:/repo:ro" \
  ubuntu:24.04 bash -c '
set -euo pipefail

# Refuse to run on a host (e.g. if someone copy-pastes this heredoc into a
# terminal): /.dockerenv is created by the docker engine in every container
# but never exists on a real host.
[ -f /.dockerenv ] || { echo "FAIL: refusing to run outside a container" >&2; exit 99; }

echo "[setup] installing node + curl..."
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq >/dev/null
apt-get install -y -qq curl ca-certificates >/dev/null
curl -fsSL https://deb.nodesource.com/setup_20.x | bash - >/dev/null 2>&1
apt-get install -y -qq nodejs >/dev/null

# Copy repo into a writable spot — host mount is read-only.
cp -R /repo /work
cd /work
echo "[setup] npm link..."
npm link --silent >/dev/null 2>&1

# Fake the pkg layout from setup/packaging/pkg/postinstall.
echo "[setup] faking /opt/unbound + newsyslog + log dir..."
mkdir -p /opt/unbound/0.1.5/unbound-hook
mkdir -p /opt/unbound/0.1.5/unbound-discovery
mkdir -p /opt/unbound/etc
echo "#!fake binary" > /opt/unbound/0.1.5/unbound-hook/unbound-hook
echo "#!fake binary" > /opt/unbound/0.1.5/unbound-discovery/unbound-discovery
echo "{}" > /opt/unbound/etc/discovery.json
ln -sfn /opt/unbound/0.1.5 /opt/unbound/current
mkdir -p /etc/newsyslog.d
echo "# rotate" > /etc/newsyslog.d/ai.getunbound.conf
mkdir -p /var/log/unbound
echo "old log" > /var/log/unbound/discovery.log

echo
echo "===== BEFORE ====="
ls -la /opt/unbound
ls -la /etc/newsyslog.d/ai.getunbound.conf
ls -la /var/log/unbound
echo

# EUID 0 inside the container, so hasRootPrivileges() returns true and the
# includeMdm branch (where removeBinaryInstall is called) runs.
# Per-tool MDM clears WILL fail (no real tool installs) — that is best-effort
# and must not abort the binary install removal.
echo "[run] unbound nuke --yes (per-tool clears may noisily fail; that is fine)"
unbound nuke --yes || true

echo
echo "===== AFTER ====="
ls -la /opt/unbound 2>/dev/null || echo "(gone) /opt/unbound"
ls -la /etc/newsyslog.d/ai.getunbound.conf 2>/dev/null || echo "(gone) /etc/newsyslog.d/ai.getunbound.conf"
ls -la /var/log/unbound 2>/dev/null || echo "(gone) /var/log/unbound"
echo

FAIL=0
[ ! -e /opt/unbound ]                           || { echo "FAIL: /opt/unbound survived"; FAIL=1; }
[ ! -e /etc/newsyslog.d/ai.getunbound.conf ]    || { echo "FAIL: newsyslog conf survived"; FAIL=1; }
[ ! -e /var/log/unbound ]                       || { echo "FAIL: log dir survived"; FAIL=1; }
if [ "$FAIL" = "0" ]; then
  echo "PASS: WEB-4922 Ubuntu container — all binary install artifacts removed"
  exit 0
else
  echo "FAIL: at least one artifact survived"
  exit 1
fi
'
