#include "catch.hpp"
#include "duckdb.hpp"
#include "duckdb/main/database.hpp"
#include "duckdb/main/extension/extension_loader.hpp"
#include "duckdb/main/secret/secret.hpp"
#include "duckdb/main/secret/secret_manager.hpp"
#include "duckdb/main/secret/secret_storage.hpp"
#include "test_helpers.hpp"

#include <sys/stat.h>

#ifndef _WIN32
#include <fcntl.h>
#include <sys/stat.h>
#endif

using namespace duckdb;
using namespace std;

#ifndef _WIN32
static void assert_correct_permission(string file) {
	struct stat st;
	auto res = lstat(file.c_str(), &st);
	REQUIRE(res == 0);

	// Only permissions should be User Read+Write
	REQUIRE(st.st_mode & (S_IRUSR | S_IWUSR));
	// The rest should be 0
	REQUIRE(!(st.st_mode & (S_IXUSR | S_IRWXG | S_IRWXO)));
}

TEST_CASE("Test file permissions on linux/macos", "[secret][.]") {
	DuckDB db(nullptr);
	Connection con(db);

	if (!db.ExtensionIsLoaded("httpfs")) {
		return;
	}

	// Set custom secret path to prevent interference with other tests
	REQUIRE_NO_FAIL(con.Query("set allow_persistent_secrets=true;"));
	auto secret_dir = TestCreatePath("test_persistent_secret_permissions");
	REQUIRE_NO_FAIL(con.Query("set secret_directory='" + secret_dir + "'"));

	REQUIRE_NO_FAIL(con.Query("CREATE PERSISTENT SECRET oh_so_secret (TYPE S3)"));

	assert_correct_permission(secret_dir + "/" + "oh_so_secret.duckdb_secret");
}

static void assert_duckdb_will_reject_persistent_secret() {
	DuckDB db(nullptr);
	Connection con(db);

	// Set custom secret path to prevent interference with other tests
	REQUIRE_NO_FAIL(con.Query("set allow_persistent_secrets=true;"));
	auto secret_dir = TestCreatePath("test_persistent_secret_permissions");
	REQUIRE_NO_FAIL(con.Query("set secret_directory='" + secret_dir + "'"));

	auto res = con.Query("FROM duckdb_secrets()");
	REQUIRE(res->HasError());
	REQUIRE(StringUtil::Contains(res->GetError(),
	                             "has incorrect permissions! Please set correct permissions or remove file"));
}

TEST_CASE("Test that DuckDB rejects secrets with incorrect permissions on linux/macos", "[secret][.]") {
	DuckDB db(nullptr);
	Connection con(db);

	if (!db.ExtensionIsLoaded("httpfs")) {
		return;
	}

	// Set custom secret path to prevent interference with other tests
	REQUIRE_NO_FAIL(con.Query("set allow_persistent_secrets=true;"));
	auto secret_dir = TestCreatePath("test_persistent_secret_permissions");
	REQUIRE_NO_FAIL(con.Query("set secret_directory='" + secret_dir + "'"));

	REQUIRE_NO_FAIL(con.Query("CREATE PERSISTENT SECRET also_very_secret (TYPE S3)"));

	string secret_path = secret_dir + "/" + "also_very_secret.duckdb_secret";

	mode_t incorrect_permissions[] {S_IRUSR | S_IWUSR | S_IRGRP,  // user rw + group read
	                                S_IRUSR | S_IWUSR | S_IWGRP,  // user rw + group write
	                                S_IRUSR | S_IWUSR | S_IXGRP,  // user rw + group execute
	                                S_IRUSR | S_IWUSR | S_IROTH,  // user rw + other read
	                                S_IRUSR | S_IWUSR | S_IWOTH,  // user rw + other write
	                                S_IRUSR | S_IWUSR | S_IXOTH}; // user rw + other execute

	// Now confirm that for all possible incorrect permissions, we throw
	for (auto perm : incorrect_permissions) {
		chmod(secret_path.c_str(), perm);
		assert_duckdb_will_reject_persistent_secret();
	}

	// Setting back to correct permission should allow us to read it again
	chmod(secret_path.c_str(), S_IRUSR | S_IWUSR);

	// Should be gud now
	DuckDB db2(nullptr);
	Connection con2(db2);
	REQUIRE_NO_FAIL(con2.Query("set allow_persistent_secrets=true;"));
	REQUIRE_NO_FAIL(con2.Query("set secret_directory='" + secret_dir + "'"));
	REQUIRE_NO_FAIL(con2.Query("FROM duckdb_secrets()"));
}
#endif