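#!/bin/bash
# Docker container diagnostic script
# Run this inside the sslh-lab-client container
#
# Prints network configuration, firewall rules, egress probe results and the
# lab's key/config inventory. The report includes the process list and the
# environment, so check it for sensitive values before sharing it.
#
# NOTE(review): the published copy of this script had its TCP probes truncated
# (the `</dev/tcp/HOST/PORT' 2>` part was lost, leaving an unterminated quote).
# They are restored here from the host/port named in each probe's result
# message.

# Abort on unexpected failures; every best-effort command below carries its own
# `|| echo` fallback so a missing tool does not end the report early.
set -e

#######################################
# Attempt a TCP connect using bash's /dev/tcp pseudo-device.
# Host and port are passed as positional parameters to the inner shell rather
# than spliced into the command string, so a value read from a file can never
# be interpreted as shell code.
# Arguments: $1 - host, $2 - port, $3 - timeout in seconds (default 3)
# Returns:   0 if the connection was established, non-zero otherwise
#######################################
tcp_open() {
  local host=$1 port=$2 secs=${3:-3}
  timeout "$secs" bash -c ': </dev/tcp/"$1"/"$2"' _ "$host" "$port" 2>/dev/null
}

#######################################
# Probe https://TARGET:443/ and report whether anything answered.
# The verdict uses curl's own exit status; the original piped curl into
# `head -10` inside the `if`, so the condition tested head (always 0) and the
# probe reported RESPONDING even when curl failed.
# -k skips certificate verification, so RESPONDING only means a TLS/HTTP
# endpoint answered; it says nothing about the endpoint's identity.
# Arguments: $1 - IP address or hostname
# Outputs:   first 10 lines of curl's verbose output, then the verdict
#######################################
probe_https() {
  local target=$1
  local out rc=0
  out=$(timeout 3 curl -k -v "https://${target}:443/" 2>&1) || rc=$?
  printf '%s\n' "$out" | head -10
  if [ "$rc" -eq 0 ]; then
    echo "HTTPS to $target:443: RESPONDING"
  else
    echo "HTTPS to $target:443: NOT RESPONDING"
  fi
}

echo "=========================================="
echo "SSLH Multiplex Lab - Container Diagnostics"
echo "=========================================="
echo ""

echo "=== 1. Container Information ==="
echo "Hostname: $(hostname)"
# Both lines print hostname(1); the script has no separate source for the ID.
echo "Container ID: $(hostname)"
echo ""

echo "=== 2. Network Configuration ==="
echo "--- IP Addresses ---"
ip addr show || ifconfig || echo "Could not get IP addresses"
echo ""
echo "--- Routing Table ---"
ip route show || route -n || echo "Could not get routing table"
echo ""
echo "--- DNS Configuration ---"
cat /etc/resolv.conf || echo "Could not read /etc/resolv.conf"
echo ""

echo "=== 3. DNS Resolution Tests ==="
echo "Testing DNS resolution:"
for host in google.com cloudflare.com 8.8.8.8; do
  if nslookup "$host" >/dev/null 2>&1 || getent hosts "$host" >/dev/null 2>&1; then
    echo "  $host: RESOLVES"
  else
    echo "  $host: FAILS"
  fi
done
echo ""

echo "=== 4. Firewall Rules (iptables) ==="
echo "--- OUTPUT Chain ---"
iptables -L OUTPUT -n -v 2>/dev/null || echo "Could not read iptables OUTPUT chain"
echo ""

echo "=== 5. Outbound Connectivity Tests ==="
echo "--- Testing TCP 443 (HTTPS) ---"
if tcp_open 8.8.8.8 443 3; then
  echo "TCP 443 to 8.8.8.8: ALLOWED"
else
  echo "TCP 443 to 8.8.8.8: BLOCKED or FAILED"
fi
if tcp_open google.com 443 3; then
  echo "TCP 443 to google.com: ALLOWED"
else
  echo "TCP 443 to google.com: BLOCKED or FAILED"
fi
echo ""

echo "--- Testing UDP 53 (DNS) ---"
# UDP is connectionless: writing a datagram to /dev/udp can succeed even when
# no reply ever comes back, so that write alone cannot show the port is open.
# When dig is installed, require an actual DNS answer; the bare send is kept
# only as a weaker fallback for images without dig.
if command -v dig >/dev/null 2>&1; then
  if dig +time=2 +tries=1 @8.8.8.8 google.com +short >/dev/null 2>&1; then
    udp53_ok=1
  else
    udp53_ok=0
  fi
elif timeout 2 bash -c 'echo > /dev/udp/8.8.8.8/53' 2>/dev/null; then
  udp53_ok=1
else
  udp53_ok=0
fi
if [ "$udp53_ok" -eq 1 ]; then
  echo "UDP 53 to 8.8.8.8: ALLOWED"
else
  echo "UDP 53 to 8.8.8.8: BLOCKED or FAILED"
fi
echo ""

echo "--- Testing Blocked Ports (should fail) ---"
# NOTE(review): a failed connect does not by itself prove the firewall dropped
# it; the remote may simply not accept connections on that port. Confirm
# against the OUTPUT chain rules and counters printed in section 4.
if tcp_open 8.8.8.8 80 2; then
  echo "WARNING: TCP 80 to 8.8.8.8: ALLOWED (should be blocked!)"
else
  echo "TCP 80 to 8.8.8.8: BLOCKED (correct)"
fi
if tcp_open 8.8.8.8 22 2; then
  echo "WARNING: TCP 22 to 8.8.8.8: ALLOWED (should be blocked!)"
else
  echo "TCP 22 to 8.8.8.8: BLOCKED (correct)"
fi
echo ""

echo "=== 6. Server Information ==="
if [ -f /server-info.txt ]; then
  echo "Server info file:"
  cat /server-info.txt || echo "Could not read /server-info.txt"
else
  echo "Server info file not found"
fi
echo ""

echo "=== 7. SSH Keys ==="
if [ -d /keys ]; then
  echo "Keys directory exists:"
  ls -la /keys/ || echo "Could not list /keys/"
  if [ -f /keys/id_ed25519 ]; then
    echo "SSH key found: /keys/id_ed25519"
    # GNU stat first, BSD stat as fallback; empty when neither form works.
    key_perms=$(stat -c%a /keys/id_ed25519 2>/dev/null \
      || stat -f%OLp /keys/id_ed25519 2>/dev/null) || key_perms=""
    echo "Key permissions: $key_perms"
    # A private key should carry no group/other bits; ssh refuses keys that
    # are readable by others, so flag it here rather than at connect time.
    case "$key_perms" in
      "" | [0-7]00) ;;
      *) echo "WARNING: /keys/id_ed25519 is accessible by group/others (expected 600 or stricter)" ;;
    esac
  else
    echo "SSH key not found in /keys/"
  fi
else
  echo "Keys directory not found"
fi
echo ""

echo "=== 8. WireGuard Configs ==="
if [ -d /wireguard ]; then
  echo "WireGuard directory exists:"
  ls -la /wireguard/ || echo "Could not list /wireguard/"
  # Only file names are printed; the config contents are never echoed.
  for wg_file in /wireguard/*.conf; do
    if [ -f "$wg_file" ]; then
      echo "  Config: $(basename "$wg_file")"
    fi
  done
else
  echo "WireGuard directory not found"
fi
echo ""

echo "=== 9. Testing SSLH Server Connectivity ==="
if [ -f /server-info.txt ]; then
  # Take the first matching line only, so a repeated label cannot produce a
  # multi-line value.
  server_ip=$(awk '/Server IP:/ {print $3; exit}' /server-info.txt)
  domain=$(awk '/Domain:/ {print $2; exit}' /server-info.txt)

  if [ -n "$server_ip" ]; then
    echo "Testing connectivity to server IP: $server_ip"
    echo "--- Testing SSH on port 443 (via SSLH) ---"
    if tcp_open "$server_ip" 443 3; then
      echo "TCP 443 to $server_ip: REACHABLE"
    else
      echo "TCP 443 to $server_ip: NOT REACHABLE"
    fi
    echo "--- Testing HTTPS on port 443 (via SSLH) ---"
    probe_https "$server_ip"
  fi

  if [ -n "$domain" ]; then
    echo ""
    echo "Testing connectivity to domain: $domain"
    echo "--- DNS Resolution ---"
    if nslookup "$domain" >/dev/null 2>&1 || getent hosts "$domain" >/dev/null 2>&1; then
      resolved_ip=$(nslookup "$domain" 2>/dev/null | grep -A1 "Name:" | grep "Address:" | awk '{print $2}' | head -1)
      if [ -z "$resolved_ip" ]; then
        resolved_ip=$(getent hosts "$domain" | awk '{print $1}' | head -1)
      fi
      echo "  $domain resolves to: $resolved_ip"
      echo "--- Testing HTTPS to domain on port 443 ---"
      probe_https "$domain"
    else
      echo "  $domain: DNS RESOLUTION FAILED"
    fi
  fi
fi
echo ""

echo "=== 10. Process List ==="
ps aux || echo "Could not list processes"
echo ""

echo "=== 11. Environment Variables ==="
# Diagnostic output tends to be pasted into tickets and chat, so values of
# variables whose names look like credentials are masked. Lines that do not
# start with NAME= are continuation lines of a multi-line value and are
# dropped when the variable they belong to was masked.
env | awk '
  /^[A-Za-z_][A-Za-z0-9_]*=/ {
    name = substr($0, 1, index($0, "=") - 1)
    hide = (toupper(name) ~ /PASS|SECRET|TOKEN|KEY|CRED/)
    if (hide) { print name "=<redacted>" } else { print }
    next
  }
  !hide { print }
' | sort
echo ""

echo "=========================================="
echo "Container Diagnostics Complete"
echo "=========================================="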