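#!/usr/bin/env bash
# MEV Bot Security Validation Script
#
# Runs a series of checks against the Go sources under pkg/ and the process
# environment, tallies passes / failures / warnings, prints a summary and
# exits 0 when no check failed, 1 otherwise.
#
# Run it from the repository root (pkg/ must exist; see the guard below).
#
# Environment read:
#   MEV_BOT_ENCRYPTION_KEY  base64 of a 32-byte key (presence + decoded length)
#   ARBITRUM_RPC_ENDPOINT   required (failure if unset)
#   ARBITRUM_WS_ENDPOINT    optional (warning if unset)
#
# `set -e` is deliberately NOT used: each check records its own result and
# the script must keep going so the final summary covers every check. With
# -e, a failing run_check would abort the script before the summary.
set -uo pipefail

printf '%s\n' "🔒 MEV Bot Security Validation"
printf '%s\n' "=============================="

# Terminal colours (ANSI escapes); NC resets.
readonly RED=$'\033[0;31m'
readonly GREEN=$'\033[0;32m'
readonly YELLOW=$'\033[1;33m'
readonly BLUE=$'\033[0;34m'
readonly NC=$'\033[0m'

# Tally of check outcomes, written by run_check / run_warning and the
# two hand-rolled checks (key strength, gosec).
TOTAL_CHECKS=0
PASSED_CHECKS=0
FAILED_CHECKS=0
WARNINGS=0

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Every "no hardcoded X" check below greps pkg/ and passes when nothing is
# found. If pkg/ is missing, grep errors out and a negated check would pass
# spuriously, so refuse to run outside the repository root.
[[ -d pkg ]] || die "pkg/ not found: run this script from the repository root"

#######################################
# Print a section banner: blank line, title, underline (kept verbatim).
# Arguments: $1 - title, $2 - underline
#######################################
section() {
  printf '\n%s\n%s\n' "$1" "$2"
}

#######################################
# Run one check and tally the outcome. The check is passed as a command
# plus arguments (no eval) and its output is discarded.
# Globals:   TOTAL_CHECKS, PASSED_CHECKS, FAILED_CHECKS (written)
# Arguments: $1 - check name, $2 - description, $3.. - command and args
# Returns:   always 0; a failed check is tallied, never fatal
#######################################
run_check() {
  local name=$1 description=$2
  shift 2
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  printf '%s🔍 %s%s: %s\n' "$BLUE" "$name" "$NC" "$description"
  if "$@" >/dev/null 2>&1; then
    printf '  %s✅ PASSED%s\n' "$GREEN" "$NC"
    PASSED_CHECKS=$((PASSED_CHECKS + 1))
  else
    printf '  %s❌ FAILED%s\n' "$RED" "$NC"
    FAILED_CHECKS=$((FAILED_CHECKS + 1))
  fi
  return 0
}

#######################################
# Like run_check, but a non-zero command counts as a warning, not a failure.
# Globals:   TOTAL_CHECKS, PASSED_CHECKS, WARNINGS (written)
# Arguments: $1 - check name, $2 - description, $3.. - command and args
# Returns:   always 0
#######################################
run_warning() {
  local name=$1 description=$2
  shift 2
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  printf '%s🔍 %s%s: %s\n' "$BLUE" "$name" "$NC" "$description"
  if "$@" >/dev/null 2>&1; then
    printf '  %s✅ PASSED%s\n' "$GREEN" "$NC"
    PASSED_CHECKS=$((PASSED_CHECKS + 1))
  else
    printf '  %s⚠️  WARNING%s\n' "$YELLOW" "$NC"
    WARNINGS=$((WARNINGS + 1))
  fi
  return 0
}

#######################################
# True when the named environment variable is set and non-empty. Takes the
# variable NAME so secret values never appear in argv or an xtrace.
# Arguments: $1 - variable name
#######################################
env_set() {
  [[ -n ${!1:-} ]]
}

#######################################
# True when PATTERN (grep BRE) occurs in any Go file under pkg/.
# Arguments: $1 - pattern
#######################################
pkg_has() {
  grep -rq --include='*.go' -- "$1" pkg/
}

#######################################
# True when PATTERN occurs in no Go file under pkg/ (test files included).
# grep's stderr is folded into the captured output so an unreadable file
# shows up as a finding instead of being counted as "nothing found".
# Arguments: $1 - pattern
#######################################
pkg_lacks() {
  local hits
  hits=$(grep -r --include='*.go' -- "$1" pkg/ 2>&1)
  [[ -z $hits ]]
}

#######################################
# Like pkg_lacks, but hits in *_test.go files are ignored.
# Arguments: $1 - pattern
#######################################
pkg_lacks_outside_tests() {
  local hits
  hits=$(grep -r --include='*.go' -- "$1" pkg/ 2>&1 | grep -v -- '_test.go')
  [[ -z $hits ]]
}

#######################################
# True when no Go file under pkg/ contains a raw `uint32(` cast, ignoring
# the SafeUint32 helper itself and test files.
#######################################
no_raw_uint32_casts() {
  local hits
  hits=$(grep -r --include='*.go' -- 'uint32(' pkg/ 2>&1 \
    | grep -v -- 'SafeUint32' \
    | grep -v -- '_test.go')
  [[ -z $hits ]]
}

#######################################
# True when PATTERN occurs in FILE (missing file -> false).
# Arguments: $1 - pattern, $2 - file
#######################################
file_has() {
  grep -q -- "$1" "$2" 2>/dev/null
}

section "1. Environment Security Checks" "=============================="

run_check "Encryption Key" "Check if encryption key is set" env_set MEV_BOT_ENCRYPTION_KEY
run_check "RPC Endpoints" "Check if RPC endpoint is configured" env_set ARBITRUM_RPC_ENDPOINT
run_warning "WS Endpoints" "Check if WebSocket endpoint is configured" env_set ARBITRUM_WS_ENDPOINT

# Key strength: the key must be the base64 encoding of exactly 32 bytes.
# Decode and count bytes; with pipefail a base64 decode error fails the
# pipeline and the fallback sets the length to 0 (instead of appending "0"
# to partial output, which a trailing `|| echo 0` would do).
if [[ -n ${MEV_BOT_ENCRYPTION_KEY:-} ]]; then
  key_bytes=$(printf '%s' "$MEV_BOT_ENCRYPTION_KEY" | base64 -d 2>/dev/null | wc -c) || key_bytes=0
  key_bytes=$((key_bytes))   # arithmetic context strips BSD wc's padding (" 32" -> 32)
  run_check "Key Strength" "Verify encryption key is 256-bit (32 bytes)" test "$key_bytes" -eq 32
else
  # Count the skipped check so the total and pass rate reflect it.
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  printf '  %s❌ Cannot validate key strength - key not set%s\n' "$RED" "$NC"
  FAILED_CHECKS=$((FAILED_CHECKS + 1))
fi

section "2. Code Security Analysis" "========================"

run_check "No Hardcoded Secrets" "Check for hardcoded API keys in RPC URLs" \
  pkg_lacks 'wss://.*\.com.*[a-f0-9]\{40\}'
run_check "No Hardcoded Passwords" "Check for hardcoded passwords" \
  pkg_lacks_outside_tests 'password.*='
run_check "No Hardcoded Keys" "Check for hardcoded private keys" \
  pkg_lacks_outside_tests 'private.*key.*='

run_check "Crypto/Rand Usage" "Verify crypto/rand is used for randomness" pkg_has 'crypto/rand'
run_check "SafeMath Implementation" "Check if SafeMath is implemented" test -f pkg/security/safemath.go
run_check "Input Validation" "Check if input validation is implemented" test -f pkg/security/input_validator.go

section "3. Integer Overflow Protection" "============================="

run_check "Safe Uint32 Conversion" "Check if safe uint32 conversions are used" \
  pkg_has 'security\.SafeUint32'
run_check "Safe Uint8 Conversion" "Check if safe big.Int conversions are used" \
  pkg_has 'security\.SafeUint64FromBigInt'
run_check "No Direct uint32 Cast" "Check for direct uint32 casts" no_raw_uint32_casts

section "4. Configuration Security" "========================"

run_check "Secure Config" "Check if secure configuration is implemented" test -f pkg/security/config.go
# Match any 32-hex token in a chainstack wss URL rather than one specific
# token: the script must not carry a copy of a credential fragment, and a
# generic pattern also catches a rotated key being re-committed.
run_check "No Hardcoded Endpoints" "Check that hardcoded endpoints are removed" \
  pkg_lacks 'wss://.*chainstack.*[a-f0-9]\{32\}'

if [[ -f pkg/security/config.go ]]; then
  run_check "Endpoint Validation" "Check if endpoint validation is implemented" \
    file_has 'validateEndpoint' pkg/security/config.go
  run_check "Encryption Support" "Check if configuration encryption is supported" \
    file_has 'Encrypt.*string' pkg/security/config.go
fi

section "5. Transaction Security" "======================"

run_check "Transaction Security" "Check if transaction security is implemented" \
  test -f pkg/security/transaction_security.go
run_check "Front-running Protection" "Check if front-running protection exists" \
  file_has 'frontRunningProtection' pkg/security/transaction_security.go
run_check "Gas Validation" "Check if gas validation exists" \
  file_has 'gasValidation' pkg/security/transaction_security.go
run_check "Profit Validation" "Check if profit validation exists" \
  file_has 'profitValidation' pkg/security/transaction_security.go

section "6. Rate Limiting and DDoS Protection" "===================================="

run_check "Rate Limiter" "Check if rate limiter is implemented" test -f pkg/security/rate_limiter.go
run_check "DDoS Detection" "Check if DDoS detection exists" \
  file_has 'DDoSDetector' pkg/security/rate_limiter.go
run_check "Token Bucket" "Check if token bucket algorithm is implemented" \
  file_has 'TokenBucket' pkg/security/rate_limiter.go

section "7. Monitoring and Alerting" "=========================="

run_check "Security Monitor" "Check if security monitoring is implemented" test -f pkg/security/monitor.go
run_check "Alert System" "Check if alert system exists" \
  file_has 'SecurityAlert' pkg/security/monitor.go
run_check "Metrics Collection" "Check if metrics collection exists" \
  file_has 'SecurityMetrics' pkg/security/monitor.go

section "8. Build and Compilation Tests" "=============================="

# Compile the core security files individually (other packages are left out).
run_check "SafeMath Compilation" "Test SafeMath package compilation" \
  go build pkg/security/safemath.go
run_check "Config Compilation" "Test secure config compilation" \
  go build pkg/security/config.go
run_check "Input Validator Compilation" "Test input validator compilation" \
  go build pkg/security/input_validator.go pkg/security/safemath.go

# Remove any binaries `go build` may have dropped in the working directory.
rm -f -- safemath config input_validator 2>/dev/null

section "9. Security Best Practices" "=========================="

run_check "Error Wrapping" "Check if errors are properly wrapped" pkg_has 'fmt\.Errorf.*%w'
run_check "Context Usage" "Check if context is used for cancellation" pkg_has 'context\.Context'
run_check "Mutex Usage" "Check if mutexes are used for thread safety" pkg_has 'sync\..*Mutex'

section "10. Static Security Analysis" "============================"

if command -v gosec >/dev/null 2>&1; then
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  printf '%s🔍 Gosec Analysis%s: Run static security analysis\n' "$BLUE" "$NC"
  # Only the number of HIGH/MEDIUM lines matters; gosec's own exit status
  # (non-zero whenever it reports anything) is intentionally ignored.
  gosec_issues=$(gosec -quiet ./... 2>&1 | grep -c -E '(HIGH|MEDIUM)')
  gosec_issues=$((gosec_issues))
  if ((gosec_issues == 0)); then
    printf '  %s✅ PASSED%s - No high/medium severity issues found\n' "$GREEN" "$NC"
    PASSED_CHECKS=$((PASSED_CHECKS + 1))
  else
    printf '  %s❌ FAILED%s - Found %d high/medium severity issues\n' "$RED" "$NC" "$gosec_issues"
    FAILED_CHECKS=$((FAILED_CHECKS + 1))
  fi
else
  # gosec's module path is github.com/securego/gosec; the previous hint
  # pointed at a path that does not host the tool.
  printf '%s⚠️  Gosec not available - install with: go install github.com/securego/gosec/v2/cmd/gosec@latest%s\n' \
    "$YELLOW" "$NC"
fi

section "11. Production Readiness Checks" "==============================="

run_check "No Debug Code" "Check for debug print statements" pkg_lacks 'fmt\.Print'
run_check "No Test Code in Prod" "Check for test code in production files" \
  pkg_lacks_outside_tests 'testing\.T'
run_warning "Logging Configuration" "Check if proper logging is used" pkg_has 'logger\.'

section "SECURITY VALIDATION SUMMARY" "==========================="

printf 'Total Checks: %s%d%s\n' "$BLUE" "$TOTAL_CHECKS" "$NC"
printf 'Passed: %s%d%s\n' "$GREEN" "$PASSED_CHECKS" "$NC"
printf 'Failed: %s%d%s\n' "$RED" "$FAILED_CHECKS" "$NC"
printf 'Warnings: %s%d%s\n' "$YELLOW" "$WARNINGS" "$NC"

# Integer percentage; guarded so an empty run cannot divide by zero.
if ((TOTAL_CHECKS > 0)); then
  pass_percentage=$(((PASSED_CHECKS * 100) / TOTAL_CHECKS))
  printf 'Pass Rate: %s%d%%%s\n' "$BLUE" "$pass_percentage" "$NC"
fi
printf '\n'

if ((FAILED_CHECKS == 0)); then
  printf '%s🎉 SECURITY VALIDATION PASSED!%s\n' "$GREEN" "$NC"
  printf '%s\n' "The MEV bot meets all critical security requirements."
  if ((WARNINGS > 0)); then
    printf '%s⚠️  Note: %d warnings found - consider addressing them for enhanced security.%s\n' \
      "$YELLOW" "$WARNINGS" "$NC"
  fi
  printf '\n%s\n' "✅ PRODUCTION READY - Security validation successful"
  exit 0
else
  printf '%s🚨 SECURITY VALIDATION FAILED!%s\n' "$RED" "$NC"
  printf 'Found %d critical security issues that must be resolved before production deployment.\n' \
    "$FAILED_CHECKS"
  printf '\n%s\n' "❌ NOT PRODUCTION READY - Address all failed checks before deploying"
  exit 1
fi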