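#!/usr/bin/env bash
#
# Smoke test: send one POST with ecurl to a throwaway HTTPS echo server that
# this script starts on 127.0.0.1, then check the JSON that ecurl prints.
#
# Requires: openssl, python3, ecurl, jq.
#
# Security notes for maintainers:
#   * The key pair is generated per run inside a mktemp -d directory and is
#     removed on exit; it must never be reused outside this test.
#   * The request runs with --insecure, so this test exercises the TLS
#     transport only. It says nothing about ecurl's certificate validation.
set -euo pipefail

S_PORT=18101        # TLS server
SPID=""             # server PID; empty until the server has been started

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

for tool in openssl python3 ecurl jq; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

# Deliberately not named TMPDIR: that name is the conventional environment
# variable for the temp location, and overwriting it can redirect temp files
# of every child process into this directory.
WORK_DIR="$(mktemp -d)"

# Runs on every exit path. SPID is initialised above so that an early failure
# (e.g. openssl) does not trip `set -u` inside the trap and skip the rm,
# which would leave the private key behind on disk.
cleanup() {
  if [[ -n "$SPID" ]]; then
    kill "$SPID" 2>/dev/null || true
    wait "$SPID" 2>/dev/null || true
  fi
  rm -rf -- "${WORK_DIR:?}"
}
trap cleanup EXIT

# Create a self-signed cert. -nodes leaves the key unencrypted; it is only
# protected by living inside the mktemp -d directory. The certificate is
# self-signed and carries only a CN, so a verifying client is expected to
# reject it; see the --insecure note at the request below.
if ! openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK_DIR/key.pem" -out "$WORK_DIR/cert.pem" \
    -subj "/CN=127.0.0.1" -days 1 >"$WORK_DIR/openssl.log" 2>&1; then
  cat "$WORK_DIR/openssl.log" >&2
  die "openssl could not generate the test certificate"
fi

# Minimal HTTPS echo server
cat >"$WORK_DIR/https_server.py" <<'PY'
import ssl, json, sys
from http.server import HTTPServer, BaseHTTPRequestHandler

MAX_BODY = 1 << 20  # largest request body this test server will read

class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # ensure proper framing

    def _write_json(self, obj):
        data = json.dumps(obj).encode("utf-8")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Connection", "close")  # keep it simple
        self.end_headers()
        self.wfile.write(data)
        self.wfile.flush()

    def do_GET(self):
        self.send_response(200)
        self._write_json({"path": self.path, "method": "GET"})

    def do_POST(self):
        # Content-Length is client-controlled. A non-numeric value would raise,
        # and a negative one would make read() wait for EOF, so both are
        # rejected before anything is read from the socket.
        try:
            length = int(self.headers.get("Content-Length", 0))
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY:
            self.send_response(400)
            self._write_json({"error": "invalid Content-Length"})
            return
        body = self.rfile.read(length).decode("utf-8", "replace") if length else ""
        self.send_response(200)
        self._write_json({"path": self.path, "method": "POST", "body": body})

    def log_message(self, fmt, *args):
        # keep test output clean (optional)
        pass

port = int(sys.argv[1])
# Bound to loopback only: this server has no authentication.
httpd = HTTPServer(("127.0.0.1", port), Handler)

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(sys.argv[2], keyfile=sys.argv[3])
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)

httpd.serve_forever()
PY

# Start HTTPS server
python3 "$WORK_DIR/https_server.py" "$S_PORT" "$WORK_DIR/cert.pem" "$WORK_DIR/key.pem" \
  >"$WORK_DIR/https.log" 2>&1 &
SPID=$!

# Wait until our own server accepts connections instead of sleeping a fixed
# time. The liveness check matters: if the port is already taken the server
# exits, and the request below would otherwise reach whatever else is
# listening on that port.
ready=0
for _ in {1..50}; do
  if ! kill -0 "$SPID" 2>/dev/null; then
    cat "$WORK_DIR/https.log" >&2
    die "HTTPS test server exited during startup"
  fi
  if python3 -c 'import socket, sys; socket.create_connection(("127.0.0.1", int(sys.argv[1])), 1).close()' \
      "$S_PORT" 2>/dev/null; then
    ready=1
    break
  fi
  sleep 0.1
done
if (( ! ready )); then
  cat "$WORK_DIR/https.log" >&2
  die "HTTPS test server did not start listening on port ${S_PORT}"
fi

# Test direct HTTPS connection (without proxy)
# --insecure turns certificate verification off. That is tolerable only
# because the peer is this script's own loopback server with a key created
# seconds ago; do not copy the flag into anything that talks to a real host.
# `|| true` is kept from the original: the verdict comes from the JSON check.
resp="$(ecurl -u "https://127.0.0.1:${S_PORT}/test?x=" -X POST -d "foo=bar" -H "X-Test: ecurl" -i "tls" --json -q --insecure --timeout 5 || true)"

# NOTE(review): the second alternative makes any positive status pass, so a
# 4xx/5xx reply also satisfies this check. The server above answers this
# request with 200; tighten the filter to `.response.status == 200` if a
# strict check is intended.
if ! jq -e '.response.status == 200 or .response.status > 0' <<<"$resp" >/dev/null; then
  printf 'unexpected ecurl output:\n%s\n' "$resp" >&2
  die "direct HTTPS request did not report a usable status"
fi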