rdp-proxy/scripts/fabric/c18z48-service-channel-introspection-smoke.ps1

param(
    [string]$ApiBaseUrl = "http://192.168.200.61:18121/api/v1",
    [string]$ClusterID = "cfc0743d-d960-49fb-9de8-96e063d5e4aa",
    [string]$ActorUserID = "f67d943f-5397-4b3a-a229-695fe67ad700",
    [string]$EntryNodeName = "test-1",
    [string]$ExitNodeName = "test-2",
    [string]$EntryBaseUrl = "http://192.168.200.61:19131",
    [string]$DockerSSH = "test-docker",
    [string]$ExpectedBackendImage = "rap-backend:fabric-service-channel-0.2.231",
    [string]$ExpectedNodeAgentImage = "rap-node-agent:0.2.232",
    [string]$ResultPath = "artifacts\c18z48-service-channel-introspection-smoke-result.json"
)

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$repoRoot = (Resolve-Path (Join-Path $scriptDir "..\..")).ProviderPath

function Invoke-ApiGet {
    param([string]$Path, [int]$TimeoutSec = 30)
    Invoke-RestMethod -Method Get -Uri "$ApiBaseUrl$Path" -TimeoutSec $TimeoutSec
}

function Invoke-RawPostStatus {
    param(
        [string]$Url,
        [hashtable]$Headers
    )
    try {
        Invoke-WebRequest -Method Post -Uri $Url -Headers $Headers -Body ([System.Text.Encoding]::UTF8.GetBytes("packet")) -ContentType "application/octet-stream" -TimeoutSec 30 | Out-Null
        return 202
    } catch {
        if ($_.Exception.Response -and $_.Exception.Response.StatusCode) {
            return [int]$_.Exception.Response.StatusCode
        }
        throw
    }
}

$nodes = @((Invoke-ApiGet -Path "/clusters/$ClusterID/nodes?actor_user_id=$ActorUserID").nodes)
$entryNode = $nodes | Where-Object { $_.name -eq $EntryNodeName } | Select-Object -First 1
$exitNode = $nodes | Where-Object { $_.name -eq $ExitNodeName } | Select-Object -First 1
if ($null -eq $entryNode -or $null -eq $exitNode) {
    throw "Entry or exit node not found: $EntryNodeName / $ExitNodeName"
}

$resourceID = "c18z48-vpn-smoke"
$leaseBody = @{
    actor_user_id = $ActorUserID
    organization_id = "smoke-org"
    user_id = "smoke-user"
    resource_id = $resourceID
    service_class = "vpn_packets"
    entry_node_ids = @([string]$entryNode.id)
    exit_node_ids = @([string]$exitNode.id)
    preferred_entry_node_id = [string]$entryNode.id
    preferred_exit_node_id = [string]$exitNode.id
    allowed_channels = @("vpn_packet", "fabric_control")
    ttl_seconds = 120
} | ConvertTo-Json -Depth 20
$lease = (Invoke-RestMethod -Method Post -Uri "$ApiBaseUrl/clusters/$ClusterID/fabric/service-channels/leases" -ContentType "application/json" -Body $leaseBody -TimeoutSec 30).fabric_service_channel_lease

$packetPath = $lease.entry_http.path_template.
    Replace("{cluster_id}", $ClusterID).
    Replace("{channel_id}", [string]$lease.channel_id).
    Replace("{resource_id}", $resourceID)
$packetUrl = $EntryBaseUrl.TrimEnd("/") + $packetPath
$headers = @{
    "X-RAP-Service-Channel-Token" = [string]$lease.token.token
    "X-RAP-Fabric-Channel-ID" = [string]$lease.channel_id
    "X-RAP-Service-Class" = "vpn_packets"
    "X-RAP-Channel-Class" = "vpn_packet"
}
$badHeaders = $headers.Clone()
$badHeaders["X-RAP-Service-Channel-Token"] = "rap_fsc_wrong"

$introspectionStatus = Invoke-RawPostStatus -Url $packetUrl -Headers $headers
$introspectionResponse = Invoke-WebRequest -Method Post -Uri $packetUrl -Headers $headers -Body ([System.Text.Encoding]::UTF8.GetBytes("packet-accepted-by")) -ContentType "application/octet-stream" -TimeoutSec 30
$badTokenStatus = Invoke-RawPostStatus -Url $packetUrl -Headers $badHeaders
$backendLine = (& ssh $DockerSSH "docker ps --format '{{.Names}} {{.Image}} {{.Status}}' | grep '^rap_test_backend '") | Out-String
$nodeLines = (& ssh $DockerSSH "docker ps --format '{{.Names}} {{.Image}} {{.Status}}' | grep '^rap_test_node_test_'") | Out-String

$result = [ordered]@{
    schema_version = "c18z48.service_channel_introspection_smoke.v1"
    cluster_id = $ClusterID
    entry_node_id = [string]$entryNode.id
    exit_node_id = [string]$exitNode.id
    channel_id = [string]$lease.channel_id
    passed = [bool](
        $backendLine.Contains($ExpectedBackendImage) -and
        $nodeLines.Contains($ExpectedNodeAgentImage) -and
        $introspectionStatus -eq 202 -and
        [string]$introspectionResponse.Headers["X-RAP-Service-Channel-Accepted-By"] -eq "introspection" -and
        $badTokenStatus -eq 403
    )
    checks = [ordered]@{
        backend_expected_image_deployed = $backendLine.Contains($ExpectedBackendImage)
        node_agent_expected_image_deployed = $nodeLines.Contains($ExpectedNodeAgentImage)
        unsigned_token_accepted_by_introspection = ($introspectionStatus -eq 202)
        accepted_by_header_is_introspection = ([string]$introspectionResponse.Headers["X-RAP-Service-Channel-Accepted-By"] -eq "introspection")
        bad_token_rejected = ($badTokenStatus -eq 403)
    }
    summary = [ordered]@{
        backend_container = $backendLine.Trim()
        node_containers = $nodeLines.Trim()
        packet_url = $packetUrl
        introspection_status = $introspectionStatus
        accepted_by = [string]$introspectionResponse.Headers["X-RAP-Service-Channel-Accepted-By"]
        bad_token_status = $badTokenStatus
        lease_status = [string]$lease.status
        selected_route = $lease.primary_route
    }
}

$resultFullPath = Join-Path $repoRoot $ResultPath
$resultDir = Split-Path -Parent $resultFullPath
if (-not (Test-Path $resultDir)) {
    New-Item -ItemType Directory -Path $resultDir | Out-Null
}
$result | ConvertTo-Json -Depth 100 | Set-Content -Path $resultFullPath -Encoding UTF8

if (-not $result.passed) {
    throw "C18Z48 service-channel introspection smoke failed. Result: $resultFullPath"
}

Write-Host "C18Z48 service-channel introspection smoke passed. Result: $resultFullPath"
$result