#!/usr/bin/env bash
#
# CVE-2025-13673 Lab Setup
# One-command setup: ./setup.sh [plugin_version]
#
# Default plugin version: 3.9.3 (no esc_sql — easiest to exploit)
# Also vulnerable: 3.9.4, 3.9.5, 3.9.6 (partial esc_sql mitigation)
# Fixed: 3.9.7+
#
set -euo pipefail

PLUGIN_VERSION="${1:-3.9.3}"
WP_URL="http://localhost:8080"
ADMIN_USER="admin"
ADMIN_PASS="admin123"
TEST_USER="testuser"
TEST_PASS="test123"

echo "[*] CVE-2025-13673 Lab Setup"
echo "[*] Tutor LMS version: ${PLUGIN_VERSION}"
echo ""

# ── Start containers ──
echo "[1/5] Starting Docker containers..."
docker compose down -v 2>/dev/null || true
docker compose up -d 2>&1 | tail -3

# ── Wait for WordPress to be ready ──
echo "[2/5] Waiting for WordPress..."
for i in $(seq 1 30); do
    if curl -s -o /dev/null -w "%{http_code}" "$WP_URL/" 2>/dev/null | grep -qE '200|302'; then
        break
    fi
    sleep 2
done

# ── Install WP-CLI and configure WordPress ──
echo "[3/5] Installing WordPress + WP-CLI..."
docker exec tutor-wp bash -c '
    curl -sO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
    chmod +x wp-cli.phar
    mv wp-cli.phar /usr/local/bin/wp
' 2>/dev/null

docker exec tutor-wp wp core install \
    --url="$WP_URL" \
    --title="Tutor LMS CVE Lab" \
    --admin_user="$ADMIN_USER" \
    --admin_password="$ADMIN_PASS" \
    --admin_email="admin@lab.local" \
    --skip-email --allow-root 2>&1 | tail -1

docker exec tutor-wp wp user create "$TEST_USER" testuser@lab.local \
    --user_pass="$TEST_PASS" --role=subscriber --allow-root 2>&1 | tail -1

docker exec tutor-wp wp option update users_can_register 1 --allow-root 2>/dev/null

# ── Install vulnerable Tutor LMS ──
echo "[4/5] Installing Tutor LMS ${PLUGIN_VERSION}..."
docker exec tutor-wp wp plugin install \
    "https://downloads.wordpress.org/plugin/tutor.${PLUGIN_VERSION}.zip" \
    --activate --allow-root 2>&1 | tail -1

# ── Enable monetization + coupons + create test course ──
echo "[5/5] Configuring monetization, coupons, and test course..."
docker exec tutor-wp wp option update tutor_option \
    '{"monetize_by":"tutor","enable_coupon":"on","is_coupon_applicable":"1"}' \
    --format=json --allow-root 2>/dev/null

docker exec tutor-wp bash -c '
    wp post create --post_type=courses --post_title="Test Course" \
        --post_status=publish --post_content="Lab course" --allow-root 2>&1 | tail -1
    POST_ID=$(wp post list --post_type=courses --field=ID --allow-root 2>/dev/null | head -1)
    wp post meta update "$POST_ID" _tutor_course_price_type paid --allow-root 2>/dev/null
    wp post meta update "$POST_ID" tutor_course_price 99 --allow-root 2>/dev/null
'

# ── Done ──
VERSION=$(docker exec tutor-wp wp plugin list --fields=name,version --format=csv --allow-root 2>/dev/null | grep tutor | cut -d, -f2)
echo ""
echo "============================================"
echo "  Lab ready!"
echo "  URL:       $WP_URL"
echo "  Plugin:    Tutor LMS v${VERSION}"
echo "  Admin:     $ADMIN_USER / $ADMIN_PASS"
echo "  Subscriber: $TEST_USER / $TEST_PASS"
echo ""
echo "  Test (unauthenticated):"
echo "    python3 exploit.py $WP_URL"
echo ""
echo "  Test (authenticated, fast UNION):"
echo "    python3 exploit.py $WP_URL -u $TEST_USER -p $TEST_PASS --all"
echo "============================================"