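#!/usr/bin/env bash
#
# reset-lab.sh - restore the Mercator lab to a pristine state between
# ssrf2redis.py runs, so the SSRF -> Redis -> webshell chain can be
# re-tested as a true one-shot.
#
# Steps:
#   1. ensure the colocated redis-poc container is running
#   2. delete the dropped PHP webshell from the Mercator webroot
#   3. reset Redis (FLUSHALL + dir/dbfilename back to defaults) - a stale
#      `dir` left pointing at the webroot would let a degenerate exploit
#      "succeed" without doing CONFIG SET itself, i.e. a false positive
#   4. verify the lab is clean (webshell -> HTTP 404)
#
# Only the named webshell artifact is ever removed. The name must be a
# single path component made of [A-Za-z0-9._-], so it can neither leave
# the webroot nor break out of the quoted remote command. index.php is
# refused outright; other Mercator files are not enumerated here, so do
# not pass the name of a real application file.
#
# Usage: ./reset-lab.sh [webshell-name]   (default: poc.php)
# Exit:  0 lab clean, 1 reset or verification failed, 2 bad argument
#
set -euo pipefail

readonly VM="mercator-lab"
readonly REDIS_CTR="redis-poc"
readonly WEBROOT="/var/www/mercator/public"
readonly BASE="http://127.0.0.1:8000"
readonly SHELL_NAME="${1:-poc.php}"

# Print a usage-level error on stderr and stop before anything is touched.
die() {
  printf '[-] %s\n' "$*" >&2
  exit 2
}

# The artifact name ends up inside a remote shell string and a URL, so it
# is validated before first use: no slashes, no quotes, no "." / "..".
readonly NAME_RE='^[A-Za-z0-9._-]+$'
case "$SHELL_NAME" in
  . | ..) die "invalid webshell name: ${SHELL_NAME}" ;;
  index.php) die "refusing to delete Mercator's own index.php" ;;
esac
[[ "$SHELL_NAME" =~ $NAME_RE ]] \
  || die "webshell name must be a plain file name ([A-Za-z0-9._-] only)"

echo "[*] Resetting Mercator lab (artifact: ${SHELL_NAME})"

# 1. ensure redis-poc is up (anchored filter: exact container name only)
if [ -z "$(orb -m "$VM" docker ps -q -f "name=^${REDIS_CTR}$")" ]; then
  echo "[*] ${REDIS_CTR} is down -> starting it"
  orb -m "$VM" docker start "$REDIS_CTR" >/dev/null
fi

# 2. delete the webshell artifact (exact name only).
#    Best effort: a failure here is reported, not fatal, because step 4
#    still fails the run if the file is being served afterwards.
if ! orb -m "$VM" bash -lc "rm -fv -- '${WEBROOT}/${SHELL_NAME}'" \
  | sed 's/^/ removed: /'; then
  echo "[-] WARNING: could not remove ${WEBROOT}/${SHELL_NAME}" >&2
fi

# 3. reset Redis to pristine defaults (lab container only)
rcli() { orb -m "$VM" docker exec "$REDIS_CTR" redis-cli "$@"; }
rcli FLUSHALL >/dev/null
rcli CONFIG SET dir /data >/dev/null
rcli CONFIG SET dbfilename dump.rdb >/dev/null

# The replies above are discarded and redis-cli may exit 0 on an error
# reply, so read the settings back: a `dir` still pointing at the webroot
# is exactly the false-positive condition this script exists to remove.
redis_dir="$(rcli CONFIG GET dir | tail -n 1)"
redis_dbfile="$(rcli CONFIG GET dbfilename | tail -n 1)"
if [ "$redis_dir" != "/data" ] || [ "$redis_dbfile" != "dump.rdb" ]; then
  echo "[-] WARNING: Redis not reset (dir=${redis_dir}, dbfilename=${redis_dbfile})"
  exit 1
fi
echo "[+] Redis flushed (dbsize=$(rcli DBSIZE)), dir/dbfilename reset to defaults"

# 4. verify clean state. A curl failure (lab web server unreachable) is
#    reported explicitly instead of letting `set -e` end the run silently.
if ! code="$(curl -s -o /dev/null -w '%{http_code}' "${BASE}/${SHELL_NAME}")"; then
  echo "[-] WARNING: could not reach ${BASE} to verify the reset"
  exit 1
fi

if [ "$code" = "404" ]; then
  echo "[+] Clean: ${BASE}/${SHELL_NAME} -> 404"
  echo "[+] Lab reset complete - ready for a fresh exploit run"
else
  echo "[-] WARNING: ${BASE}/${SHELL_NAME} -> ${code} (expected 404)"
  exit 1
fi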