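#!/bin/bash
# Cloud & Infrastructure Security
# S3 buckets, cloud metadata endpoints, exposed cloud assets, secrets in env
#
# Settings come from ../config.sh, which is expected to define:
#   OUT         output root (this script writes under $OUT/cloud_infrastructure)
#   BROWSER_UA  User-Agent sent with HTTP probes
#   TARGET_HOST hostname used for DNS lookups and the k8s port probe
#   TARGET      base URL for path probes (credential files, k8s paths, security.txt)
#   API_TARGET  base URL for the API probes (SSRF sweep, env endpoints)
#
# Output: findings tagged [!!!] / [WARN] always go to summary.txt; [PASS] / [INFO]
# lines go there only in the sections that treat them as results (see per-section
# notes). The summary is printed at the end.
#
# No `set -e`: non-zero exits from curl (timeouts, "000") and grep (no match) are
# expected outcomes here, not errors.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../config.sh
source "$SCRIPT_DIR/../config.sh"

# Fail early on a broken config rather than writing under "/" or probing "".
: "${OUT:?OUT must be set by config.sh}"
: "${TARGET_HOST:?TARGET_HOST must be set by config.sh}"
: "${TARGET:?TARGET must be set by config.sh}"
: "${API_TARGET:?API_TARGET must be set by config.sh}"

OUT="$OUT/cloud_infrastructure"
mkdir -p "$OUT"
SUMMARY="$OUT/summary.txt"
BROWSER="$BROWSER_UA"
DOMAIN="${TARGET_HOST}"
readonly CURL_TIMEOUT=8   # seconds per request (the k8s port probe uses a shorter one)

# Single scratch file for response bodies; removed on any exit path.
BODY="$OUT/response.tmp"
trap 'rm -f -- "$BODY"' EXIT

#######################################
# Write a line to stdout and append it to the summary file.
# Arguments: $* - the line
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$SUMMARY"
}

#######################################
# Write a line to stdout only (progress / non-findings).
# Arguments: $* - the line
#######################################
say() {
  printf '%s\n' "$*"
}

#######################################
# GET a URL and print the HTTP status code.
# Arguments: $1 - URL
#            $2 - file to save the body to (default: /dev/null)
#            $3 - per-request timeout in seconds (default: CURL_TIMEOUT)
# Outputs:   the status code on stdout; curl prints "000" when nothing was
#            received (connection refused / timeout)
#######################################
http_code() {
  local url=$1 body=${2:-/dev/null} timeout=${3:-$CURL_TIMEOUT}
  # Truncate first: curl only writes -o on received data, so a failed request
  # would otherwise leave the previous response in place and cause a stale
  # match (a false-positive finding) in the callers' grep checks.
  : > "$body"
  curl -sk -o "$body" -w '%{http_code}' --max-time "$timeout" -A "$BROWSER" "$url"
}

printf '%s\n' '=== CLOUD & INFRASTRUCTURE SECURITY ===' | tee "$SUMMARY"

# ── 1. Cloud Metadata Endpoint SSRF ──────────────────────────────────────────
log ''
log '--- Cloud Metadata via SSRF ---'
METADATA_URLS=(
  "http://169.254.169.254/latest/meta-data/"
  "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  "http://metadata.google.internal/computeMetadata/v1/"
  "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
  "http://100.100.100.200/latest/meta-data/"
)
SSRF_PARAMS=(url redirect callback webhook target endpoint fetch)
# Strings that indicate the body came from a metadata service, not the app.
META_INDICATORS='ami-id|instance-id|security-credentials|computeMetadata|access_key'
if ! command -v python3 >/dev/null; then
  # Without the encoder every probe would send an empty parameter; say so
  # instead of silently reporting a clean sweep.
  log ' [INFO] python3 not found — cloud metadata SSRF sweep skipped'
else
  for meta_url in "${METADATA_URLS[@]}"; do
    enc=$(printf '%s' "$meta_url" \
      | python3 -c 'import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))')
    for param in "${SSRF_PARAMS[@]}"; do
      # Status code is irrelevant here; only the body content decides.
      http_code "$API_TARGET/encrypt?$param=$enc" "$BODY" >/dev/null
      if grep -qiE "$META_INDICATORS" "$BODY"; then
        log " [!!!] CLOUD METADATA SSRF via ?$param: $meta_url"
      fi
    done
  done
  log ' Cloud metadata SSRF sweep complete'
fi

# ── 2. S3 Bucket Enumeration ─────────────────────────────────────────────────
log ''
log '--- S3 Bucket Enumeration ---'
BUCKET_NAMES=(
  "pqcrypta" "pqcrypta-assets" "pqcrypta-backup" "pqcrypta-logs" "pqcrypta-uploads"
  "pqcrypta-static" "pqcrypta-prod" "pqcrypta-dev" "pqcrypta-data" "pqcrypta-keys"
  "pqcrypta-config" "philibert" "philibert-assets" "philibert-backup"
  "pqc-assets" "pqc-backup" "pqc-uploads"
)
for bucket in "${BUCKET_NAMES[@]}"; do
  resp=$(http_code "https://$bucket.s3.amazonaws.com/" "$BODY")
  case "$resp" in
    200) log " [!!!] S3 BUCKET PUBLIC: $bucket" ;;
    403) log " [PASS] $bucket — exists but access denied (403)" ;;
    404) say " [INFO] $bucket — not found (404)" ;;
    # Anything else (e.g. a 301 region redirect) is left for manual review.
    *)   say " [INFO] $bucket — $resp" ;;
  esac
done

# ── 3. Exposed Cloud Credentials / Config Files ──────────────────────────────
log ''
log '--- Exposed Cloud Credentials ---'
CRED_PATHS=(
  "/.aws/credentials" "/.aws/config"
  "/.gcloud/credentials.json" "/.gcloud/application_default_credentials.json"
  "/service-account.json" "/credentials.json" "/serviceaccount.json"
  "/.azure/credentials" "/azure-credentials.json"
  "/.kube/config" "/kubeconfig" "/kube-config.yaml"
  "/terraform.tfstate" "/terraform.tfstate.backup"
  "/.vault-token" "/vault-token"
)
for path in "${CRED_PATHS[@]}"; do
  resp=$(http_code "$TARGET$path" "$BODY")
  if [ "$resp" = "200" ]; then
    size=$(wc -c < "$BODY")
    log " [!!!] CREDENTIAL FILE EXPOSED: $path ($size bytes)"
  else
    say " [PASS] $path → $resp"
  fi
done

# ── 4. Kubernetes API & Pod Metadata ─────────────────────────────────────────
# Every result in this section is recorded in the summary.
log ''
log '--- Kubernetes API Exposure ---'
K8S_PATHS=(
  "/api/v1/namespaces" "/api/v1/pods" "/api/v1/secrets"
  "/apis/apps/v1/deployments" "/.well-known/kubeconfig"
)
for path in "${K8S_PATHS[@]}"; do
  resp=$(http_code "$TARGET$path")
  if [ "$resp" = "200" ]; then
    log " [!!!] K8s API EXPOSED: $path"
  else
    log " [PASS] $path → $resp"
  fi
done
# Check default k8s ports. "000" means nothing answered; any other code means
# the port is listening, so it is reported even when the response is not 200.
for port in 6443 8443 10250 10255 2379 2380; do
  resp=$(http_code "https://${TARGET_HOST}:$port/" /dev/null 5)
  case "$resp" in
    200) log " [!!!] K8s port OPEN: $port" ;;
    000) log " [PASS] port $port → no response" ;;
    *)   log " [WARN] port $port reachable (HTTP $resp) — verify it is meant to be exposed" ;;
  esac
done

# ── 5. Environment Variable Leakage via Endpoints ────────────────────────────
log ''
log '--- Environment Variable Leakage ---'
ENV_INDICATORS='DATABASE_URL|SECRET_KEY|AWS_|PRIVATE_KEY|PASSWORD|TOKEN'
for ep in "/env" "/environment" "/config" "/settings" "/debug/env" "/api/env" "/info" "/actuator/env"; do
  resp=$(http_code "$API_TARGET$ep" "$BODY")
  if [ "$resp" = "200" ]; then
    if grep -qiE "$ENV_INDICATORS" "$BODY"; then
      log " [!!!] SENSITIVE ENV VARS EXPOSED at $ep"
    else
      log " [WARN] $ep is open (200) — check content"
    fi
  else
    say " [PASS] $ep → $resp"
  fi
done

# ── 6. DNS Security: DNSSEC, SPF, DMARC, CAA ─────────────────────────────────
# Every result in this section is recorded in the summary.
log ''
log '--- DNS Security Records ---'
if dig +short TXT "_dmarc.$DOMAIN" | grep -qi 'v=DMARC1'; then
  log ' [PASS] DMARC present'
else
  log ' [WARN] DMARC missing'
fi
if dig +short TXT "$DOMAIN" | grep -qi 'v=spf1'; then
  log ' [PASS] SPF present'
else
  log ' [WARN] SPF missing'
fi
# One lookup, joined onto a single line so the summary stays one entry per check.
caa=$(dig +short CAA "$DOMAIN" | paste -sd ' ' -)
if [ -n "$caa" ]; then
  log " [PASS] CAA record present: $caa"
else
  log ' [WARN] No CAA record'
fi
# A published DNSKEY shows the zone is signed; it does not by itself confirm
# that the chain of trust (DS at the parent) validates.
if [ -n "$(dig +short DNSKEY "$DOMAIN")" ]; then
  log ' [PASS] DNSSEC enabled'
else
  log ' [INFO] DNSSEC not detected (may be at registrar)'
fi

# ── 7. Security.txt & Responsible Disclosure ─────────────────────────────────
log ''
log '--- Security.txt Presence ---'
for secpath in "/.well-known/security.txt" "/security.txt"; do
  resp=$(http_code "$TARGET$secpath" "$BODY")
  if [ "$resp" = "200" ]; then
    log " [PASS] security.txt found at $secpath"
    grep -iE 'Contact:|Expires:|Policy:' "$BODY" | tee -a "$SUMMARY"
  else
    log " [INFO] $secpath → $resp (no security.txt)"
  fi
done

cat "$SUMMARY"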