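#!/bin/bash
# Security Check Script
# Validates security configuration and provides security recommendations.
#
# Reads:   OMP_NUM_THREADS, HF_TOKEN, RATE_LIMIT_ENABLED, LOG_DIR
# Probes:  the local process list (pgrep) and the health endpoint (curl)
# Outputs: one status line per check on stdout
#
# NOTE(review): findings are only printed. The script never exits non-zero
# because of an ERROR line, so a caller cannot gate a deployment on its exit
# status; it has to read the output.

set -euo pipefail

readonly HEALTH_URL="http://localhost:7860/api/health"
readonly DEFAULT_LOG_DIR="/tmp/logs"

#######################################
# Tell whether a string is a decimal integer greater than zero.
# Decided by pattern only, so a value too large for shell arithmetic does
# not produce an "integer expression expected" error.
# Arguments: $1 - candidate value
# Returns:   0 if positive integer, 1 otherwise
#######################################
is_positive_int() {
  [[ "${1:-}" =~ ^0*[1-9][0-9]*$ ]]
}

#######################################
# Tell whether a raw response-header dump contains a given header.
# The match is anchored to "Name:" at the start of a line; an unanchored
# match would also accept the name appearing inside another header's value.
# Arguments: $1 - header dump as printed by `curl -I`
#            $2 - header name (case-insensitive)
# Returns:   0 if present, 1 otherwise
#######################################
has_header() {
  local dump=$1
  local name=$2
  grep -qi -- "^${name}:" <<<"$dump"
}

echo "============================================================"
echo "Security Configuration Check"
echo "============================================================"

# Check OMP_NUM_THREADS
omp_threads=${OMP_NUM_THREADS:-}
if [[ -z "$omp_threads" ]]; then
  echo "⚠️ WARNING: OMP_NUM_THREADS not set"
elif ! is_positive_int "$omp_threads"; then
  printf '%s\n' "❌ ERROR: OMP_NUM_THREADS is invalid: $omp_threads"
else
  printf '%s\n' "✅ OMP_NUM_THREADS: $omp_threads"
fi

# Check HF_TOKEN. Only presence is reported; the value is never echoed, so
# the token does not end up in terminal scrollback or captured logs.
if [[ -z "${HF_TOKEN:-}" ]]; then
  echo "❌ ERROR: HF_TOKEN not set"
else
  echo "✅ HF_TOKEN is set"
fi

# Check rate limiting.
# NOTE(review): only the exact string "false" counts as disabled; unset,
# "False" or "0" are all reported as enabled. Confirm this matches how the
# application parses RATE_LIMIT_ENABLED.
if [[ "${RATE_LIMIT_ENABLED:-}" != "false" ]]; then
  echo "✅ Rate limiting enabled"
else
  echo "⚠️ WARNING: Rate limiting disabled (not recommended for production)"
fi

# Check log directory. The default is resolved before testing, so an unset
# LOG_DIR checks the same path that the message names.
# NOTE(review): the default sits under /tmp, which is normally writable by
# every local user; ownership and mode of the log directory are not checked.
log_dir=${LOG_DIR:-$DEFAULT_LOG_DIR}
if [[ -d "$log_dir" ]]; then
  printf '%s\n' "✅ Log directory exists: $log_dir"
  if [[ -w "$log_dir" ]]; then
    echo "✅ Log directory is writable"
  else
    echo "⚠️ WARNING: Log directory is not writable"
  fi
else
  printf '%s\n' "⚠️ WARNING: Log directory does not exist: $log_dir"
fi

# Check if running with Gunicorn.
# pgrep -f matches the pattern anywhere in any process's command line, so a
# hit shows that some matching process exists, not that it serves this app.
if pgrep -f "gunicorn" > /dev/null; then
  echo "✅ Running with Gunicorn (production server)"
elif pgrep -f "flask_api_standalone.py" > /dev/null; then
  echo "⚠️ WARNING: Running with Flask dev server (not recommended for production)"
else
  echo "ℹ️ Application not running"
fi

# Check security headers (if app is running).
# One request serves as both the liveness probe and the header fetch; a
# failed fetch skips the section instead of aborting under `set -e`, and
# --max-time keeps an unresponsive listener from hanging the script.
if headers=$(curl -s -I --max-time 5 "$HEALTH_URL" 2>/dev/null); then
  echo ""
  echo "Checking security headers..."

  # Strict-Transport-Security is only honoured by browsers over HTTPS, and
  # this probe uses plain HTTP on localhost; confirm a "missing" result
  # against the TLS endpoint before treating it as a finding.
  # X-XSS-Protection is a legacy header that current browsers ignore;
  # Content-Security-Policy is the control that matters for XSS.
  required_headers=(
    "X-Content-Type-Options"
    "X-Frame-Options"
    "X-XSS-Protection"
    "Strict-Transport-Security"
    "Content-Security-Policy"
  )

  for header in "${required_headers[@]}"; do
    if has_header "$headers" "$header"; then
      echo "✅ $header present"
    else
      echo "⚠️ WARNING: $header missing"
    fi
  done
fi

echo ""
echo "============================================================"
echo "Security Check Complete"
echo "============================================================"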