#!/usr/bin/env bash
set -euo pipefail

REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
ARCHIVE="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"
VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"

usage() {
  cat <<USAGE
Usage: scripts/install-vault-pass.sh [archive.zip]

Installs the Ansible Vault password file to:
  ${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}

Behavior:
  1. If the password file already exists, keep it and verify permissions.
  2. If missing, prompt the user to choose one of four setup methods:
     [1] Create a new vault password and initialize/re-encrypt vault.yml
     [2] Paste/type vault-pass.txt content manually
     [3] Download vault-pass.txt from a user-provided URL
     [4] Extract vault-pass.txt from a password-protected zip archive

Default archive path for method [4]:
  $REPO_DIR/secrets/vault-pass.txt.zip
USAGE
}

ensure_dest_dir() {
  umask 077
  mkdir -p "$(dirname "$DEST")"
  chmod 700 "$(dirname "$DEST")" || true
}

secure_dest() {
  chmod 600 "$DEST"
}

verify_existing() {
  if [ -f "$DEST" ]; then
    secure_dest
    echo "Vault password file already exists: $DEST"
    return 0
  fi
  return 1
}

require_cmd() {
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "Missing dependency: $1" >&2
    echo "Please install it first." >&2
    exit 3
  fi
}

create_new_password() {
  require_cmd ansible-vault
  require_cmd python3
  ensure_dest_dir
  umask 077
  python3 - <<'PY' > "$DEST"
import secrets
print(secrets.token_urlsafe(48))
PY
  secure_dest
  echo "Created new vault password file: $DEST"

  if [ -f "$VAULT_FILE" ]; then
    if ansible-vault view "$VAULT_FILE" --vault-password-file "$DEST" >/dev/null 2>&1; then
      echo "Existing vault is already readable with the new password. No re-encryption needed."
    else
      cat <<WARN

WARNING: $VAULT_FILE exists but is not readable with the new password.
To avoid destroying existing encrypted secrets, this script will NOT overwrite it automatically.
If this is a brand-new install, create a plaintext YAML file and run:
  ./scripts/vault.sh encrypt /path/to/plaintext.yml
If this is an existing vault, choose method [2], [3], or [4] with the correct password instead.
WARN
    fi
  else
    mkdir -p "$(dirname "$VAULT_FILE")"
    tmp="$(mktemp)"
    chmod 600 "$tmp"
    cat > "$tmp" <<'YAML'
# Initial placeholder vault. Replace with real secrets using ./scripts/vault.sh edit.
gitea: {}
openclaw_alice:
  http_nodes: {}
  ssh_nodes: {}
YAML
    cp "$tmp" "$VAULT_FILE"
    ansible-vault encrypt "$VAULT_FILE" --vault-password-file "$DEST"
    rm -f "$tmp"
    echo "Created encrypted placeholder vault: $VAULT_FILE"
  fi
}

manual_create() {
  ensure_dest_dir
  cat <<MSG
Paste/type the vault password content now, then press Enter.
Input is hidden. The content will be written to:
  $DEST
MSG
  read -r -s pass
  printf '\n'
  if [ -z "$pass" ]; then
    echo "Empty password is not allowed." >&2
    exit 4
  fi
  umask 077
  printf '%s\n' "$pass" > "$DEST"
  secure_dest
  echo "Installed manually provided vault password file: $DEST"
}

download_from_url() {
  ensure_dest_dir
  printf 'Enter vault-pass.txt URL: '
  read -r url
  if [ -z "$url" ]; then
    echo "URL is required." >&2
    exit 4
  fi
  case "$url" in
    http://*|https://*) ;;
    *) echo "Only http:// or https:// URLs are supported." >&2; exit 4 ;;
  esac
  if command -v curl >/dev/null 2>&1; then
    umask 077
    curl -fsSL "$url" -o "$DEST"
  elif command -v wget >/dev/null 2>&1; then
    umask 077
    wget -qO "$DEST" "$url"
  else
    echo "Missing dependency: curl or wget" >&2
    exit 3
  fi
  if [ ! -s "$DEST" ]; then
    echo "Downloaded file is empty or missing." >&2
    exit 4
  fi
  secure_dest
  echo "Downloaded vault password file to: $DEST"
}

extract_from_archive() {
  require_cmd unzip
  ensure_dest_dir
  if [ ! -f "$ARCHIVE" ]; then
    cat >&2 <<ERR
Missing archive: $ARCHIVE

Create/provide a password-protected archive that contains one file named:
  vault-pass.txt
ERR
    exit 2
  fi
  tmpdir="$(mktemp -d)"
  cleanup() { rm -rf "$tmpdir"; }
  trap cleanup EXIT

  # unzip will prompt for the archive password interactively.
  unzip -q "$ARCHIVE" -d "$tmpdir"

  src="$tmpdir/vault-pass.txt"
  if [ ! -f "$src" ]; then
    echo "Archive extracted, but vault-pass.txt was not found inside." >&2
    exit 4
  fi

  install -m 600 "$src" "$DEST"
  echo "Installed vault password file from archive: $DEST"
}

verify_vault_readable_if_possible() {
  if [ -f "$VAULT_FILE" ] && command -v ansible-vault >/dev/null 2>&1; then
    if ansible-vault view "$VAULT_FILE" --vault-password-file "$DEST" >/dev/null 2>&1; then
      echo "Verified: vault.yml is readable with $DEST"
    else
      echo "Warning: vault.yml is not readable with $DEST" >&2
      return 5
    fi
  fi
}

if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
  usage
  exit 0
fi

if verify_existing; then
  verify_vault_readable_if_possible || true
  exit 0
fi

cat <<MENU
Vault password file does not exist:
  $DEST

Choose setup method:
  1) Create a new vault password and initialize/re-encrypt vault.yml if needed
  2) Paste/type vault-pass.txt content manually
  3) Download vault-pass.txt from a URL
  4) Extract vault-pass.txt from password-protected zip archive
MENU
printf 'Enter choice [1-4]: '
read -r choice

case "$choice" in
  1) create_new_password ;;
  2) manual_create ;;
  3) download_from_url ;;
  4) extract_from_archive ;;
  *) echo "Invalid choice: $choice" >&2; exit 4 ;;
esac

verify_vault_readable_if_possible || true