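#!/usr/bin/env bash
#
# Rotate the Gitea API token of the "reader" account described in config.ini
# and write the new token back into that file.
#
# Usage: $0 [CONFIG]        (default: ../config.ini relative to this script)
#
# Config keys read:
#   [gitea]  api_url
#   [reader] username, password,
#            token_name  (default: installer-readonly)
#            token_scope (default: read:repository)
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
CONFIG="${1:-$SCRIPT_DIR/../config.ini}"

# Print an error to stderr and abort with status 1.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

if [[ ! -f "$CONFIG" ]]; then
  die "config file not found: $CONFIG"
fi

#######################################
# Read one key from one [section] of an INI file.
# Arguments: $1 - file, $2 - section name, $3 - key name
# Outputs:   the value, with surrounding whitespace stripped; empty if absent
# Returns:   0 always. A missing key is not an error: callers apply defaults.
#            (Without the trailing '|| true', grep's exit 1 on a missing key
#            would abort the whole script under 'set -e -o pipefail' before
#            the defaults below ever applied.)
# Note:      section/key are spliced into sed/grep patterns unescaped, so only
#            pass script constants here, never user-controlled strings.
#######################################
parse_ini() {
  local file="$1" section="$2" key="$3"
  # Restrict the search to the lines from this section header up to the next.
  sed -n "/^\[$section\]/,/^\[/p" -- "$file" \
    | grep -- "^${key}[[:space:]]*=" \
    | head -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
    || true
}

GITEA_API=$(parse_ini "$CONFIG" gitea api_url)
READER_USER=$(parse_ini "$CONFIG" reader username)
READER_PASS=$(parse_ini "$CONFIG" reader password)
TOKEN_NAME=$(parse_ini "$CONFIG" reader token_name)
TOKEN_SCOPE=$(parse_ini "$CONFIG" reader token_scope)
TOKEN_NAME="${TOKEN_NAME:-installer-readonly}"
TOKEN_SCOPE="${TOKEN_SCOPE:-read:repository}"

# Fail closed on incomplete config, and on values that would not be safe to
# splice into the request URL or the JSON body below (both are built by
# plain string interpolation, so the accepted character set is kept narrow).
[[ -n "$GITEA_API" ]] || die "[gitea] api_url is not set in $CONFIG"
[[ -n "$READER_PASS" ]] || die "[reader] password is not set in $CONFIG"
[[ "$READER_USER" =~ ^[A-Za-z0-9._-]+$ ]] \
  || die "[reader] username is missing or contains characters this script does not accept"
[[ "$TOKEN_NAME" =~ ^[A-Za-z0-9._-]+$ ]] \
  || die "[reader] token_name contains characters this script does not accept"
[[ "$TOKEN_SCOPE" =~ ^[A-Za-z0-9._:,-]+$ ]] \
  || die "[reader] token_scope contains characters this script does not accept"

#######################################
# Run curl against the Gitea API as the reader account.
# The credential is handed to curl as a config file on stdin (-K -) instead of
# via '-u user:pass' on the command line, so it is not exposed to every local
# user through 'ps' or process-accounting logs.
# Arguments: additional curl options (method, URL, headers, body, ...)
# Outputs:   whatever curl writes to stdout
# Returns:   curl's exit status
#######################################
gitea_curl() {
  local cred="$READER_USER:$READER_PASS"
  # Backslash and double quote are the only characters that need escaping
  # inside a double-quoted curl config value.
  cred=${cred//\\/\\\\}
  cred=${cred//\"/\\\"}
  # -sS: quiet progress meter, but still report curl's own errors on stderr.
  printf 'user = "%s"\n' "$cred" | curl -sS -K - "$@"
}

printf "=== Token Rotation for '%s' ===\n" "$READER_USER"

# --- Delete old token ---
printf "[1/2] Deleting old token '%s'...\n" "$TOKEN_NAME"
HTTP_CODE=$(gitea_curl -o /dev/null -w '%{http_code}' \
  -X DELETE "$GITEA_API/users/$READER_USER/tokens/$TOKEN_NAME")
case "$HTTP_CODE" in
  200|204) printf ' -> Old token deleted.\n' ;;
  404)     printf ' -> No existing token found (404), creating fresh.\n' ;;
  *)       printf ' -> WARNING: HTTP %s while deleting old token.\n' "$HTTP_CODE" ;;
esac

# --- Create new token ---
printf "[2/2] Creating new token '%s' (scope: %s)...\n" "$TOKEN_NAME" "$TOKEN_SCOPE"
# TOKEN_NAME / TOKEN_SCOPE were restricted to [A-Za-z0-9._:,-] above, so they
# cannot terminate the JSON string literals they are interpolated into.
TOKEN_RESPONSE=$(gitea_curl \
  -X POST "$GITEA_API/users/$READER_USER/tokens" \
  -H 'Content-Type: application/json' \
  -d "{\"name\": \"$TOKEN_NAME\", \"scopes\": [\"$TOKEN_SCOPE\"]}")

# Extract the "sha1" field without a JSON parser. A bash regex is used instead
# of 'grep -o | sed' because grep exits 1 when the field is absent (e.g. an
# error response), which under 'set -e -o pipefail' killed the script before
# the error branch below could print the server's reply.
TOKEN_VALUE=""
sha1_re='"sha1":[[:space:]]*"([^"]*)"'
if [[ "$TOKEN_RESPONSE" =~ $sha1_re ]]; then
  TOKEN_VALUE=${BASH_REMATCH[1]}
fi
if [[ -z "$TOKEN_VALUE" ]]; then
  printf ' -> ERROR: Failed to create new token:\n' >&2
  printf '%s\n' "$TOKEN_RESPONSE" >&2
  exit 1
fi
printf ' -> New token: %s...\n' "${TOKEN_VALUE:0:8}"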
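# --- Update config.ini ---

# Print the lines of the [reader] section (header through the next header).
reader_section() {
  sed -n '/^\[reader\]/,/^\[/p' -- "$CONFIG"
}

# The token is spliced into sed scripts below, where '|', '&', '\' and
# newlines have meaning; refuse anything outside a plain token character set
# rather than risk a corrupted config file.
if [[ ! "$TOKEN_VALUE" =~ ^[A-Za-z0-9._-]+$ ]]; then
  printf 'ERROR: new token contains unexpected characters; not writing it to %s\n' "$CONFIG" >&2
  exit 1
fi

# Both the lookup and the rewrite are limited to the [reader] section, so a
# 'token =' key belonging to another section is never matched or clobbered.
# NOTE: 'sed -i' with no suffix argument is GNU sed syntax; BSD/macOS sed
# needs "-i ''".
if reader_section | grep -q '^token[[:space:]]*='; then
  sed -i "/^\[reader\]/,/^\[/s|^token[[:space:]]*=.*|token = $TOKEN_VALUE|" "$CONFIG"
  printf ' -> Token updated in %s\n' "$CONFIG"
else
  # Keep the key next to token_scope when that line exists; token_scope is
  # optional (it has a default), so otherwise append directly under the
  # section header instead of silently writing nothing.
  if reader_section | grep -q '^token_scope'; then
    sed -i "/^\[reader\]/,/^\[/{
/^token_scope/a token = $TOKEN_VALUE
}" "$CONFIG"
  else
    sed -i "/^\[reader\]/a token = $TOKEN_VALUE" "$CONFIG"
  fi
  # Confirm the write landed before reporting success (e.g. the file may
  # have no [reader] section at all).
  if ! reader_section | grep -qxF -- "token = $TOKEN_VALUE"; then
    printf 'ERROR: could not add token to %s (no [reader] section?)\n' "$CONFIG" >&2
    exit 1
  fi
  printf ' -> Token added to %s\n' "$CONFIG"
fi
# NOTE(review): the config file now holds a live API token next to the account
# password; its permissions are not adjusted here — confirm the file is only
# readable by the account that runs the installer.

printf '\n=== Rotation Complete ===\n'
printf 'New token (first 8): %s...\n' "${TOKEN_VALUE:0:8}"
printf '\nIMPORTANT: Update any systems using the old token!\n'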