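#!/usr/bin/env bash
# Static checks for config/traefik-compose.yml.
#
# Verifies that the Traefik forward-auth service is pinned to a runnable
# image, uses the generic-oauth provider against the Hydra endpoints, does
# not carry hard-coded secrets, protects the dashboard router, and that the
# compose file renders with `docker compose config`.
#
# Exits non-zero with a message on stderr at the first failing check.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
readonly repo_root
readonly compose_file="$repo_root/config/traefik-compose.yml"

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
fail() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Require a fixed string to be present in the compose file.
# Arguments: $1 - literal text (matched with grep -F)
#            $2 - message printed when the text is missing
#######################################
require_literal() {
  local needle=$1 message=$2
  grep -Fq -- "$needle" "$compose_file" || fail "$message"
}

#######################################
# Require an extended regex to be absent from the compose file.
# Arguments: $1 - ERE pattern (matched with grep -E)
#            $2 - message printed when the pattern is found
#######################################
forbid_pattern() {
  local pattern=$1 message=$2
  if grep -Eq -- "$pattern" "$compose_file"; then
    fail "$message"
  fi
}

[[ -f "$compose_file" ]] || fail "config/traefik-compose.yml must exist."

forbid_pattern 'thomseddon/traefik-forward-auth:2\.3\.0' \
  "traefik-forward-auth image tag 2.3.0 is unavailable; use a runnable pinned tag."

# Legacy Keycloak realm path or a misspelled provider prefix (the supported
# keys start with PROVIDERS_GENERIC_OAUTH_).
forbid_pattern 'auth/realms/master|PROVIDER_GENERIC_' \
  "Traefik forward-auth must use Baron/Ory Hydra endpoint variables, not legacy Keycloak or unsupported provider keys."

# A *_SECRET value is only acceptable as a compose interpolation ($VAR or
# ${VAR}). Both the list form (KEY=value) and the mapping form (KEY: value)
# are covered; an optional surrounding quote is skipped so that "${VAR}" is
# not a false positive while a quoted literal is still rejected.
forbid_pattern "SECRET[=:][[:space:]]*[\"']?[^\$[:space:]\"']" \
  "Traefik forward-auth secrets must be injected from environment variables, not hardcoded in compose."

require_literal 'DEFAULT_PROVIDER=generic-oauth' \
  "Traefik bootstrap must use generic-oauth provider to avoid OIDC discovery before Baron/Ory is running."

# The endpoint strings below are literals: ${HYDRA_PUBLIC_URL:-...} must
# appear verbatim in the compose file for interpolation at compose time.
require_literal 'PROVIDERS_GENERIC_OAUTH_AUTH_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/auth' \
  "Traefik forward-auth auth URL must point to Hydra authorize endpoint."

require_literal 'PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/token' \
  "Traefik forward-auth token URL must point to Hydra token endpoint."

require_literal 'PROVIDERS_GENERIC_OAUTH_USER_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/userinfo' \
  "Traefik forward-auth user URL must point to Hydra userinfo endpoint."

require_literal 'traefik.http.routers.traefik-dashboard.middlewares=auth-forward@docker' \
  "Traefik dashboard router must be protected by auth-forward middleware."

require_literal 'traefik.http.services.forward-auth.loadbalancer.server.port=4181' \
  "forward-auth service port must be declared for Traefik docker provider."

require_literal 'traefik-public:' \
  "traefik-public external network must be declared."

require_literal 'name: traefik-public' \
  "traefik-public network name must be explicit."

# Render the compose file with placeholder secrets so interpolation and
# schema errors surface here rather than at deploy time. The placeholders
# are never persisted; output is discarded because only the exit status
# matters.
command -v docker >/dev/null 2>&1 \
  || fail "docker is required to validate config/traefik-compose.yml."
TRAEFIK_FORWARD_AUTH_CLIENT_SECRET=dummy \
TRAEFIK_FORWARD_AUTH_COOKIE_SECRET=dummy \
  docker compose -f "$compose_file" config >/dev/null \
  || fail "docker compose config failed for config/traefik-compose.yml."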