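#!/usr/bin/env bash
#
# Ship a baron-sso image bundle to DEPLOY_HOST over scp and start it there with
# docker compose. The WORKS Drive access token is resolved locally and handed
# to the remote shell on stdin, so it never appears in an argv on either side.
#
# Required env:
#   IMAGE_DEPLOY_BUNDLE_FILE           local .tgz to upload
#   DEPLOY_HOST, DEPLOY_USER           ssh target
#   DEPLOY_PATH                        extraction / compose directory on the host
#   WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID  forwarded to the remote download script
# Token source (first non-empty wins):
#   WORKS_DRIVE_ACCESS_TOKEN, WORKS_DRIVE_ACCESS_TOKEN_INPUT,
#   WORKS_DRIVE_ACCESS_TOKEN_FILE, WORKS_DRIVE_ACCESS_TOKEN_CMD,
#   WORKS_DRIVE_OAUTH_REFRESH_TOKEN (+ WORKS_DRIVE_OAUTH_CLIENT_ID,
#   WORKS_DRIVE_OAUTH_CLIENT_SECRET; optional WORKS_DRIVE_OAUTH_TOKEN_URL)
# Optional, forwarded to the host with defaults:
#   WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID, WORKS_DRIVE_DOCKER_IMAGE_DIR,
#   WORKS_ADMIN_API_BASE_URL
set -euo pipefail

# Print an error to stderr and exit non-zero.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Abort unless the environment variable named by $1 is set and non-empty.
require_env() {
  local key="$1"
  [[ -n "${!key:-}" ]] || die "Missing required env: $key"
}

#######################################
# Single-quote a value for safe interpolation into the remote command line.
# Embedded single quotes become '\'' so the value can never terminate the
# quoted string and inject commands on the host.
# Arguments: $1 - raw value
# Outputs:   the quoted value on stdout
#######################################
shell_quote() {
  local value="$1"
  value="${value//\'/\'\\\'\'}"
  printf "'%s'" "$value"
}

#######################################
# Append DEPLOY_HOST's current host keys (hashed) to ~/.ssh/known_hosts so
# ssh/scp do not prompt. This is trust-on-first-use: whatever key the host
# presents on this run is accepted; pre-seeding known_hosts from a trusted
# source is the stronger option. Unlike a bare redirect, an empty or failed
# keyscan is treated as an error instead of being appended silently.
# Arguments: $1 - host name
#######################################
pin_host_key() {
  local host="$1"
  local keys
  mkdir -p -m 700 ~/.ssh
  keys="$(ssh-keyscan -H "$host" 2>/dev/null)" || die "ssh-keyscan failed for $host"
  [[ -n "$keys" ]] || die "ssh-keyscan returned no host keys for $host"
  printf '%s\n' "$keys" >>~/.ssh/known_hosts
}

#######################################
# Exchange WORKS_DRIVE_OAUTH_REFRESH_TOKEN for an access token at the OAuth
# token endpoint. The refresh token and client secret reach curl through files
# in $tmpdir (name@file URL-encodes the file content) rather than argv, where
# `ps` on the runner could read them.
# Globals:  WORKS_DRIVE_OAUTH_REFRESH_TOKEN, WORKS_DRIVE_OAUTH_CLIENT_ID,
#           WORKS_DRIVE_OAUTH_CLIENT_SECRET, WORKS_DRIVE_OAUTH_TOKEN_URL,
#           tmpdir (read)
# Outputs:  the access token on stdout, newline-terminated
# Returns:  0, or exits via die on a failed request or a malformed response
#######################################
exchange_refresh_token() {
  [[ -n "${WORKS_DRIVE_OAUTH_CLIENT_ID:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_ID is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
  [[ -n "${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_SECRET is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
  command -v jq >/dev/null || die "jq is required to parse the OAuth token response"

  local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
  local response access_token rotated_refresh_token

  # $tmpdir is created 0700 by mktemp -d, so these files are private to us.
  printf '%s' "$WORKS_DRIVE_OAUTH_REFRESH_TOKEN" >"$tmpdir/refresh_token"
  printf '%s' "$WORKS_DRIVE_OAUTH_CLIENT_SECRET" >"$tmpdir/client_secret"

  response="$(curl -fsS -X POST "$token_url" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=refresh_token" \
    --data-urlencode "refresh_token@$tmpdir/refresh_token" \
    --data-urlencode "client_id=${WORKS_DRIVE_OAUTH_CLIENT_ID}" \
    --data-urlencode "client_secret@$tmpdir/client_secret")" \
    || die "token refresh request to $token_url failed"

  # -e makes jq exit non-zero when access_token is null/missing.
  access_token="$(jq -er '.access_token' <<<"$response")" \
    || die "token response from $token_url did not contain access_token"
  rotated_refresh_token="$(jq -r '.refresh_token // empty' <<<"$response")"

  # The message names the variable this script actually reads.
  if [[ -n "$rotated_refresh_token" && "$rotated_refresh_token" != "$WORKS_DRIVE_OAUTH_REFRESH_TOKEN" ]]; then
    printf 'WARNING: WORKS returned a rotated refresh token. Update WORKS_DRIVE_OAUTH_REFRESH_TOKEN before the old token ages out.\n' >&2
  fi
  printf '%s\n' "$access_token"
}

#######################################
# Resolve a WORKS Drive access token from the first configured source, in
# priority order: WORKS_DRIVE_ACCESS_TOKEN, WORKS_DRIVE_ACCESS_TOKEN_INPUT,
# WORKS_DRIVE_ACCESS_TOKEN_FILE (first line), WORKS_DRIVE_ACCESS_TOKEN_CMD
# (run via sh -c), WORKS_DRIVE_OAUTH_REFRESH_TOKEN (exchanged over OAuth).
# Globals:  the WORKS_DRIVE_* variables above (read)
# Outputs:  the access token on stdout
# Returns:  0, or exits via die when no source is configured or usable
#######################################
resolve_works_drive_access_token() {
  if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN:-}" ]]; then
    printf '%s\n' "$WORKS_DRIVE_ACCESS_TOKEN"
    return
  fi
  if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_INPUT:-}" ]]; then
    printf '%s\n' "$WORKS_DRIVE_ACCESS_TOKEN_INPUT"
    return
  fi
  if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_FILE:-}" ]]; then
    [[ -f "$WORKS_DRIVE_ACCESS_TOKEN_FILE" ]] || die "WORKS_DRIVE_ACCESS_TOKEN_FILE not found: $WORKS_DRIVE_ACCESS_TOKEN_FILE"
    sed -n '1p' "$WORKS_DRIVE_ACCESS_TOKEN_FILE"
    return
  fi
  if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ]]; then
    # Deliberate: the command string is operator configuration for this job,
    # not data received from outside; it must not be populated from untrusted input.
    sh -c "$WORKS_DRIVE_ACCESS_TOKEN_CMD"
    return
  fi
  if [[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]]; then
    exchange_refresh_token
    return
  fi
  die "Missing WORKS Drive access auth. Provide WORKS_DRIVE_ACCESS_TOKEN, WORKS_DRIVE_ACCESS_TOKEN_FILE, WORKS_DRIVE_ACCESS_TOKEN_CMD, or WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
}

#######################################
# Print the command to run on DEPLOY_HOST. Every interpolated value goes
# through shell_quote, so a quote or space in DEPLOY_PATH etc. cannot break
# out of the remote command line. The access token is not embedded here; the
# remote side reads it from stdin.
# Arguments: $1 - remote path of the uploaded bundle
# Globals:   DEPLOY_PATH, WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID,
#            WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID, WORKS_DRIVE_DOCKER_IMAGE_DIR,
#            WORKS_ADMIN_API_BASE_URL (read)
# Outputs:   the remote command string on stdout
#######################################
build_remote_command() {
  local bundle path drive_id parent_id image_dir api_base
  bundle="$(shell_quote "$1")"
  path="$(shell_quote "$DEPLOY_PATH")"
  drive_id="$(shell_quote "$WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID")"
  parent_id="$(shell_quote "${WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID:-}")"
  image_dir="$(shell_quote "${WORKS_DRIVE_DOCKER_IMAGE_DIR:-baron-sso}")"
  api_base="$(shell_quote "${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}")"

  # NOTE: 'set -o pipefail' means the login shell on the host must be
  # bash/ksh/zsh (or a POSIX-2024 sh); plain dash rejects it.
  # The uploaded bundle is removed right after unpacking: it carries .env
  # (hence the chmod 600), which should not linger in a shared /tmp.
  printf '%s' "set -euo pipefail; \
read -r works_drive_access_token; \
mkdir -p ${path}; \
tar -xzf ${bundle} -C ${path}; \
rm -f ${bundle}; \
cd ${path}; \
chmod 600 .env; \
docker network inspect traefik-public >/dev/null 2>&1 || docker network create traefik-public; \
export WORKS_DRIVE_ACCESS_TOKEN=\"\${works_drive_access_token}\"; \
export WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID=${drive_id}; \
export WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID=${parent_id}; \
export WORKS_DRIVE_DOCKER_IMAGE_DIR=${image_dir}; \
export WORKS_ADMIN_API_BASE_URL=${api_base}; \
scripts/docker-image/download_works_drive.sh; \
docker compose --env-file .env -f docker-compose.yml up -d --remove-orphans; \
docker compose --env-file .env -f docker-compose.yml ps"
}

#######################################
# Validate the environment, resolve the token, upload the bundle and run the
# remote deployment. All top-level work lives here.
# Globals:   see the file header; sets tmpdir for exchange_refresh_token
# Returns:   0 on success; exits via die or set -e otherwise
#######################################
main() {
  require_env IMAGE_DEPLOY_BUNDLE_FILE
  require_env DEPLOY_HOST
  require_env DEPLOY_USER
  require_env DEPLOY_PATH
  require_env WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID
  [[ -f "$IMAGE_DEPLOY_BUNDLE_FILE" ]] || die "bundle file not found: $IMAGE_DEPLOY_BUNDLE_FILE"

  # Private scratch space for secrets passed to curl by file; removed on any exit.
  tmpdir="$(mktemp -d)" || die "mktemp failed"
  trap 'rm -rf -- "${tmpdir:?}"' EXIT

  local works_drive_access_token
  works_drive_access_token="$(resolve_works_drive_access_token)"
  [[ -n "$works_drive_access_token" ]] || die "resolved WORKS Drive access token is empty"

  local target="${DEPLOY_USER}@${DEPLOY_HOST}"
  pin_host_key "$DEPLOY_HOST"

  # Let the host pick an unpredictable temp name instead of a timestamped
  # path in /tmp that another local user could pre-create. -n keeps this ssh
  # from consuming our stdin.
  local remote_bundle
  remote_bundle="$(ssh -n "$target" 'mktemp /tmp/baron-sso-image-deploy.XXXXXX')" \
    || die "could not create a temp file on $DEPLOY_HOST"
  # The value comes back from the host; make sure it is the path we expect
  # before using it as an scp target and in the remote command.
  [[ "$remote_bundle" == /tmp/baron-sso-image-deploy.* ]] \
    || die "unexpected mktemp output from $DEPLOY_HOST: $remote_bundle"

  scp "$IMAGE_DEPLOY_BUNDLE_FILE" "${target}:${remote_bundle}"

  # Token travels on stdin; the remote `read -r` picks it up as the first line.
  printf '%s\n' "$works_drive_access_token" \
    | ssh "$target" "$(build_remote_command "$remote_bundle")"
}

main "$@"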