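#!/usr/bin/env bash
#
# Store the Docker registry password in the Ansible vault.
#
# The password is looked up in the registry's .env file on the production
# server over SSH; if it cannot be read there (or the operator prefers a new
# one) a random password is generated instead.  The value is then written to
# secrets/production.vault.yml as `vault_docker_registry_password`.
#
# Requires: ansible-vault, ssh with key-based login to the deploy host, openssl.
# Reads:    inventory/production.yml, secrets/production.vault.yml,
#           secrets/.vault_pass (all relative to the ansible directory).
# Writes:   secrets/production.vault.yml, re-encrypted and replaced atomically;
#           the existing vault is left untouched if any step fails.
# Env:      REGISTRY_ENV_VAR  name of the key read from the remote .env file
#                             (default: REGISTRY_AUTH_HTPASSWD_REALM).
set -euo pipefail

SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
ANSIBLE_DIR=$(cd "$SCRIPT_DIR/.." && pwd)
readonly SCRIPT_DIR ANSIBLE_DIR
readonly VAULT_FILE="$ANSIBLE_DIR/secrets/production.vault.yml"
readonly VAULT_PASS_FILE="$ANSIBLE_DIR/secrets/.vault_pass"
readonly INVENTORY_FILE="$ANSIBLE_DIR/inventory/production.yml"
readonly VAULT_KEY="vault_docker_registry_password"
# NOTE(review): REGISTRY_AUTH_HTPASSWD_REALM is the registry's auth *realm*
# setting, not a credential; confirm this is really the .env key that holds
# the password before relying on the remote lookup.
readonly REGISTRY_ENV_VAR="${REGISTRY_ENV_VAR:-REGISTRY_AUTH_HTPASSWD_REALM}"

# Temp file holding the re-encrypted vault; removed on every exit path.
TMP_OUT=""
cleanup() {
  if [[ -n "$TMP_OUT" ]]; then
    rm -f -- "$TMP_OUT"
  fi
}
trap cleanup EXIT

#######################################
# Print an error (plus optional hint lines) to stderr and exit 1.
# Arguments: $1 - error message; $2.. - extra lines
#######################################
die() {
  local line
  printf '❌ %s\n' "$1" >&2
  shift
  for line in "$@"; do
    printf '   %s\n' "$line" >&2
  done
  exit 1
}

#######################################
# Print the value of the first `<key>: <value>` line in the inventory, with
# surrounding quotes stripped; prints nothing when the key is absent.  Always
# returns 0 so callers can apply their own default under `set -e` (the old
# `... | head -1 || echo deploy` never fired, because head succeeds on empty
# input).
# Globals:   INVENTORY_FILE
# Arguments: $1 - inventory key, e.g. ansible_host
#######################################
inventory_value() {
  local key=$1
  local value
  value=$(awk -v key="$key" '$1 == (key ":") { print $2; exit }' "$INVENTORY_FILE")
  value=${value#[\"\']}
  value=${value%[\"\']}
  printf '%s\n' "$value"
}

#######################################
# Print a fresh 32-character alphanumeric password.
# 48 random bytes give 64 base64 characters, so even after dropping "=+/"
# more than 32 remain (32 bytes → 44 chars could fall short after stripping).
#######################################
generate_password() {
  openssl rand -base64 48 | tr -d '=+/' | cut -c1-32
}

#######################################
# Fetch REGISTRY_ENV_VAR's value from a .env file on the server.
# Prints nothing (and returns 0) if SSH fails or the key is missing.
# Globals:   REGISTRY_ENV_VAR
# Arguments: $1 - ssh user, $2 - host, $3 - path of the .env file on the server
#######################################
remote_env_value() {
  local user=$1 host=$2 env_path=$3
  local remote_cmd
  # The remote path is shell-quoted (%q) so it cannot be re-split or expanded
  # by the remote shell.
  printf -v remote_cmd "grep '^%s=' %q 2>/dev/null | cut -d= -f2- | head -1" \
    "$REGISTRY_ENV_VAR" "$env_path"
  # BatchMode: fail fast instead of hanging on a password prompt, since stderr
  # is discarded; key-based login is assumed.
  ssh -o BatchMode=yes "${user}@${host}" "$remote_cmd" 2>/dev/null || true
}

#######################################
# Print $1 as a YAML double-quoted scalar (backslash and `"` escaped), so an
# operator-entered password containing quotes cannot break the vault file.
#######################################
yaml_quoted() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '"%s"' "$s"
}

#######################################
# Write `VAULT_KEY: <value>` into the vault, replacing an existing entry only
# with the operator's consent.  The vault is decrypted once up front so a
# wrong vault password aborts instead of silently re-encrypting empty input
# over the real vault; the new ciphertext goes to a temp file that is moved
# into place only after encryption succeeded.
# Globals:   VAULT_FILE, VAULT_PASS_FILE, VAULT_KEY, TMP_OUT (written)
# Arguments: $1 - YAML scalar to store (already quoted)
# Returns:   0 on success; exits 0 if the operator declines to replace,
#            exits 1 on decrypt/encrypt failure
#######################################
set_vault_key() {
  local value=$1
  local plaintext updated answer
  plaintext=$(ansible-vault view --vault-password-file "$VAULT_PASS_FILE" "$VAULT_FILE") \
    || die "Could not decrypt $VAULT_FILE (wrong vault password?)"

  if grep -q "^${VAULT_KEY}:" <<<"$plaintext"; then
    printf '⚠️ %s already exists in vault\n' "$VAULT_KEY"
    read -r -p "Replace it? (y/N): " answer
    if [[ "$answer" != [yY] ]]; then
      printf 'Aborted.\n'
      exit 0
    fi
    # Replace the line in place.  The value travels via the environment so awk
    # neither re-interprets escapes (as -v would) nor exposes it on argv, and
    # no sed delimiter/&/\ characters in the password can corrupt the edit.
    updated=$(NEW_VALUE="$value" awk -v key="$VAULT_KEY" '
      index($0, key ":") == 1 { printf "%s: %s\n", key, ENVIRON["NEW_VALUE"]; next }
      { print }' <<<"$plaintext")
  else
    # Append exactly one entry at the end; inserting after every `vault_` line
    # (sed `/^vault_/a`) would add the key once per existing vault_ variable.
    updated=$(printf '%s\n%s: %s' "$plaintext" "$VAULT_KEY" "$value")
  fi

  TMP_OUT=$(mktemp "${VAULT_FILE}.XXXXXX") || die "mktemp failed"
  printf '%s\n' "$updated" \
    | ansible-vault encrypt --vault-password-file "$VAULT_PASS_FILE" --output "$TMP_OUT" - \
    || die "Encrypting the updated vault failed; $VAULT_FILE is unchanged"
  mv -f -- "$TMP_OUT" "$VAULT_FILE"
  TMP_OUT=""
}

#######################################
# Entry point: validate inputs, obtain the password, store it in the vault.
#######################################
main() {
  [[ -f "$VAULT_FILE" ]] || die "Vault file not found: $VAULT_FILE"
  [[ -f "$VAULT_PASS_FILE" ]] \
    || die "Vault password file not found: $VAULT_PASS_FILE" \
      "Please create it or use --ask-vault-pass"
  [[ -f "$INVENTORY_FILE" ]] || die "Inventory file not found: $INVENTORY_FILE"
  # The key name is interpolated into a remote grep pattern; keep it a plain
  # identifier.
  [[ "$REGISTRY_ENV_VAR" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] \
    || die "REGISTRY_ENV_VAR is not a valid variable name: $REGISTRY_ENV_VAR"

  printf '📋 Extracting registry password from server...\n\n'

  local server_host deploy_user
  server_host=$(inventory_value ansible_host)
  deploy_user=$(inventory_value ansible_user)
  deploy_user=${deploy_user:-deploy}
  [[ -n "$server_host" ]] || die "Could not determine server hostname from inventory"
  printf 'Server: %s\nUser: %s\n\n' "$server_host" "$deploy_user"

  local env_path="/home/$deploy_user/deployment/stacks/registry/.env"
  printf 'Attempting to extract password from: %s\n\n' "$env_path"

  local password
  password=$(remote_env_value "$deploy_user" "$server_host" "$env_path")

  if [[ -z "$password" ]]; then
    printf '⚠️ Could not extract password from server .env file\n\n'
    printf 'Generating new registry password...\n'
    password=$(generate_password)
    printf 'Generated password: %s...\n\n' "${password:0:8}"
    printf '⚠️ Note: This is a NEW password. If the registry is already deployed,\n'
    printf '   you may need to update the registry .env file on the server.\n'
  else
    # The remote value is expected to be an htpasswd entry
    # (username:$apr1$salt$hash), i.e. a one-way hash, so the plain password
    # has to come from the operator.
    printf '✅ Found password in registry .env file\n'
    printf '   (Password format: htpasswd hash)\n\n'
    printf '⚠️ Note: The password in .env is in htpasswd format.\n'
    printf '   We need the plain password to add to vault.\n\n'
    local entered
    # -s: do not echo the secret to the terminal; -r: keep backslashes literal.
    read -r -s -p "Enter the plain registry password (or press Enter to generate new): " entered
    printf '\n'
    if [[ -n "$entered" ]]; then
      password=$entered
    else
      printf 'Generating new registry password...\n'
      password=$(generate_password)
      printf 'Generated password: %s...\n' "${password:0:8}"
    fi
  fi

  printf '\nAdding password to vault file...\n\n'
  set_vault_key "$(yaml_quoted "$password")"

  printf '\n✅ Password added to vault file!\n\n'
  printf 'Next steps:\n'
  printf '1. Verify the password is set:\n'
  printf '   ansible-vault view %s --vault-password-file %s | grep %s\n\n' \
    "$VAULT_FILE" "$VAULT_PASS_FILE" "$VAULT_KEY"
  printf '2. Re-run the playbook:\n'
  printf '   ansible-playbook -i inventory/production.yml playbooks/setup-infrastructure.yml --vault-password-file %s\n' \
    "$VAULT_PASS_FILE"
}

main "$@"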