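#!/bin/bash
# ------------------------------------------------------------------------------
# Secret management functions
# This file is part of the init.sh project
# Copyright (c) 2025 Geoffray Levasseur
# ------------------------------------------------------------------------------
# This file is distributed under 3-clause BSD license.
# The complete license agreement can be obtained at:
# https://opensource.org/licenses/BSD-3-Clause
# ------------------------------------------------------------------------------
#
# A secret reference has the form "scheme:identifier"; a reference without a
# colon is treated as "file:<path>". A scheme is supported when a matching
# get_<scheme>_secret / check_<scheme>_secret pair exists below (passbolt,
# file, var). Secret values are written to stdout without a trailing newline,
# so callers capture them with "$(fetch_secret ...)"; the value itself is never
# logged, only the scheme and identifier. Diagnostics go through prnt and
# fatal errors through die; both are expected to be defined by whoever sources
# this file (they are not defined here).

# ------------------------------------------------------------------------------
# Reference parsing helpers
#######################################
# Print the scheme part of a secret reference ("file" when there is no colon).
# Arguments: $1 - secret reference
# Outputs:   scheme on stdout
#######################################
_secret_ref_scheme() {
  local ref="$1"
  if [[ "$ref" != *:* ]]; then
    printf '%s' "file"
  else
    printf '%s' "${ref%%:*}"
  fi
}
export -f _secret_ref_scheme

#######################################
# Print the identifier part of a secret reference (whole reference when there
# is no colon).
# Arguments: $1 - secret reference
# Outputs:   identifier on stdout
#######################################
_secret_ref_identifier() {
  local ref="$1"
  if [[ "$ref" != *:* ]]; then
    printf '%s' "$ref"
  else
    printf '%s' "${ref#*:}"
  fi
}
export -f _secret_ref_identifier

#######################################
# Accept only schemes that can form a plain function name. The dispatchers
# already require "get_<scheme>_secret" to be a defined function, but
# rejecting anything outside [A-Za-z0-9_] up front keeps odd references
# (spaces, quotes, path characters) from ever reaching the lookup.
# Arguments: $1 - scheme
# Returns:   0 if the scheme is well-formed, 1 otherwise
#######################################
_secret_scheme_ok() {
  [[ "$1" =~ ^[[:alnum:]_]+$ ]]
}
export -f _secret_scheme_ok
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Get Passbolt
#######################################
# Fetch a secret from Passbolt by resource name.
# Arguments: $1 - resource name as listed by "passbolt secret list"
# Outputs:   secret data on stdout, no trailing newline
# Returns:   dies with 22 when the passbolt or jq CLI is missing,
#            23 when the resource is absent or carries no data
#######################################
get_passbolt_secret() {
  local name="$1" secret
  if ! command -v passbolt >/dev/null 2>&1; then
    prnt E "Passbolt CLI not found (required to fetch passbolt:$name)."
    die 22
  fi
  # jq does the JSON filtering below; without it the pipeline silently yields
  # an empty string, which would be reported as "secret not found".
  if ! command -v jq >/dev/null 2>&1; then
    prnt E "jq not found (required to fetch passbolt:$name)."
    die 22
  fi
  # Based on the Passbolt CLI + jq. The name is passed with --arg so it is
  # compared literally, never interpolated into the jq program.
  secret=$(passbolt secret list --json 2>/dev/null \
    | jq -r --arg NAME "$name" \
      '.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
  # jq -r prints "null" for a missing field; treat it like an empty result.
  if [[ -z "$secret" || "$secret" == "null" ]]; then
    prnt E "Secret '$name' not found in Passbolt."
    die 23
  fi
  printf '%s' "$secret"
}
export -f get_passbolt_secret
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Get File
#######################################
# Read a secret from a file, stripping one trailing CR and/or LF.
# Arguments: $1 - path of the secret file
# Outputs:   file content on stdout, no trailing newline
# Returns:   dies with 10 when no path is given,
#            24 when the file is unreadable or empty
#######################################
get_file_secret() {
  local path="$1" secret
  # Missing argument. (The previous test used "-s", which is true for an
  # existing non-empty file and therefore rejected every valid path.)
  if [[ -z "$path" ]]; then
    prnt E "get_file_secret: missing secret file"
    die 10
  fi
  if [[ ! -r "$path" ]]; then
    prnt E "get_file_secret: '$path' not readable"
    die 24
  fi
  # Same -s rule as check_file_secret: an empty file holds no secret.
  if [[ ! -s "$path" ]]; then
    prnt E "get_file_secret: '$path' is empty"
    die 24
  fi
  # $(<file) already drops trailing newlines; the CR strip covers CRLF files,
  # the LF strip is kept for symmetry with get_var_secret.
  secret=$(<"$path")
  secret="${secret%$'\r'}"
  secret="${secret%$'\n'}"
  printf '%s' "$secret"
}
export -f get_file_secret
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Get Environment variable
#######################################
# Read a secret from an environment variable, stripping one trailing CR/LF.
# Only exported variables are visible to printenv; a plain shell variable
# that was never exported is reported as "not set".
# Arguments: $1 - variable name
# Outputs:   variable value on stdout, no trailing newline
# Returns:   dies with 25 when the name is empty or the variable is not set
#######################################
get_var_secret() {
  local var="$1" secret
  if [[ -z "$var" ]]; then
    prnt E "get_var_secret: missing variable name"
    die 25
  fi
  if ! printenv "$var" >/dev/null 2>&1; then
    prnt E "get_var_secret: variable '$var' not set"
    die 25
  fi
  secret="$(printenv "$var")"
  secret="${secret%$'\r'}"
  secret="${secret%$'\n'}"
  printf '%s' "$secret"
}
export -f get_var_secret
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Main get dispatcher
# Usage: fetch_secret "scheme:identifier"
#######################################
# Resolve a secret reference and print its value.
# Arguments: $1 - "scheme:identifier" (or a bare file path)
# Outputs:   the secret on stdout, no trailing newline
# Returns:   dies with 26 when no reference is given, 27 when the scheme has
#            no get_<scheme>_secret function; otherwise the status of that
#            function
#######################################
fetch_secret() {
  local ref="$1"
  local scheme identifier func
  if [[ -z "$ref" ]]; then
    prnt E "fetch_secret: no reference provided"
    die 26
  fi
  # Default: no scheme means "file".
  scheme=$(_secret_ref_scheme "$ref")
  identifier=$(_secret_ref_identifier "$ref")
  # Only the scheme and identifier are logged, never the value.
  prnt I "Fetching secret from $scheme, identified with \"$identifier\"..."
  func="get_${scheme}_secret"
  if ! _secret_scheme_ok "$scheme" \
    || ! declare -f "$func" >/dev/null 2>&1; then
    prnt E "fetch_secret: unsupported scheme '$scheme' (no function $func)"
    die 27
  fi
  "$func" "$identifier"
}
export -f fetch_secret
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Check Passbolt
#######################################
# Test whether a Passbolt resource with data exists, without printing it.
# Arguments: $1 - resource name
# Returns:   0 when found, 1 otherwise (including missing passbolt/jq CLI)
#######################################
check_passbolt_secret() {
  local name="$1" found
  if ! command -v passbolt >/dev/null 2>&1; then
    return 1
  fi
  if ! command -v jq >/dev/null 2>&1; then
    return 1
  fi
  found=$(passbolt secret list --json 2>/dev/null \
    | jq -e --arg NAME "$name" \
      '.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
  [[ -n "$found" && "$found" != "null" ]]
}
export -f check_passbolt_secret
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Check File
#######################################
# Test whether a secret file is readable and non-empty.
# Arguments: $1 - path
# Returns:   0 when usable, 1 otherwise
#######################################
check_file_secret() {
  local path="$1"
  [[ -r "$path" && -s "$path" ]]
}
export -f check_file_secret
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Check Environment variable
#######################################
# Test whether an exported variable of that name exists.
# Arguments: $1 - variable name
# Returns:   0 when set (exported), 1 otherwise
#######################################
check_var_secret() {
  local var="$1"
  [[ -n "$var" ]] && printenv "$var" >/dev/null 2>&1
}
export -f check_var_secret
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Check Dispatcher
#######################################
# Test whether a secret reference can be resolved, without fetching it.
# Arguments: $1 - "scheme:identifier" (or a bare file path)
# Returns:   1 when the reference is empty or the scheme is unsupported;
#            otherwise the status of check_<scheme>_secret
#######################################
check_secret() {
  local ref="$1"
  local scheme identifier func
  if [[ -z "$ref" ]]; then
    prnt E "check_secret: no reference provided"
    return 1
  fi
  scheme=$(_secret_ref_scheme "$ref")
  identifier=$(_secret_ref_identifier "$ref")
  func="check_${scheme}_secret"
  if ! _secret_scheme_ok "$scheme" \
    || ! declare -f "$func" >/dev/null 2>&1; then
    prnt E "check_secret: unsupported scheme '$scheme' (no function $func)"
    return 1
  fi
  "$func" "$identifier"
}
export -f check_secret
# ------------------------------------------------------------------------------
# EOF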