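#!/usr/bin/env bash
# Install the SSH key pair stored as an "SSH key" item in Proton Pass into
# ~/.ssh, idempotently: files on disk are rewritten only when the vault copy
# differs from what is already installed.
#
# Requires: pass-cli (logged-in session), jq, ssh-keygen.
# log / warn / need_cmd are provided by lib.sh (sourced below).
#
# NOTE: $private_key holds raw key material for the lifetime of this script;
# do not run it under `set -x` / `bash -x`.
set -euo pipefail

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
# shellcheck source=lib.sh
source "$ROOT/lib.sh"
need_cmd pass-cli
need_cmd jq
need_cmd ssh-keygen

#──────────────────────────────────────────────────────────────
# STATE: SSH key configuration (edit these values)
#──────────────────────────────────────────────────────────────
VAULT_NAME="TA-Netzwerk"
HOST_TITLE="torben-mba"
SSH_DIR="${HOME}/.ssh"
KEY_BASENAME="id_ed25519_${HOST_TITLE}"

#──────────────────────────────────────────────────────────────
# LOGIC: Idempotent SSH key retrieval
#──────────────────────────────────────────────────────────────
KEY_PATH="${SSH_DIR}/${KEY_BASENAME}"
PUB_PATH="${KEY_PATH}.pub"

# Every file this script creates must be private from the moment it exists;
# creating it under the caller's umask and chmod-ing afterwards leaves a
# window in which the private key can be world-readable.
umask 077

log "Checking SSH key setup"

# Refuse to continue without an authenticated Proton Pass CLI session.
if ! pass-cli test >/dev/null 2>&1; then
  warn "Proton Pass CLI session not found"
  warn "Please run: pass-cli login"
  exit 1
fi

# Fetch the item exactly once; its exit status doubles as the existence
# probe, so there is no second round-trip to the vault.
log "Retrieving SSH key from Proton Pass"
if ! item_json=$(pass-cli item view --vault-name "$VAULT_NAME" --item-title "$HOST_TITLE" --output json); then
  warn "Could not find item titled '$HOST_TITLE' in vault '$VAULT_NAME'"
  exit 1
fi

# Reflow the private key into canonical OpenSSH layout: header line, base64
# body wrapped at 70 columns, footer line. The stored copy may carry CRs and
# arbitrary line breaks inside the body, which is why the whitespace is
# stripped and re-inserted. The capture uses named groups (head/body/tail)
# and the "m" flag so that "." also spans newlines in the stored body;
# without a match jq emits nothing and $private_key stays empty.
private_key=$(jq -r '
  .item.content.content.SshKey.private_key
  | select(. != null and . != "")
  | gsub("\\r"; "")
  | capture("(?<head>-----BEGIN OPENSSH PRIVATE KEY-----)(?<body>.*)(?<tail>-----END OPENSSH PRIVATE KEY-----)"; "m")
  | "\(.head)\n"
    + ( .body | gsub("\\s+"; "") | [range(0; length; 70) as $i | .[$i:$i+70]] | join("\n") )
    + "\n" + "\(.tail)\n"
' <<<"$item_json")

public_key=$(jq -r '.item.content.content.SshKey.public_key // empty' <<<"$item_json")

# An item that is not an SSH key, or whose private key lacks the OpenSSH
# armour, produces empty output above. Stop here rather than overwrite a
# working key pair with empty files.
if [[ -z "$private_key" || -z "$public_key" ]]; then
  warn "Item '$HOST_TITLE' in vault '$VAULT_NAME' does not contain an OpenSSH private/public key pair"
  exit 1
fi

# Ensure the target directory exists and is private (umask already makes a
# fresh directory 0700; the chmod also repairs a pre-existing one).
mkdir -p "$SSH_DIR"
chmod 700 "$SSH_DIR"

# Compare against what is already installed. $(<file) and $(...) both strip
# trailing newlines, so the comparison is insensitive to the final newline
# that printf adds on write.
keys_match=false
if [[ -f "$KEY_PATH" && -f "$PUB_PATH" ]]; then
  existing_private=$(<"$KEY_PATH")
  existing_public=$(<"$PUB_PATH")
  if [[ "$existing_private" == "$private_key" && "$existing_public" == "$public_key" ]]; then
    keys_match=true
    log "SSH keys already up to date"
  fi
fi

if [[ "$keys_match" == "false" ]]; then
  # Stage both files in the target directory (mktemp honours the 077 umask,
  # so they are 0600 from creation) and rename them into place only after the
  # private key has been shown to parse and to match the vault's public key.
  # A failure part-way through therefore never leaves a half-written or
  # mismatched pair at $KEY_PATH.
  tmp_key=$(mktemp "${SSH_DIR}/.${KEY_BASENAME}.XXXXXX")
  tmp_pub=$(mktemp "${SSH_DIR}/.${KEY_BASENAME}.pub.XXXXXX")
  trap 'rm -f -- "$tmp_key" "$tmp_pub"' EXIT

  printf '%s\n' "$private_key" > "$tmp_key"
  printf '%s\n' "$public_key" > "$tmp_pub"

  # ssh-keygen -y derives the public key from the private one. -P '' keeps it
  # non-interactive: a passphrase-protected key fails here instead of
  # prompting, so this script deliberately only installs unencrypted keys
  # (the vault is the encryption layer). Adjust if that assumption changes.
  if ! derived_pub=$(ssh-keygen -y -P '' -f "$tmp_key" 2>/dev/null); then
    warn "Private key for '$HOST_TITLE' is not a usable (unencrypted) OpenSSH private key; leaving $KEY_PATH untouched"
    exit 1
  fi

  # Compare key type and base64 blob only; either side may carry a trailing
  # comment field that is irrelevant to whether the pair matches.
  read -r derived_type derived_blob _ <<<"$derived_pub"
  read -r vault_type vault_blob _ <<<"$public_key"
  if [[ "$derived_type $derived_blob" != "$vault_type $vault_blob" ]]; then
    warn "Public key stored for '$HOST_TITLE' does not match its private key; leaving $KEY_PATH untouched"
    exit 1
  fi

  log "Writing SSH private key to $KEY_PATH"
  chmod 600 "$tmp_key"
  mv -f -- "$tmp_key" "$KEY_PATH"

  log "Writing SSH public key to $PUB_PATH"
  chmod 644 "$tmp_pub"
  mv -f -- "$tmp_pub" "$PUB_PATH"

  log "SSH keys updated"
else
  log "SSH keys verified"
fi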