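#!/usr/bin/env bash
#
# Sync service secrets from a KeePassXC vault into a 0600 "service.env" file.
#
# Flow: source $LEADTECH/scripts/env_paths.sh (provides SECRETS_KDBX), export
# the vault once as CSV through expect (keepassxc-cli only accepts the master
# password interactively), keep the entries whose group is "Racine/services"
# or a sub-group of it, and write them as NAME=value lines where NAME is the
# entry title (must match ^[A-Z_][A-Z0-9_]*$) and value is the entry password.
#
# Required env: LEADTECH. Optional env: KDBX_PASSWORD (master password; prompted
# for on the terminal when unset). Meant to be sourced: every function defined
# here is removed again at the end of the file.
#
# Reviewer notes on this version:
#   - the master password is kept in a function-local variable, so it no longer
#     lingers in the sourcing shell after the sync;
#   - the CSV export is streamed instead of printed from expect_out(buffer),
#     which only holds match_max bytes (2000 by default) and would truncate
#     larger vaults;
#   - CSV fields that were cut on an embedded comma, or that contain an
#     unbalanced quote, are skipped with a message instead of being written as
#     a truncated/altered secret;
#   - the target file is replaced atomically via a 0600 temp file, so a failed
#     export no longer leaves an empty service.env behind.

_sync_service_secrets() {
  if [ -z "${LEADTECH:-}" ]; then
    echo "LEADTECH non défini" >&2
    return 1
  fi
  # shellcheck source=/dev/null
  source "$LEADTECH/scripts/env_paths.sh" || { echo "env_paths.sh introuvable" >&2; return 1; }

  if [ ! -f "${SECRETS_KDBX:-}" ]; then
    echo "Coffre introuvable : ${SECRETS_KDBX:-}" >&2
    return 1
  fi

  if ! command -v keepassxc-cli >/dev/null 2>&1; then
    echo "keepassxc-cli introuvable" >&2
    return 1
  fi

  if ! command -v expect >/dev/null 2>&1; then
    echo "expect introuvable" >&2
    return 1
  fi

  local target_file
  case "$(uname -s)" in
    Darwin) target_file="$HOME/.config/auto-secrets/service.env" ;;
    Linux) target_file="/srv/shared/env/service.env" ;;
    *) echo "OS non supporté" >&2; return 1 ;;
  esac

  mkdir -p "$(dirname "$target_file")" || {
    echo "Impossible de créer $(dirname "$target_file")" >&2
    return 1
  }

  # Keep the master password local: it disappears when this function returns
  # instead of staying in the (possibly sourced) shell. The caller's own
  # KDBX_PASSWORD, if any, is read here and left untouched.
  local KDBX_PASSWORD="${KDBX_PASSWORD:-}"
  if [ -z "$KDBX_PASSWORD" ]; then
    printf "Mot de passe KeePassXC : " >&2
    # read -s turns echo off only for the duration of the read, so an
    # interrupted prompt (Ctrl-C) cannot leave the terminal with echo disabled
    # the way a bare `stty -echo` / `stty echo` pair could.
    IFS= read -rs KDBX_PASSWORD
    printf '\n' >&2
  fi
  if [ -z "$KDBX_PASSWORD" ]; then
    echo "Mot de passe vide" >&2
    return 1
  fi

  echo "Sync des secrets de service..." >&2

  # Full CSV export — the vault is opened exactly once. The password reaches
  # expect through its environment (not argv), and keepassxc-cli reads it from
  # the pty with echo disabled, as any password prompt does.
  local csv
  csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
log_user 0
set timeout 30
spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
# The prompt wording follows keepassxc-cli's locale. On a timeout the password
# is still sent, as before. On eof keepassxc-cli exited without asking for a
# password, so nothing secret must be sent to it.
expect {
    "Saisir le mot de passe pour déverrouiller*" {}
    eof { exit 1 }
}
send -- "$env(KDBX_PASSWORD)\r"
# Stream everything after the password straight to stdout. Printing
# expect_out(buffer) at eof is not an option: that buffer only holds match_max
# bytes, 2000 by default, so a larger export would be silently truncated.
log_user 1
expect eof
catch wait result
exit [lindex $result 3]
EOF
  ) || {
    echo "Impossible d'exporter le coffre." >&2
    return 1
  }
  # The export went through a pty, which turns every "\n" into "\r\n". Drop the
  # CRs up front so one can never end up inside a written value.
  csv="${csv//$'\r'/}"

  # Parse CSV: columns "Group","Title","Username","Password",...
  # Only entries whose Group is exactly "Racine/services" or starts with
  # "Racine/services/" are kept (depends on the KeePass tree layout).
  # Splitting on ',' is only acceptable because _csv_unquote_field refuses any
  # field that was cut at an embedded comma; such entries are reported and
  # skipped rather than written with a truncated value.
  local rendered_lines="" loaded=0
  local group title username password rest var_name
  while IFS=',' read -r group title username password rest; do
    _csv_unquote_field "$group" group || continue
    [[ "$group" != "Racine/services" && "$group" != "Racine/services/"* ]] && continue

    # The variable name is the entry title.
    if ! _csv_unquote_field "$title" title; then
      echo "Titre illisible ignoré : $title" >&2
      continue
    fi
    var_name="$title"
    # LC_ALL=C keeps the A-Z ranges ASCII-only regardless of the user's locale.
    if ! printf '%s' "$var_name" | LC_ALL=C grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
      echo "Nom invalide ignoré : $var_name" >&2
      continue
    fi

    if ! _csv_unquote_field "$password" password; then
      echo "Valeur illisible (virgule ou guillemet non géré) ignorée : $var_name" >&2
      continue
    fi
    [ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }

    # Values are written raw, without quoting. Whether the consumer of
    # service.env tolerates spaces, '#' or '=' inside a value depends on its
    # parser — NOTE(review): confirm against the services reading this file.
    rendered_lines+="$var_name=$password"$'\n'
    loaded=$((loaded + 1))
  done <<< "$csv"

  if [ "$loaded" -eq 0 ]; then
    echo "Aucun secret de service chargé." >&2
    return 1
  fi

  # Write through a 0600 temp file in the target directory and rename it into
  # place: readers never see a partially written or world-readable file, and a
  # failure up to this point leaves any previous service.env intact.
  local tmp_file
  tmp_file=$(mktemp "${target_file}.XXXXXX") || {
    echo "Impossible de créer un fichier temporaire dans $(dirname "$target_file")" >&2
    return 1
  }
  chmod 600 "$tmp_file"
  if ! printf '%s' "$rendered_lines" > "$tmp_file" || ! mv -f "$tmp_file" "$target_file"; then
    rm -f "$tmp_file"
    echo "Impossible d'écrire $target_file" >&2
    return 1
  fi
  echo "Secrets de service écrits dans : $target_file"
  echo "Secrets de service chargés : $loaded"
}

# Decode one CSV field, as produced by splitting a record on ',', into the
# variable named by $2. Handles the two shapes a CSV field can take: a bare
# value, or a value wrapped in double quotes with inner quotes doubled ("" -> ").
# Returns 1 when the field is incomplete — a bare quote at one end, or an
# unpaired inner quote — which is what a value containing a comma looks like
# after `read` has split it. Callers must skip such entries rather than write
# the fragment as if it were the whole secret.
_csv_unquote_field() {
  local raw="$1" value
  if [[ "$raw" != *\"* ]]; then
    value="$raw"
  elif [[ "$raw" == \"*\" ]]; then
    value="${raw#\"}"
    value="${value%\"}"
    # Every remaining quote must belong to a "" pair; a lone one means the
    # closing quote just stripped was really half of an escaped pair.
    if [[ "${value//\"\"/}" == *\"* ]]; then
      return 1
    fi
    value="${value//\"\"/\"}"
  else
    # Quote on one side only: the field was cut at an embedded comma.
    return 1
  fi
  printf -v "$2" '%s' "$value"
}

_sync_service_secrets
unset -f _sync_service_secrets _csv_unquote_field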