#!/usr/bin/env bash
# creds-verify.sh — check all expected K8s secrets exist and update creds-state.yaml.
#
# Usage:
#   bash sso-mfa/bootstrap/creds-verify.sh
#   make creds-verify
#
# Checks the following K8s secrets:
#   databases/net-kingdom-pg-privacyidea-app  → secrets_applied.postgres
#   sso/lldap-secrets                         → secrets_applied.lldap
#   sso/authelia-secrets                      → secrets_applied.authelia
#   mfa/privacyidea-config                    → secrets_applied.privacyidea
#   sso/keycape-config                        → secrets_applied.keycape
#   mfa/privacyidea-enckey                    → enckey_bootstrapped
#   sso/keycape-pi-token                      → pi_admin_created

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
STATE_FILE="$SCRIPT_DIR/creds-state.yaml"

if ! kubectl cluster-info &>/dev/null; then
    echo "ERROR: Cannot reach the Kubernetes cluster. Verify KUBECONFIG." >&2
    exit 1
fi

# ── Check helper ──────────────────────────────────────────────────────────────
secret_exists() {
    local ns="$1" name="$2"
    kubectl get secret "$name" --namespace="$ns" --ignore-not-found -o name 2>/dev/null | grep -q .
}

update_state_top() {
    local key="$1" value="$2"
    if [[ -f "$STATE_FILE" ]]; then
        sed -i "s|^$key: .*|$key: $value|" "$STATE_FILE"
    fi
}

update_state_nested() {
    local key="$1" value="$2"
    if [[ -f "$STATE_FILE" ]]; then
        sed -i "s|^  $key: .*|  $key: $value|" "$STATE_FILE"
    fi
}

# ── Results table ─────────────────────────────────────────────────────────────
pass=0
fail=0

check() {
    local label="$1" ns="$2" secret="$3" state_fn="$4" state_key="$5"
    if secret_exists "$ns" "$secret"; then
        printf "  %-40s ✔ exists\n" "$label"
        "$state_fn" "$state_key" "true"
        ((pass++)) || true
    else
        printf "  %-40s ✗ missing  (ns: %s, secret: %s)\n" "$label" "$ns" "$secret"
        "$state_fn" "$state_key" "false"
        ((fail++)) || true
    fi
}

echo "=== creds-verify — net-kingdom SSO/MFA secrets ==="
echo ""

check "postgres (net-kingdom-pg-privacyidea-app)" \
    databases net-kingdom-pg-privacyidea-app \
    update_state_nested postgres

check "lldap (lldap-secrets)" \
    sso lldap-secrets \
    update_state_nested lldap

check "authelia (authelia-secrets)" \
    sso authelia-secrets \
    update_state_nested authelia

check "privacyidea (privacyidea-config)" \
    mfa privacyidea-config \
    update_state_nested privacyidea

check "keycape (keycape-config)" \
    sso keycape-config \
    update_state_nested keycape

echo ""

check "enckey (privacyidea-enckey)" \
    mfa privacyidea-enckey \
    update_state_top enckey_bootstrapped

check "pi-admin token (keycape-pi-token)" \
    sso keycape-pi-token \
    update_state_nested keycape

echo ""
echo "Results: $pass present, $fail missing"

if [[ -f "$STATE_FILE" ]]; then
    echo "State file updated: $STATE_FILE"
fi

[[ "$fail" -eq 0 ]]