#!/bin/bash
set -e

# =============================================================================
# Linux Patch Manager — Post-install script
# =============================================================================
# Fully automated: apt install ./linux-patch-manager_X.X.X-1_amd64.deb
# results in a running HTTPS service. The service generates and prints the
# initial admin password to its journal on first startup.
#
# All steps are idempotent (safe to re-run on upgrade).
# Migrations are handled by the application via sqlx on startup.
# This script: system user, dirs, DB/role, config, JWT keys, CA + web TLS
# cert, sqlx checksum repair (for upgrades from <= 1.1.7), services.
# =============================================================================

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'

info()  { echo -e "${GREEN}[INFO]${NC}  $*"; }
warn()  { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }

DB_NAME="patch_manager"
DB_USER="patch_manager"
CONFIG_DIR="/etc/patch-manager"
SERVICE_USER="patch-manager"

# Secure temp file for passing the DB password between functions.
# (Was a predictable, world-readable /tmp/.pm-db-password-new.)
PM_TMP="$(umask 077 && mktemp /run/pm-postinst.XXXXXX)"
cleanup() { rm -f "${PM_TMP}"; }
trap cleanup EXIT

# ---------------------------------------------------------------------------
# PostgreSQL helpers — runuser instead of sudo (sudo is not guaranteed
# to exist and is discouraged in maintainer scripts).
# ---------------------------------------------------------------------------
psql_run() {
    runuser -u postgres -- psql -v ON_ERROR_STOP=1 "$@" 2>/dev/null
}

psql_run_db() {
    runuser -u postgres -- psql -v ON_ERROR_STOP=1 -d "${DB_NAME}" "$@" 2>/dev/null
}

# ---------------------------------------------------------------------------
# 1. Create service user (idempotent)
# ---------------------------------------------------------------------------
create_service_user() {
    if ! id "${SERVICE_USER}" &>/dev/null; then
        useradd --system --no-create-home --shell /usr/sbin/nologin \
            --comment "Linux Patch Manager service account" "${SERVICE_USER}"
        info "Service user '${SERVICE_USER}' created."
    else
        info "Service user '${SERVICE_USER}' already exists."
    fi
}

# ---------------------------------------------------------------------------
# 2. Create required directories (idempotent)
# ---------------------------------------------------------------------------
create_directories() {
    mkdir -p "${CONFIG_DIR}/ca" "${CONFIG_DIR}/certs" \
             "${CONFIG_DIR}/jwt" "${CONFIG_DIR}/tls" \
             /var/log/patch-manager /opt/patch-manager \
             /var/backups/patch-manager

    chown -R "${SERVICE_USER}:${SERVICE_USER}" \
        "${CONFIG_DIR}" /var/log/patch-manager /opt/patch-manager

    # Frontend assets stay root-owned and read-only: the service must not be
    # able to rewrite the JavaScript it serves (persistence vector if pm-web
    # is ever compromised). pm-web only reads these files.
    chown -R root:root /usr/share/patch-manager/frontend
    chmod -R a+rX /usr/share/patch-manager/frontend

    chmod 750 "${CONFIG_DIR}/ca" "${CONFIG_DIR}/jwt"
    chmod 700 /var/backups/patch-manager
}

# ---------------------------------------------------------------------------
# 3. Wait for PostgreSQL to be ready (non-fatal failure is impossible here:
#    postgresql-16 is a hard dependency and its packaging starts the cluster,
#    but give it time on slow first boots).
# ---------------------------------------------------------------------------
wait_for_postgresql() {
    info "Waiting for PostgreSQL to be ready..."
    local i
    for ((i = 1; i <= 30; i++)); do
        if pg_isready -q 2>/dev/null; then
            info "PostgreSQL is ready."
            return 0
        fi
        warn "PostgreSQL not ready yet (attempt ${i}/30), waiting 2s..."
        sleep 2
    done
    error "PostgreSQL did not become ready after 60 seconds."
    return 1
}

# ---------------------------------------------------------------------------
# 4. Create PostgreSQL user, database, and grants (idempotent)
# ---------------------------------------------------------------------------
setup_database() {
    info "Setting up PostgreSQL database and user..."

    local db_password
    db_password=$(openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | head -c 32)

    local role_exists
    role_exists=$(psql_run -t -A -c "SELECT 1 FROM pg_roles WHERE rolname='${DB_USER}'" 2>/dev/null || echo "")
    if [[ "${role_exists}" != "1" ]]; then
        psql_run -c "CREATE ROLE ${DB_USER} LOGIN PASSWORD '${db_password}';"
        info "PostgreSQL user '${DB_USER}' created."
        printf '%s' "${db_password}" > "${PM_TMP}"
    else
        info "PostgreSQL user '${DB_USER}' already exists."
        local config_file="${CONFIG_DIR}/config.toml"
        local existing_pw=""
        if [[ -f "${config_file}" ]]; then
            existing_pw=$(sed -n 's|^url = "postgres://[^:]*:\(.*\)@localhost.*"|\1|p' "${config_file}" | head -1)
        fi
        if [[ -n "${existing_pw}" && "${existing_pw}" != "CHANGEME" ]]; then
            psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${existing_pw}';" 2>/dev/null || true
            printf '%s' "${existing_pw}" > "${PM_TMP}"
            info "Synced DB password from existing config to PostgreSQL."
        else
            psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
            printf '%s' "${db_password}" > "${PM_TMP}"
            info "Generated new DB password for existing user."
        fi
    fi

    local db_exists
    db_exists=$(psql_run -t -A -c "SELECT 1 FROM pg_database WHERE datname='${DB_NAME}'" 2>/dev/null || echo "")
    if [[ "${db_exists}" != "1" ]]; then
        psql_run -c "CREATE DATABASE ${DB_NAME} OWNER ${DB_USER};"
        info "Database '${DB_NAME}' created."
    else
        info "Database '${DB_NAME}' already exists, skipping creation."
    fi

    psql_run_db -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;" 2>/dev/null || true
    psql_run_db -c "GRANT ALL PRIVILEGES ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
    psql_run_db -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};" 2>/dev/null || true
    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON TABLES TO ${DB_USER};" 2>/dev/null || true
    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON SEQUENCES TO ${DB_USER};" 2>/dev/null || true
    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON FUNCTIONS TO ${DB_USER};" 2>/dev/null || true
}

# ---------------------------------------------------------------------------
# 5. Repair sqlx migration checksums (upgrade from <= 1.1.7 only).
#
# Commit 4cac290 (v1.1.8) rewrote migrations 001/003/007/011/016 in place.
# sqlx::migrate! validates the SHA-384 checksum recorded in _sqlx_migrations
# against the embedded file on every startup, so any database migrated
# before 1.1.8 fails with "migration N was previously applied but has been
# modified" and pm-web crash-loops.
#
# The schema produced by old and new versions of these files is identical
# (the rewrite only added IF-NOT-EXISTS guards), so it is safe to update the
# recorded checksum to match the current embedded content. We only touch
# rows whose checksum matches the known OLD value — fresh installs and
# already-repaired databases are untouched.
#
# NEVER edit an applied migration again; append a new one instead.
# ---------------------------------------------------------------------------
repair_migration_checksums() {
    # Skip if the migrations table doesn't exist yet (fresh install).
    local has_table
    has_table=$(psql_run_db -t -A -c "SELECT to_regclass('public._sqlx_migrations') IS NOT NULL;" 2>/dev/null || echo "f")
    [[ "${has_table}" == "t" ]] || { info "No _sqlx_migrations table (fresh install) — checksum repair not needed."; return 0; }

    info "Checking for stale sqlx migration checksums (pre-1.1.8 databases)..."

    # version | old sha384 | new sha384
    local repairs=(
        "1|3e7492a3fdedf177d0467b495717b1b3f75894cabbd57a8aa0a0fa2189bacb8832ce69f400356c5f717cc3cd87c47685|2828d99226ba5017e754a8a72bce4f7f6d5535172817c2ba90d8ea9b93ff488787ec840cf43cc0eca7e1f526c8a1c0ef"
        "3|097ed9107821f2de4dd3f18b1c1b25aa3110ca4134fe8c37b81049d064357266a8bae05e84edf163bb77a88335943640|e7b6d63f244764184f127234e5b7735c9ea9ee810bd465b06bc9c74370358b56061cec137b7afee91c5417211561164c"
        "7|f3218a5b94ae9e009655e66cd4808a7abebdfae81675bccfbb079567df192f95cd62eab3b6c4d60b06e8a7dcbb1d9297|95c087779e952333094e6d9e058aaa18dc8a898b480152ba7a6d780ccfd3c562525834ea49f19999b1266b0acb9b68e9"
        "11|5bb3dabf7caf0a7c31998e74b03b312d1867a948643084b9253acabe0388bc00831d2a157379eacae971298fa9bc481e|f07ac98ae905b9a9730ec302aafbcce3d56eacf80a8fb0904a9cfd0e7c36fdc38bb21129054d6f0765131ce6fa1cdc2e"
        "16|e5450925e570cbd522cf5edd6990f5e8e010466c494bc39484fcf72651037440083a104eea0d217d65c5625b91bfb514|11d77a7097fe3a212786c55cf5c0b64c44a792ce18ace665aec4336efee1544f41568c0ba4605b9daedbf4ac12e91e6f"
    )

    local entry version old new updated
    for entry in "${repairs[@]}"; do
        IFS='|' read -r version old new <<< "${entry}"
        updated=$(psql_run_db -q -t -A -c \
            "UPDATE _sqlx_migrations SET checksum = '\\x${new}'::bytea \
             WHERE version = ${version} AND checksum = '\\x${old}'::bytea \
             RETURNING version;" 2>/dev/null || echo "")
        if [[ -n "${updated}" ]]; then
            info "Repaired checksum for migration ${version}."
        fi
    done
}

# ---------------------------------------------------------------------------
# 6. Write config.toml with DB URL
# ---------------------------------------------------------------------------
write_config() {
    local config_file="${CONFIG_DIR}/config.toml"

    local db_password=""
    [[ -s "${PM_TMP}" ]] && db_password=$(cat "${PM_TMP}")

    if [[ -f "${config_file}" ]]; then
        if grep -q 'CHANGEME' "${config_file}"; then
            if [[ -z "${db_password}" ]]; then
                db_password=$(openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | head -c 32)
                psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
            fi
            info "Replacing CHANGEME placeholder in existing config with real DB password."
            sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
        else
            info "Config file ${config_file} already exists with a real password, leaving it unchanged."
            return 0
        fi
    else
        if [[ -z "${db_password}" ]]; then
            db_password=$(openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | head -c 32)
            psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
        fi
        info "Writing configuration file..."
        cp /usr/share/patch-manager/config.example.toml "${config_file}"
        sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
    fi

    chown "${SERVICE_USER}:${SERVICE_USER}" "${config_file}"
    chmod 640 "${config_file}"
    info "Configuration written to ${config_file}"
}

# ---------------------------------------------------------------------------
# 7. Generate JWT keys (idempotent)
# ---------------------------------------------------------------------------
generate_jwt_keys() {
    if [[ ! -f "${CONFIG_DIR}/jwt/signing.pem" ]]; then
        info "Generating Ed25519 JWT signing key..."
        openssl genpkey -algorithm ed25519 -out "${CONFIG_DIR}/jwt/signing.pem" 2>/dev/null
        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
        chown "${SERVICE_USER}:${SERVICE_USER}" "${CONFIG_DIR}/jwt/signing.pem" "${CONFIG_DIR}/jwt/verify.pem"
        chmod 600 "${CONFIG_DIR}/jwt/signing.pem"
        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
        info "JWT keys generated."
    elif [[ ! -f "${CONFIG_DIR}/jwt/verify.pem" ]]; then
        info "Regenerating missing JWT verification key from existing signing key..."
        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
        chown "${SERVICE_USER}:${SERVICE_USER}" "${CONFIG_DIR}/jwt/verify.pem"
        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
        info "JWT verification key regenerated."
    else
        info "JWT keys already exist, skipping."
    fi
}

# ---------------------------------------------------------------------------
# 8. Generate internal CA and CA-signed web TLS certificate (idempotent).
#
# This was previously only done by scripts/setup.sh, which the package does
# not ship — so .deb installs had no /etc/patch-manager/tls/web.{crt,key},
# pm-web fell back to PLAIN HTTP on port 443, and the old HTTPS-only
# health check could never pass. Generating these here makes the package
# self-contained and HTTPS-by-default.
# ---------------------------------------------------------------------------
generate_tls_certs() {
    local ca_key="${CONFIG_DIR}/ca/ca.key"
    local ca_cert="${CONFIG_DIR}/ca/ca.crt"
    local tls_cert="${CONFIG_DIR}/tls/web.crt"
    local tls_key="${CONFIG_DIR}/tls/web.key"
    local tls_csr="${CONFIG_DIR}/tls/web.csr"

    if [[ ! -f "${ca_cert}" ]]; then
        info "Generating internal Certificate Authority (ECDSA P-256, 10-year validity)..."
        openssl ecparam -genkey -name prime256v1 -noout -out "${ca_key}"
        # Convert SEC1 → PKCS#8 (the Rust pm-ca crate only parses PKCS#8).
        openssl pkcs8 -topk8 -nocrypt -in "${ca_key}" -out "${ca_key}.tmp" && mv "${ca_key}.tmp" "${ca_key}"
        openssl req -new -x509 -key "${ca_key}" -out "${ca_cert}" \
            -days 3650 \
            -subj "/CN=Patch Manager Root CA/O=Patch Manager" \
            -addext "basicConstraints=critical,CA:true" \
            -addext "keyUsage=critical,keyCertSign,cRLSign"
        chown "${SERVICE_USER}:${SERVICE_USER}" "${ca_key}" "${ca_cert}"
        chmod 600 "${ca_key}"
        chmod 644 "${ca_cert}"
        info "Internal CA generated."
    else
        info "Internal CA already exists, skipping."
    fi

    if [[ ! -f "${tls_cert}" ]]; then
        info "Generating CA-signed web server certificate (valid 365 days)..."
        local fqdn short host_ip san
        fqdn=$(hostname -f 2>/dev/null || echo "localhost")
        short=$(hostname -s 2>/dev/null || echo "localhost")
        host_ip=$(ip -4 route get 1.1.1.1 2>/dev/null | awk '{print $7; exit}' || true)
        san="DNS:${fqdn},DNS:${short},DNS:localhost,IP:127.0.0.1,IP:::1"
        [[ -n "${host_ip}" ]] && san="${san},IP:${host_ip}"

        openssl ecparam -genkey -name prime256v1 -noout -out "${tls_key}"
        openssl req -new -key "${tls_key}" -out "${tls_csr}" \
            -subj "/CN=${fqdn}/O=Patch Manager" \
            -addext "subjectAltName=${san}"
        openssl x509 -req -in "${tls_csr}" -CA "${ca_cert}" -CAkey "${ca_key}" \
            -CAcreateserial -days 365 -out "${tls_cert}" \
            -extfile <(printf "subjectAltName=%s\nextendedKeyUsage=serverAuth\n" "${san}")
        rm -f "${tls_csr}"

        chown "${SERVICE_USER}:${SERVICE_USER}" "${tls_cert}" "${tls_key}"
        chmod 644 "${tls_cert}"
        chmod 600 "${tls_key}"
        info "CA-signed web server certificate generated for ${fqdn}."
    else
        info "TLS certificate already exists, skipping."
    fi
}

# ---------------------------------------------------------------------------
# 9. Enable and start services
# ---------------------------------------------------------------------------
enable_and_start_services() {
    systemctl daemon-reload
    systemctl enable patch-manager.target 2>/dev/null || true
    systemctl enable patch-manager-web.service patch-manager-worker.service 2>/dev/null || true

    if systemctl is-active --quiet patch-manager.target 2>/dev/null; then
        info "Restarting patch-manager services (upgrade)..."
        systemctl restart patch-manager.target 2>/dev/null || true
    else
        info "Starting patch-manager services..."
        systemctl start patch-manager.target 2>/dev/null || true
    fi
}

# ---------------------------------------------------------------------------
# 10. Verify the service came up — ADVISORY ONLY, never fails the install.
# A failed probe prints diagnostics instead of leaving dpkg half-configured.
# ---------------------------------------------------------------------------
report_service_status() {
    info "Waiting up to 30s for pm-web to come up (migrations run on startup)..."
    local i
    for ((i = 1; i <= 30; i++)); do
        if curl -skf https://localhost:443/ >/dev/null 2>&1 || \
           curl -skf https://localhost:8443/ >/dev/null 2>&1 || \
           curl -sf  http://localhost:443/  >/dev/null 2>&1 || \
           curl -sf  http://localhost:8443/ >/dev/null 2>&1; then
            echo ""
            echo -e "${CYAN}=================================================================${NC}"
            echo -e "${GREEN}  Linux Patch Manager is up.${NC}"
            echo ""
            echo -e "  Web UI:    ${GREEN}https://$(hostname -f 2>/dev/null || echo localhost)/${NC}"
            echo -e "  Username:  ${GREEN}admin${NC}"
            echo -e "  Password:  generated on first startup — retrieve it with:"
            echo -e "    ${YELLOW}journalctl -u patch-manager-web | grep -A2 'INITIAL ADMIN PASSWORD' | tail -3${NC}"
            echo ""
            echo -e "  You will be forced to change it on first login."
            echo -e "  The internal CA cert (for trusting the web UI) is at:"
            echo -e "    ${CONFIG_DIR}/ca/ca.crt"
            echo -e "${CYAN}=================================================================${NC}"
            echo ""
            return 0
        fi
        sleep 1
    done

    warn "pm-web did not respond within 30s. The install itself succeeded;"
    warn "the service may still be starting, or it may have failed. Check:"
    warn "  systemctl status patch-manager-web.service"
    warn "  journalctl -u patch-manager-web -n 50"
    return 0
}

# ---------------------------------------------------------------------------
# 11. Install backup cron (idempotent)
# ---------------------------------------------------------------------------
install_backup_cron() {
    if ! crontab -l 2>/dev/null | grep -qF "backup.sh"; then
        (crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/backup.sh >> /var/log/patch-manager/backup.log 2>&1") | crontab -
        info "Nightly backup cron installed."
    fi
}

# =============================================================================
# Main
# =============================================================================
case "$1" in
    configure)
        create_service_user
        create_directories
        wait_for_postgresql
        setup_database
        repair_migration_checksums
        write_config
        generate_jwt_keys
        generate_tls_certs
        enable_and_start_services
        report_service_status
        install_backup_cron

        info "Linux Patch Manager installation complete."
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        ;;
esac

exit 0
