#!/bin/bash
# inject-secrets.sh
# Writes GitLab CI File type variables to the secrets directory
# for K8s-style secret mounting in Docker Compose
#
# GitLab File variables provide the PATH to a temporary file containing the secret.
# This script copies those files to the expected secrets/app/ location.
#
# Required GitLab CI/CD Variables (File type):
#   - POSTGRES_PASSWORD
#   - AUTH0_CLIENT_SECRET
#   - GOOGLE_MAPS_API_KEY
#   - GOOGLE_MAPS_MAP_ID
#
# Required GitLab CI/CD Variables (Variable type):
#   - DEPLOY_PATH

set -euo pipefail

# Configuration
DEPLOY_PATH="${DEPLOY_PATH:-/opt/motovaultpro}"
SECRETS_DIR="${DEPLOY_PATH}/secrets/app"

echo "Injecting secrets..."
echo "  Deploy path: $DEPLOY_PATH"
echo "  Secrets dir: $SECRETS_DIR"

# Clean up any incorrectly created directories and create secrets directory
if [ -e "$SECRETS_DIR" ] && [ ! -d "$SECRETS_DIR" ]; then
    echo "  Removing invalid secrets path..."
    rm -rf "$SECRETS_DIR"
fi
mkdir -p "$SECRETS_DIR"
chmod 700 "$SECRETS_DIR"

# Function to inject a secret
inject_secret() {
    local var_name="$1"
    local file_name="$2"
    local target_path="${SECRETS_DIR}/${file_name}"

    # GitLab File variables contain the PATH to a temp file
    local source_path="${!var_name:-}"

    if [ -z "$source_path" ]; then
        echo "  ERROR: Variable $var_name is not set"
        return 1
    fi

    if [ ! -f "$source_path" ]; then
        echo "  ERROR: File not found for $var_name at $source_path"
        return 1
    fi

    # Remove if exists as directory (cleanup from bad previous runs)
    if [ -d "$target_path" ]; then
        rm -rf "$target_path"
    fi

    # Copy the secret file (644 so container users can read)
    cp "$source_path" "$target_path"
    chmod 644 "$target_path"
    echo "  OK: $file_name"
}

# Inject all secrets
FAILED=0

inject_secret "POSTGRES_PASSWORD" "postgres-password.txt" || FAILED=1
inject_secret "AUTH0_CLIENT_SECRET" "auth0-client-secret.txt" || FAILED=1
inject_secret "GOOGLE_MAPS_API_KEY" "google-maps-api-key.txt" || FAILED=1
inject_secret "GOOGLE_MAPS_MAP_ID" "google-maps-map-id.txt" || FAILED=1

if [ $FAILED -eq 1 ]; then
    echo ""
    echo "ERROR: One or more secrets failed to inject"
    echo "Ensure all required CI/CD variables are configured as File type in GitLab"
    exit 1
fi

echo ""
echo "Secrets injected successfully"
echo "Files created in $SECRETS_DIR:"
ls -la "$SECRETS_DIR"