#!/bin/bash
# restore-staging-fetch.sh — Artefakte vom dmz-backup Restore-Staging holen, decrypten, verifizieren
# Verwendung: restore-staging-fetch.sh <app> <backup-id> <staging-name>
# Beispiel:   restore-staging-fetch.sh homarr 20260622T083928Z 20260622T083928Z-homarr-restore-01

set -euo pipefail

APP="${1:-}"
BACKUP_ID="${2:-}"
STAGING_NAME="${3:-}"

if [ -z "$APP" ] || [ -z "$BACKUP_ID" ] || [ -z "$STAGING_NAME" ]; then
  echo "Verwendung: $0 <app> <backup-id> <staging-name>" >&2
  exit 1
fi

WORKDIR="/home/node/.openclaw/workspace/backups/restore-${APP}-${BACKUP_ID}"
LOG="$WORKDIR/restore.log"
STATUS_FILE="$WORKDIR/restore.status"
STAGING_PATH="/srv/dmz-backup/k3s-dmz/_restore-staging/pidoka/prod/${APP}/${STAGING_NAME}"
INFISICAL_URL="http://192.168.1.121:8088"
PROJECT_ID="ba0a79d9-32fe-474c-be2f-88384a3d9749"
AGE_BIN="/home/node/shared/tools/age"

mkdir -p "$WORKDIR"

log() { echo "[$(date -u +%H:%M:%SZ)] $*" | tee -a "$LOG"; }
fail() { log "FEHLER: $*"; echo "FAILED" > "$STATUS_FILE"; exit 1; }

log "=== Restore-Fetch START: $APP / $BACKUP_ID / $STAGING_NAME ==="
echo "RUNNING" > "$STATUS_FILE"

# Infisical Login
TOKEN=$(curl -s -X POST "$INFISICAL_URL/api/v1/auth/universal-auth/login" \
  -H "Content-Type: application/json" \
  -d "{\"clientId\":\"$INFISICAL_CLIENT_ID\",\"clientSecret\":\"$INFISICAL_AUTH_KEY\"}" \
  | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('accessToken','ERROR'))")
[ "$TOKEN" = "ERROR" ] && fail "Infisical Login fehlgeschlagen"

get_secret() {
  curl -s -X GET "$INFISICAL_URL/api/v3/secrets/raw/$1?workspaceId=$PROJECT_ID&environment=prod&secretPath=/" \
    -H "Authorization: Bearer $TOKEN" \
    | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('secret',{}).get('secretValue',''))"
}

DMZ_HOST=$(get_secret DMZ_BACKUP_HOST)
DMZ_USER=$(get_secret DMZ_BACKUP_SSH_USER)
DMZ_PRIVKEY=$(get_secret KUBE_BOT_DMZ_BACKUP_SSH_PRIVATE_KEY)
AGE_SECRET_NAME="BACKUP_$(echo "$APP" | tr '[:lower:]' '[:upper:]')_AGE_PRIVATE_KEY"
AGE_PRIVKEY=$(get_secret "$AGE_SECRET_NAME")

TMPKEY=$(mktemp)
printf '%s\n' "$DMZ_PRIVKEY" > "$TMPKEY"
chmod 600 "$TMPKEY"

TMPAGE=$(mktemp --suffix=.age-identity)
printf '%s\n' "$AGE_PRIVKEY" > "$TMPAGE"
chmod 600 "$TMPAGE"

# Preflight: Staging-Pfad erreichbar und beschreibbar
log "Preflight: Staging-Pfad prüfen"
ssh -i "$TMPKEY" -o StrictHostKeyChecking=no "$DMZ_USER@$DMZ_HOST" \
  "test -d $STAGING_PATH && echo STAGING_OK || echo STAGING_MISSING" >> "$LOG" 2>&1
STAGING_CHECK=$(ssh -i "$TMPKEY" -o StrictHostKeyChecking=no "$DMZ_USER@$DMZ_HOST" \
  "test -d $STAGING_PATH && echo OK || echo MISSING")
[ "$STAGING_CHECK" = "OK" ] || { rm -f "$TMPKEY" "$TMPAGE"; fail "Staging-Pfad nicht vorhanden: $STAGING_PATH"; }
log "Staging-Pfad: OK"

# Artefakte holen
for KIND in metadata data; do
  AGE_FILE="${BACKUP_ID}__dmz-k3s__pidoka__${APP}__${KIND}.tar.gz.age"
  SHA_FILE="${AGE_FILE}.sha256"
  LOCAL_AGE="$WORKDIR/$AGE_FILE"
  LOCAL_SHA="$WORKDIR/$SHA_FILE"

  # Prüfen ob Datei im Staging vorhanden
  EXIST=$(ssh -i "$TMPKEY" -o StrictHostKeyChecking=no "$DMZ_USER@$DMZ_HOST" \
    "test -f $STAGING_PATH/$AGE_FILE && echo OK || echo MISSING")
  if [ "$EXIST" = "MISSING" ]; then
    log "WARN: $AGE_FILE nicht im Staging — übersprungen"
    continue
  fi

  scp -i "$TMPKEY" -o StrictHostKeyChecking=no "$DMZ_USER@$DMZ_HOST:$STAGING_PATH/$AGE_FILE" "$LOCAL_AGE"
  scp -i "$TMPKEY" -o StrictHostKeyChecking=no "$DMZ_USER@$DMZ_HOST:$STAGING_PATH/$SHA_FILE" "$LOCAL_SHA"
  log "Geholt: $AGE_FILE"

  # SHA256-Check
  cd "$WORKDIR"
  sha256sum -c "$SHA_FILE" >> "$LOG" 2>&1 || { rm -f "$TMPKEY" "$TMPAGE"; fail "SHA256-Check fehlgeschlagen: $SHA_FILE"; }
  log "SHA256 $KIND: OK"

  # Decrypt
  LOCAL_TAR="${LOCAL_AGE%.age}"
  "$AGE_BIN" -d -i "$TMPAGE" -o "$LOCAL_TAR" "$LOCAL_AGE" >> "$LOG" 2>&1 \
    || { rm -f "$TMPKEY" "$TMPAGE"; fail "Decrypt fehlgeschlagen: $AGE_FILE"; }
  log "Decrypt $KIND: OK -> $(basename $LOCAL_TAR)"
done

rm -f "$TMPKEY" "$TMPAGE"
echo "OK" > "$STATUS_FILE"
log "=== Restore-Fetch FERTIG ==="
echo ""
echo "Status: OK"
echo "Workdir: $WORKDIR"
