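#!/usr/bin/env bash
# server/validate_secrets.sh
#
# Checks that the secrets/tokens the services need are really set in the env
# file: not empty/blank, not a CHANGE_ME placeholder, not the default key
# shipped with the project. Exits non-zero so a deployment can refuse a
# "silent" start in production.
#
# Never prints secret values — only the names of the keys that failed.
#
# Usage:
#   ./server/validate_secrets.sh /etc/rpa_vision_v3/rpa_vision_v3.env
#
# Exit status: 0 when everything is set, 1 when the env file is missing or at
# least one required secret is missing/placeholder.

set -euo pipefail

ENV_FILE="${1:-/etc/rpa_vision_v3/rpa_vision_v3.env}"

if [[ ! -f "$ENV_FILE" ]]; then
  printf '❌ Env file introuvable: %s\n' "$ENV_FILE" >&2
  exit 1
fi

#######################################
# Print the octal mode of a file (GNU stat first, then BSD/macOS stat).
# Prints nothing if neither variant is available.
# Arguments: $1 - path
#######################################
_file_mode() {
  stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1" 2>/dev/null || true
}

#######################################
# Print the value assigned to KEY in ENV_FILE (nothing when absent).
# Arguments: $1 - key name; a literal constant from this script, never
#                 user input, so interpolating it into the regex is safe.
# Notes:
#   - The LAST assignment wins, as with a shell `source` of the file: an
#     earlier line cannot hide a later duplicate that the service will use.
#   - Tolerates leading whitespace, an `export ` prefix, whitespace around
#     `=`, a trailing CR, and one pair of surrounding quotes, so a quoted
#     placeholder such as SECRET_KEY="CHANGE_ME" cannot slip through.
#######################################
_get() {
  local key="$1" line value
  line="$(grep -E -e "^[[:space:]]*(export[[:space:]]+)?${key}[[:space:]]*=" -- "$ENV_FILE" 2>/dev/null | tail -n 1 || true)"
  [[ -n "$line" ]] || return 0
  value="${line#*=}"
  value="${value%$'\r'}"
  # Trim surrounding whitespace.
  value="${value#"${value%%[![:space:]]*}"}"
  value="${value%"${value##*[![:space:]]}"}"
  # Strip one pair of matching double or single quotes.
  if [[ "$value" == \"*\" || "$value" == \'*\' ]]; then
    value="${value:1:${#value}-2}"
  fi
  printf '%s' "$value"
}

#######################################
# Return 0 when a value is unusable as a secret, 1 otherwise.
# Unusable means: empty or whitespace-only, a CHANGE_ME marker (any case,
# optionally suffixed, e.g. CHANGE_ME_ADMIN), or the project's default key.
# Arguments: $1 - value to inspect
#######################################
_is_placeholder() {
  local v="${1^^}"
  [[ -z "${v//[[:space:]]/}" ]] && return 0
  case "$v" in
    CHANGE_ME|CHANGE_ME_*|RPA_VISION_V3_DEFAULT_KEY) return 0 ;;
    *) return 1 ;;
  esac
}

# A secrets file readable by group/others leaks every token it holds. This is
# a warning only (some deployments grant a dedicated group 640 on purpose);
# the expected mode is 600 or 400.
env_file_mode="$(_file_mode "$ENV_FILE")"
if [[ "$env_file_mode" =~ ^[0-7]+$ ]] && (( 8#$env_file_mode & 077 )); then
  printf '⚠️  Fichier de secrets lisible par le groupe/les autres (mode %s): %s\n' \
    "$env_file_mode" "$ENV_FILE" >&2
fi

ENVIRONMENT_VAL="$(_get ENVIRONMENT)"
AUTH_REQUIRED_VAL="$(_get RPA_AUTH_REQUIRED)"

# API tokens become mandatory when ENVIRONMENT=production (exact match) or
# RPA_AUTH_REQUIRED=true (case-insensitive); either condition is enough.
AUTH_REQUIRED=false
if [[ "$ENVIRONMENT_VAL" == "production" || "${AUTH_REQUIRED_VAL,,}" == "true" ]]; then
  AUTH_REQUIRED=true
fi

MISSING=0

#######################################
# Flag KEY as missing when its value is absent or a placeholder.
# Globals:   ENV_FILE (read), MISSING (set to 1 on failure)
# Arguments: $1 - key name
# Outputs:   one diagnostic line on stderr per failing key (no values)
#######################################
_require_key() {
  local key="$1" v
  v="$(_get "$key")"
  if _is_placeholder "$v"; then
    printf '❌ Secret manquant ou placeholder: %s\n' "$key" >&2
    MISSING=1
  fi
}

printf '🔎 Validation secrets: %s\n' "$ENV_FILE"

# Always required, regardless of environment.
_require_key "ENCRYPTION_PASSWORD"
_require_key "SECRET_KEY"

if [[ "$AUTH_REQUIRED" == "true" ]]; then
  _require_key "RPA_TOKEN_ADMIN"
  _require_key "RPA_TOKEN_READONLY"
  _require_key "AUTOHEAL_ADMIN_TOKEN"
fi

if [[ "$MISSING" -ne 0 ]]; then
  # Unquoted delimiter on purpose: the hint must point at the file that was
  # actually validated, not at the default path.
  cat >&2 <<EOF
👉 Correctif rapide:
   sudo ./server/bootstrap_secrets_env.sh $ENV_FILE
Puis redémarre:
   sudo systemctl restart rpa-vision-v3-api rpa-vision-v3-dashboard rpa-vision-v3-worker
EOF
  exit 1
fi

printf '✅ Secrets OK\n'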