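#!/bin/bash
#################################################################################
# Authelia Secrets Generator
#################################################################################
#
# ⚠️ CRITICAL WARNING: DO NOT RUN THIS SCRIPT CASUALLY! ⚠️
#
# This script generates completely new secrets for Authelia. Running this will:
#
# 1. 🔑 INVALIDATE ALL EXISTING SECRETS - Users will be logged out, tokens invalid
# 2. 🗄️ REQUIRE UPDATING WOODPECKER CI VAULT - All 10 secrets must be manually
#    updated in your CI/CD system before the new secrets take effect
# 3. 💾 POTENTIALLY REQUIRE RECREATING DOCKER VOLUMES - If you change encryption
#    keys (STORAGE_ENCRYPTION_KEY), existing encrypted database data will be
#    unreadable and you may need to recreate persistent volumes
# 4. 🔄 TRIGGER FULL REDEPLOYMENT - The CI/CD pipeline will need to run to apply
#    the new secrets to production
#
# ONLY run this script when you intentionally want to rotate ALL secrets, such as:
# - Security incident requiring credential rotation
# - Periodic security maintenance (e.g., quarterly rotation)
# - Setting up a completely new environment
#
# REQUIRED STEPS AFTER RUNNING THIS SCRIPT:
# 1. Update all 10 secrets in Woodpecker CI vault with values from secrets.md
# 2. Trigger deployment (git push) to apply new secrets
# 3. Monitor deployment for successful startup
# 4. If database encryption key changed, may need to recreate volumes/data
# 5. Test authentication and OIDC functionality
#
# Usage:       ./<this script>          (writes ./secrets.md, mode 0600)
# Environment: NOTIFIER_SMTP_PASSWORD   optional; overrides the SMTP password
#              written to secrets.md (this value is not generated, see below)
#
#################################################################################

# Strict mode: abort on errors, unset variables and failed pipeline stages so a
# failed openssl call can never silently leave an empty secret in the file.
set -euo pipefail

# Colors for output
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

# Output file (written in the current working directory) and its backup.
readonly SECRETS_FILE='secrets.md'
readonly BACKUP_FILE='secrets.md.backup'

# NOTIFIER_SMTP_PASSWORD is NOT generated: it is the existing production SMTP
# password and must stay in sync with the mail provider. It may be supplied via
# the environment; the literal below is the value this script previously
# hardcoded and is kept only as a fallback for backward compatibility.
# TODO(review): drop the literal fallback and require the env var so this
# credential no longer lives in version-controlled source.
SMTP_PASSWORD="${NOTIFIER_SMTP_PASSWORD:-8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu}"
readonly SMTP_PASSWORD

# Temp file being built; removed by the EXIT trap if the run aborts.
TMP_FILE=''

#######################################
# Print an error (red, with ❌) to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  echo -e "${RED}❌ $*${NC}" >&2
  exit 1
}

#######################################
# Remove the partially written temp file, if any. Runs on every exit path.
# Globals: TMP_FILE (read)
#######################################
cleanup() {
  if [[ -n "$TMP_FILE" ]]; then
    rm -f -- "$TMP_FILE"
  fi
}

#######################################
# Check whether a command is available on PATH.
# Arguments: $1 - command name
# Returns: 0 if found, non-zero otherwise
#######################################
command_exists() {
  command -v "$1" >/dev/null 2>&1
}

#######################################
# Verify required tools (currently only openssl) and print install hints
# for anything missing.
# Outputs: status lines on stdout
# Returns: 0 when all tools are present; exits 1 otherwise
#######################################
check_requirements() {
  local -a missing_tools=()
  local tool

  echo -e "${BLUE}🔍 Checking required tools...${NC}"

  if command_exists openssl; then
    echo -e "${GREEN}✓ openssl found${NC}"
  else
    missing_tools+=("openssl")
  fi

  # If any tools are missing, show installation instructions
  if (( ${#missing_tools[@]} != 0 )); then
    echo ""
    echo -e "${RED}❌ Missing required tools: ${missing_tools[*]}${NC}"
    echo ""
    echo -e "${YELLOW}📦 Installation instructions:${NC}"
    for tool in "${missing_tools[@]}"; do
      case "$tool" in
        openssl)
          echo "• OpenSSL:"
          echo "  - macOS: brew install openssl"
          echo "  - Ubuntu/Debian: sudo apt-get install openssl"
          echo "  - CentOS/RHEL: sudo yum install openssl"
          echo "  - Alpine: apk add openssl"
          ;;
      esac
    done
    echo ""
    echo -e "${RED}Please install the missing tools and run this script again.${NC}"
    exit 1
  fi

  echo -e "${GREEN}✅ All required tools are available${NC}"
  echo ""
}

#######################################
# Print the critical-impact warnings and the required follow-up steps.
# Outputs: warning text on stdout
#######################################
show_warnings() {
  echo -e "${RED}🚨 CRITICAL WARNINGS BEFORE PROCEEDING 🚨${NC}"
  echo -e "${RED}==========================================${NC}"
  echo ""
  echo -e "${YELLOW}This will generate completely NEW secrets that will:${NC}"
  echo -e "${RED}• Invalidate ALL existing user sessions and tokens${NC}"
  echo -e "${RED}• Require manual update of ALL 10 secrets in Woodpecker CI vault${NC}"
  echo -e "${RED}• Potentially require recreating database volumes if encryption key changes${NC}"
  echo -e "${RED}• Cause service downtime until deployment completes${NC}"
  echo ""
  echo -e "${YELLOW}REQUIRED FOLLOW-UP STEPS:${NC}"
  echo "1. Update secrets in Woodpecker CI vault (all 10 values)"
  echo "2. Commit and push to trigger deployment"
  echo "3. Monitor deployment logs for successful startup"
  echo "4. Test authentication functionality"
  echo "5. If STORAGE_ENCRYPTION_KEY changed, may need to recreate volumes"
  echo ""
  echo -e "${BLUE}💡 Only proceed if you understand these implications!${NC}"
  echo ""
}

#######################################
# Warn when the secrets file is not ignored by git, since the follow-up steps
# involve committing from this directory. Silent when git is unavailable or
# the cwd is not inside a git work tree.
# Globals: SECRETS_FILE (read)
# Outputs: warning on stderr when applicable
#######################################
warn_if_not_gitignored() {
  command_exists git || return 0
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  # check-ignore exits 0 only when the path is ignored
  if ! git check-ignore -q -- "$SECRETS_FILE"; then
    echo -e "${YELLOW}⚠️ ${SECRETS_FILE} is not ignored by git - add it to .gitignore before committing!${NC}" >&2
  fi
}

#######################################
# Print a random 48-byte secret, base64 encoded, to stdout.
#######################################
generate_base64_secret() {
  openssl rand -base64 48
}

#######################################
# Print a fresh 2048-bit RSA private key (PEM) to stdout.
# openssl's progress chatter on stderr is discarded; a failure still returns
# non-zero and is caught by the caller.
#######################################
generate_rsa_key() {
  openssl genrsa 2048 2>/dev/null
}

#######################################
# Append one "### NAME" section with a fenced secret value to a file.
# Arguments:
#   $1   - secret name (markdown heading)
#   $2   - one-line description
#   $3   - output file path
#   $4.. - command (and args) that prints the secret value to stdout
# Returns: 0; exits via die if the generator fails, so an empty value is
#   never written (the former `echo "$(generator)"` form masked such failures).
#######################################
append_secret_section() {
  local name=$1 description=$2 out=$3
  shift 3
  {
    printf '### %s\n%s\n\n```\n' "$name" "$description"
    "$@" || die "failed to generate ${name}"
    printf '```\n\n'
  } >>"$out"
}

#######################################
# Entry point: confirm with the operator, generate all secrets into a private
# temp file, rename it into place, then print the follow-up checklist.
# Globals: SECRETS_FILE, BACKUP_FILE, SMTP_PASSWORD (read), TMP_FILE (written)
#######################################
main() {
  local reply tmp

  # Everything this script creates (secrets file, backup) holds credentials:
  # make new files owner-only regardless of the caller's umask.
  umask 077

  echo -e "${BLUE}🔐 Authelia Secrets Generator${NC}"
  echo "=================================="

  check_requirements
  show_warnings

  if [[ -f "$SECRETS_FILE" ]]; then
    echo -e "${YELLOW}⚠️ WARNING: ${SECRETS_FILE} already exists!${NC}"
    # EOF on stdin leaves reply empty, which is treated as "no" below.
    read -r -n 1 -p "Do you want to overwrite it? (y/N): " reply || true
    echo
    if [[ ! "$reply" =~ ^[Yy]$ ]]; then
      die "Cancelled by user"
    fi
    echo -e "${YELLOW}📝 Backing up existing ${SECRETS_FILE} to ${BACKUP_FILE}${NC}"
    cp -- "$SECRETS_FILE" "$BACKUP_FILE"
  fi

  # Final confirmation before generating secrets
  echo -e "${RED}🔥 FINAL CONFIRMATION 🔥${NC}"
  echo -e "${RED}Are you absolutely sure you want to generate NEW secrets?${NC}"
  echo -e "${YELLOW}This will require updating CI vault and may cause data loss!${NC}"
  read -r -p "Type 'YES' to confirm: " reply || true
  echo
  [[ "$reply" == "YES" ]] || die "Cancelled - must type 'YES' to confirm"

  echo -e "${GREEN}🔄 Generating fresh secrets...${NC}"
  echo -e "${BLUE}📝 Creating ${SECRETS_FILE} file...${NC}"

  # Build the file in a private temp file next to the destination (mktemp
  # creates it 0600) and rename it into place at the end, so an aborted run
  # never leaves a half-written secrets file behind.
  tmp=$(mktemp "./${SECRETS_FILE}.XXXXXX") || die "mktemp failed"
  TMP_FILE=$tmp

  {
    printf '# Authelia Production Secrets\n\n'
    printf '**DO NOT COMMIT THIS FILE TO VERSION CONTROL**\n\n'
    printf '## Core Secrets\n\n'
  } >"$tmp"
  append_secret_section AUTHENTICATION_BACKEND_LDAP_PASSWORD \
    "LDAP authentication backend password" "$tmp" generate_base64_secret
  append_secret_section IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET \
    "JWT secret for password reset tokens" "$tmp" generate_base64_secret
  append_secret_section STORAGE_ENCRYPTION_KEY \
    "Database encryption key" "$tmp" generate_base64_secret
  append_secret_section SESSION_SECRET \
    "Session encryption secret" "$tmp" generate_base64_secret
  append_secret_section NOTIFIER_SMTP_PASSWORD \
    "SMTP email notifications password" "$tmp" printf '%s\n' "$SMTP_PASSWORD"

  printf '## OIDC Secrets\n\n' >>"$tmp"
  append_secret_section IDENTITY_PROVIDERS_OIDC_HMAC_SECRET \
    "OIDC HMAC signing secret" "$tmp" generate_base64_secret
  append_secret_section IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY \
    "OIDC token signing private key" "$tmp" generate_rsa_key
  append_secret_section IDENTITY_PROVIDERS_OIDC_JWKS_KEY \
    "OIDC JWKS validation key" "$tmp" generate_rsa_key

  printf '## Client Secrets\n\n' >>"$tmp"
  append_secret_section CLIENT_SECRET_HEADSCALE \
    "Headscale VPN OIDC client secret" "$tmp" generate_base64_secret
  append_secret_section CLIENT_SECRET_HEADADMIN \
    "Headscale admin panel OIDC client secret" "$tmp" generate_base64_secret

  mv -f -- "$tmp" "$SECRETS_FILE"
  TMP_FILE=''

  echo -e "${GREEN}✅ Fresh ${SECRETS_FILE} file generated successfully!${NC}"
  warn_if_not_gitignored
  echo ""
  echo -e "${RED}🚨 CRITICAL NEXT STEPS - DO NOT SKIP! 🚨${NC}"
  echo -e "${RED}=====================================${NC}"
  echo -e "${YELLOW}1. 🗄️ UPDATE WOODPECKER CI VAULT:${NC}"
  echo "   - Go to your Woodpecker CI secrets management"
  echo "   - Update ALL 10 secret values with the new values from ${SECRETS_FILE}"
  echo "   - Double-check each secret is correctly copied"
  echo ""
  echo -e "${YELLOW}2. 🚀 TRIGGER DEPLOYMENT:${NC}"
  echo "   - Commit any changes (never ${SECRETS_FILE}): git add <files> && git commit -m 'rotate secrets'"
  echo "   - Push to trigger CI/CD: git push"
  echo "   - Monitor the deployment logs for successful startup"
  echo ""
  echo -e "${YELLOW}3. 🔍 VERIFY DEPLOYMENT:${NC}"
  echo "   - Check service logs: ssh macmini7 'docker service logs authelia_authelia'"
  echo "   - Test authentication functionality"
  echo "   - Verify OIDC clients can authenticate"
  echo ""
  echo -e "${YELLOW}4. 💾 IF STORAGE_ENCRYPTION_KEY CHANGED:${NC}"
  echo "   - Existing encrypted data will be unreadable"
  echo "   - May need to recreate database volumes"
  echo "   - Users may need to re-register/re-authenticate"
  echo ""
  echo -e "${RED}⚠️ Remember: Keep ${SECRETS_FILE} secure and never commit it to version control!${NC}"

  # Show summary of what was generated
  echo ""
  echo -e "${BLUE}📊 Generated secrets summary:${NC}"
  echo "• AUTHENTICATION_BACKEND_LDAP_PASSWORD (Base64)"
  echo "• IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET (Base64)"
  echo "• STORAGE_ENCRYPTION_KEY (Base64) ⚠️ May require volume recreation"
  echo "• SESSION_SECRET (Base64) ⚠️ Will invalidate all user sessions"
  echo "• NOTIFIER_SMTP_PASSWORD (Fixed production password)"
  echo "• IDENTITY_PROVIDERS_OIDC_HMAC_SECRET (Base64)"
  echo "• IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY (RSA 2048-bit)"
  echo "• IDENTITY_PROVIDERS_OIDC_JWKS_KEY (RSA 2048-bit)"
  echo "• CLIENT_SECRET_HEADSCALE (Base64) ⚠️ Will invalidate Headscale tokens"
  echo "• CLIENT_SECRET_HEADADMIN (Base64) ⚠️ Will invalidate Headadmin tokens"
}

trap cleanup EXIT
main "$@"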