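#!/usr/bin/env bash
# Provision LibEuFin bank users, debit limits and tokens via docker compose.
# Reads .env if present, then uses docker compose exec inside the bank container.
#
# Optional environment (defaults are in the assignments below):
#   COMPOSE_CMD, BANK_SERVICE, BANK_CONFIG,
#   LIBEUFIN_USER, LIBEUFIN_USER_PASSWORD, LIBEUFIN_DEBIT_THRESHOLD,
#   LIBEUFIN_MERCHANT_USER, LIBEUFIN_MERCHANT_PASSWORD,
#   LIBEUFIN_MERCHANT_SCOPE, LIBEUFIN_MERCHANT_TOKEN_DURATION, TOKEN_OUTPUT
set -euo pipefail

# .env is sourced, i.e. executed as shell code, from the current working
# directory. Run this script only from a directory whose .env you control.
if [[ -f ".env" ]]; then
  set -a
  # shellcheck disable=SC1091
  source ".env"
  set +a
fi

COMPOSE_CMD="${COMPOSE_CMD:-docker compose}"
# Split the command string once into an array, so that "docker compose"
# becomes two words without relying on unquoted expansion (which would also
# glob-expand the value).
read -r -a COMPOSE <<<"${COMPOSE_CMD}"

BANK_SERVICE="${BANK_SERVICE:-bank}"
BANK_CONFIG="${BANK_CONFIG:-/etc/libeufin/bank.conf}"
# Deliberately not named USER: that variable is normally exported by the login
# shell, so assigning it would change the environment of every child process.
BANK_USER="${LIBEUFIN_USER:-demogeld}"
USER_PASSWORD="${LIBEUFIN_USER_PASSWORD:-}"
DEBIT_THRESHOLD="${LIBEUFIN_DEBIT_THRESHOLD:-DEMOGELD:1000000}"
TOKEN_USER="${LIBEUFIN_MERCHANT_USER:-demogeldbank}"
# TOKEN_PASSWORD is only tested in main() for the warning; no command in this
# script passes it on.
TOKEN_PASSWORD="${LIBEUFIN_MERCHANT_PASSWORD:-}"
TOKEN_SCOPE="${LIBEUFIN_MERCHANT_SCOPE:-readwrite}"
TOKEN_DURATION="${LIBEUFIN_MERCHANT_TOKEN_DURATION:-forever}"
TOKEN_OUTPUT="${TOKEN_OUTPUT:-bank/token-info.txt}"

# Scratch file holding the output of the user-creation command; removed on exit.
ADD_LOG=""

#######################################
# Remove the scratch log on any exit path.
# Globals: ADD_LOG (read)
#######################################
cleanup() {
  [[ -z "${ADD_LOG}" ]] || rm -f -- "${ADD_LOG}"
}
trap cleanup EXIT

#######################################
# Create the bank user (tolerating "already exists") and set its debit
# threshold.
# Globals: COMPOSE, BANK_SERVICE, BANK_CONFIG, BANK_USER, USER_PASSWORD,
#          DEBIT_THRESHOLD (read); ADD_LOG (written)
# Outputs: progress on stdout, failure details on stderr
# Returns: exits 1 if user creation fails for any reason other than
#          "already exists"
#######################################
ensure_user() {
  echo "Ensuring bank user '${BANK_USER}' exists (password will be set if provided)..."

  # mktemp gives an unpredictable, owner-only file. A fixed name under /tmp
  # could be pre-created or symlinked by another local user, and the captured
  # command output would be readable by everyone on the host.
  ADD_LOG="$(mktemp)"

  # NOTE(review): the password travels on the command line, so it is visible in
  # the host's process list while the command runs, and an unset
  # LIBEUFIN_USER_PASSWORD is passed as an empty string. Confirm against the
  # deployed libeufin-bank version that the `users add` subcommand exists and
  # whether it offers a way to supply the password off the command line.
  if ! "${COMPOSE[@]}" exec -T "${BANK_SERVICE}" libeufin-bank users add "${BANK_USER}" \
    --password "${USER_PASSWORD}" -c "${BANK_CONFIG}" >"${ADD_LOG}" 2>&1; then
    if grep -qi "already exists" "${ADD_LOG}"; then
      # Re-running the script must be harmless, so an existing user is not an error.
      echo "User ${BANK_USER} already exists; proceeding."
    else
      echo "Failed to add user ${BANK_USER}:" >&2
      cat -- "${ADD_LOG}" >&2
      exit 1
    fi
  fi

  echo "Setting debit threshold ${DEBIT_THRESHOLD} for ${BANK_USER}..."
  "${COMPOSE[@]}" exec -T "${BANK_SERVICE}" libeufin-bank edit-account "${BANK_USER}" \
    --debit_threshold "${DEBIT_THRESHOLD}" -c "${BANK_CONFIG}"
}

#######################################
# Create an access token for TOKEN_USER and store it in TOKEN_OUTPUT.
# Globals: COMPOSE, BANK_SERVICE, BANK_CONFIG, TOKEN_USER, TOKEN_SCOPE,
#          TOKEN_DURATION, TOKEN_OUTPUT (read)
# Outputs: the token response on stdout; the same response, preceded by a
#          small header, in TOKEN_OUTPUT (mode 0600)
#######################################
provision_token() {
  echo "Creating token for user '${TOKEN_USER}' (scope=${TOKEN_SCOPE}, duration=${TOKEN_DURATION})..."

  local token_output
  token_output="$("${COMPOSE[@]}" exec -T "${BANK_SERVICE}" libeufin-bank create-token \
    -c "${BANK_CONFIG}" \
    --user="${TOKEN_USER}" \
    --scope="${TOKEN_SCOPE}" \
    --duration="${TOKEN_DURATION}")"

  # The response is a bearer credential. Printing it keeps the script's
  # existing output, but it also ends up in terminal scrollback and CI logs;
  # with the default scope/duration (readwrite, forever) treat those logs as
  # secret material.
  echo "Token response:"
  printf '%s\n' "${token_output}"

  mkdir -p -- "$(dirname -- "${TOKEN_OUTPUT}")"

  # Write the file under a restrictive umask so it is never group/world
  # readable, not even briefly. The subshell keeps the umask change local.
  (
    umask 077
    {
      echo "# Generated $(date -Is)"
      echo "USER=${TOKEN_USER}"
      echo "SCOPE=${TOKEN_SCOPE}"
      echo "DURATION=${TOKEN_DURATION}"
      printf '%s\n' "${token_output}"
    } >"${TOKEN_OUTPUT}"
  )
  # umask only affects newly created files; tighten a file left over from an
  # earlier run as well.
  chmod 600 -- "${TOKEN_OUTPUT}"

  echo "Token saved to ${TOKEN_OUTPUT}"
}

#######################################
# Entry point: warn about missing passwords, then provision user and token.
#######################################
main() {
  if [[ -z "${USER_PASSWORD}" || -z "${TOKEN_PASSWORD}" ]]; then
    echo "Warning: LIBEUFIN_USER_PASSWORD or LIBEUFIN_MERCHANT_PASSWORD not set; user/token may be created without password enforcement." >&2
  fi

  ensure_user
  provision_token
  echo "Done."
}

main "$@"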