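#!/usr/bin/env bash
set -euo pipefail
# shellcheck disable=SC2329
# =============================================================================
# phase8_post_check.sh — Verify Phase 8 (Cutover) succeeded
# Checks:
#   1. HTTPS API endpoint answers (curl validates chain and hostname by default)
#   2. HTTP redirects to HTTPS (301 whose target is an https:// URL)
#   3. TLS certificate verifies against the system trust store for the domain
#   4. All repos accessible via HTTPS
#   5. GitHub repos are marked as offsite backup
# Exits 0 only if ALL checks pass.
# =============================================================================

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "${SCRIPT_DIR}/lib/common.sh"

load_env
require_vars GITEA_DOMAIN GITEA_ADMIN_TOKEN GITEA_ORG_NAME \
             GITHUB_USERNAME GITHUB_TOKEN \
             REPO_1_NAME REPO_2_NAME REPO_3_NAME

log_info "=== Phase 8 Post-Check ==="

REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
PASS=0
FAIL=0

#######################################
# Run one check command and record the outcome.
# Globals:   PASS, FAIL (incremented)
# Arguments: $1 - human-readable description; remaining args - command to run
# Outputs:   success/failure line through log_success / log_error
# Returns:   0 always; the result is carried by the PASS/FAIL counters
#######################################
run_check() {
  local description="$1"; shift
  # stderr of the probe is discarded on purpose: only pass/fail is reported.
  if "$@" 2>/dev/null; then
    log_success "$description"
    PASS=$((PASS + 1))
  else
    log_error "FAIL: $description"
    FAIL=$((FAIL + 1))
  fi
}

# Check 1: HTTPS works. curl is run without -k, so an untrusted, expired or
# hostname-mismatched certificate already fails this check.
run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" \
  curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version"

# Check 2: HTTP redirects to HTTPS (returns 301)
# A bare 301 is not enough: a redirect to another http:// URL would leave
# clients on plaintext, so the redirect target must be an https:// URL.
# shellcheck disable=SC2329
check_redirect() {
  local probe http_code location
  probe=$(curl -sI -o /dev/null -w '%{http_code} %{redirect_url}' \
    "http://${GITEA_DOMAIN}/") || return 1
  read -r http_code location <<<"$probe"
  [[ "$http_code" == "301" && "$location" == https://* ]]
}
run_check "HTTP → HTTPS redirect (301)" check_redirect

# Check 3: SSL certificate is valid (not self-signed)
# A non-empty issuer proves nothing: self-signed, expired and wrong-host
# certificates all carry one. Require the handshake itself to verify the chain
# and the hostname instead.
# NOTE(review): -verify_hostname needs OpenSSL 1.1.0 or newer — confirm on the
# hosts that run this script.
# shellcheck disable=SC2329
check_ssl_cert() {
  local handshake
  handshake=$(openssl s_client -connect "${GITEA_DOMAIN}:443" \
    -servername "${GITEA_DOMAIN}" -verify_hostname "${GITEA_DOMAIN}" \
    -verify_return_error </dev/null 2>/dev/null) || return 1
  grep -q 'Verify return code: 0 (ok)' <<<"$handshake"
}
run_check "SSL certificate is valid" check_ssl_cert

# Check 4: All repos accessible via HTTPS
# The admin token is handed to curl on stdin (-H @-, curl 7.55.0+) rather than
# on the command line, so it does not show up in the process list.
# shellcheck disable=SC2329
check_repo_accessible() {
  printf 'Authorization: token %s\n' "${GITEA_ADMIN_TOKEN}" \
    | curl -sf -o /dev/null -H @- \
        "https://${GITEA_DOMAIN}/api/v1/repos/${GITEA_ORG_NAME}/$1"
}
for repo in "${REPOS[@]}"; do
  run_check "Repo ${repo} accessible at https://${GITEA_DOMAIN}/${GITEA_ORG_NAME}/${repo}" \
    check_repo_accessible "$repo"
done

# Check 5: GitHub repos are marked as offsite backup
# Passes when the GitHub repo description starts with "[MIRROR]".
# Defined once, outside the loop, instead of being redefined per repo.
# shellcheck disable=SC2329
check_mirror_marked() {
  local desc
  desc=$(github_api GET "/repos/${GITHUB_USERNAME}/$1" | jq -r '.description // ""')
  [[ "$desc" == "[MIRROR]"* ]]
}
for repo in "${REPOS[@]}"; do
  run_check "GitHub repo ${repo} marked as mirror" check_mirror_marked "$repo"
done

# Summary
printf '\n'
log_info "Results: ${PASS} passed, ${FAIL} failed"

if (( FAIL > 0 )); then
  log_error "Phase 8 post-check FAILED"
  exit 1
else
  log_success "Phase 8 post-check PASSED — Gitea is live with HTTPS"
  exit 0
fi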