#!/usr/bin/env bash
set -euo pipefail
# shellcheck disable=SC2329

# =============================================================================
# phase2_post_check.sh — Verify Phase 2 (Gitea on Fedora) succeeded
# Independent verification — can be run separately from phase2_gitea_fedora.sh
# Same checks as Phase 1 post-check MINUS the org check (Fedora has no org).
# Exits 0 only if ALL checks pass.
# =============================================================================

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "${SCRIPT_DIR}/lib/common.sh"

load_env
require_vars GITEA_BACKUP_INTERNAL_URL GITEA_ADMIN_USER GITEA_ADMIN_PASSWORD \
             GITEA_BACKUP_ADMIN_TOKEN

log_info "=== Phase 2 Post-Check ==="

PASS=0
FAIL=0

# Helper: run a check, track results — same pattern as phase1_post_check.sh
run_check() {
  local description="$1"; shift
  if "$@" 2>/dev/null; then
    log_success "$description"
    PASS=$((PASS + 1))
  else
    log_error "FAIL: $description"
    FAIL=$((FAIL + 1))
  fi
}

# Check 1: Gitea responds with HTTP 200
run_check "Gitea HTTP 200 at ${GITEA_BACKUP_INTERNAL_URL}" \
  curl -sf -o /dev/null "${GITEA_BACKUP_INTERNAL_URL}/api/v1/version"

# Check 2: Admin user authenticates with basic auth
run_check "Admin user authenticates (basic auth)" \
  curl -sf -o /dev/null -u "${GITEA_ADMIN_USER}:${GITEA_ADMIN_PASSWORD}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/user"

# Check 3: API token works and returns correct username
# shellcheck disable=SC2329
check_token() {
  local response
  response=$(curl -sf -H "Authorization: token ${GITEA_BACKUP_ADMIN_TOKEN}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/user")
  local login
  login=$(printf '%s' "$response" | jq -r '.login')
  [[ "$login" == "${GITEA_ADMIN_USER}" ]]
}
run_check "Backup API token valid (returns correct username)" check_token

# Check 4: Gitea Actions enabled (verify via settings API)
# No org check here — the Fedora instance doesn't create an org.
# Mirror repos are stored under the admin user's namespace.
# shellcheck disable=SC2329
check_actions() {
  curl -sf -H "Authorization: token ${GITEA_BACKUP_ADMIN_TOKEN}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/settings/api" -o /dev/null
}
run_check "Gitea API settings accessible (Actions check)" check_actions

# Summary
printf '\n'
log_info "Results: ${PASS} passed, ${FAIL} failed"

if [[ $FAIL -gt 0 ]]; then
  log_error "Phase 2 post-check FAILED"
  exit 1
else
  log_success "Phase 2 post-check PASSED — Gitea backup on Fedora is fully operational"
  exit 0
fi