#!/usr/bin/env bash
# YuanRong Runtime Restart Script
# Fast restart: stop, reinstall packages, start (no building)

set -e

TYPE="$1"
if [ -z "$TYPE" ]; then
    TYPE="http"
fi

# Get the directory where this script is located
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"

refresh_casdoor_jwt_cert() {
    local endpoint="${CASDOOR_ENDPOINT:-http://casdoor:8000}"
    local cert_file="${SCRIPT_DIR}/casdoor/token_jwt_key.pem"
    local jwks
    local cert

    if ! command -v python3 >/dev/null 2>&1; then
        echo "python3 not found, skipping Casdoor JWT cert refresh"
        return 0
    fi

    jwks=$(curl -fsS "${endpoint}/.well-known/jwks" 2>/dev/null || true)
    if [ -z "${jwks}" ]; then
        echo "Warning: failed to fetch Casdoor JWKS from ${endpoint}, keeping existing JWT cert"
        return 0
    fi

    cert=$(printf '%s' "${jwks}" | python3 -c '
import json
import sys

try:
    data = json.load(sys.stdin)
    keys = data.get("keys") or []
    x5c = keys[0].get("x5c") or []
    value = x5c[0]
except Exception:
    sys.exit(1)

print("-----BEGIN CERTIFICATE-----")
for i in range(0, len(value), 64):
    print(value[i:i + 64])
print("-----END CERTIFICATE-----")
' 2>/dev/null || true)

    if [ -z "${cert}" ]; then
        echo "Warning: failed to parse Casdoor JWKS certificate, keeping existing JWT cert"
        return 0
    fi

    printf '%s\n' "${cert}" > "${cert_file}"
    echo "Refreshed Casdoor JWT public key at ${cert_file}"
}

echo "=== YuanRong Runtime Fast Restart ==="
echo "Project root: ${PROJECT_ROOT}"
echo ""

# Step 1: Stop existing runtime
echo "Step 1: Stopping existing runtime..."
yr stop 2>/dev/null || echo "No running instance found"

# Step 2: Uninstall old packages
echo ""
echo "Step 2: Uninstalling old packages..."
pip uninstall openyuanrong openyuanrong_sdk -y 2>/dev/null || true

# Step 3: Install new packages
echo ""
echo "Step 3: Installing new packages..."
pip install "${PROJECT_ROOT}/output/openyuanrong"*.whl 2>/dev/null || true

# Step 4: Start runtime
echo ""
echo "Step 4: Starting runtime..."
export LITEBUS_DATA_KEY=6D792D7365637265742D6B65792D666F722D6A77742D64656D6F
export CONTAINER_EP=unix:///tmp/yr_sessions/runtime-launcher.sock

# 加载 Keycloak client secret(由 init-realm.sh 生成写入)
KEYCLOAK_ENV_FILE="${SCRIPT_DIR}/keycloak/.keycloak.env"
if [ -f "${KEYCLOAK_ENV_FILE}" ]; then
    # shellcheck source=/dev/null
    source "${KEYCLOAK_ENV_FILE}"
    echo "Loaded Keycloak env from ${KEYCLOAK_ENV_FILE}"
fi

# 加载 Casdoor app 凭据(由 setup_quotas.sh 生成写入)
CASDOOR_ENV_FILE="${SCRIPT_DIR}/casdoor/.casdoor.env"
if [ -f "${CASDOOR_ENV_FILE}" ]; then
    # shellcheck source=/dev/null
    source "${CASDOOR_ENV_FILE}"
    echo "Loaded Casdoor env from ${CASDOOR_ENV_FILE}"
fi

# Keycloak integration envs (can be overridden before running this script)
export AUTH_PROVIDER="${AUTH_PROVIDER:-casdoor}"
if [ "$AUTH_PROVIDER" == "casdoor" ]; then
    export KEYCLOAK_ENABLED="${KEYCLOAK_ENABLED:-false}"
    export CASDOOR_ENABLED="${CASDOOR_ENABLED:-true}"
else
    export KEYCLOAK_ENABLED="${KEYCLOAK_ENABLED:-true}"
    export CASDOOR_ENABLED="${CASDOOR_ENABLED:-false}"
fi

export KEYCLOAK_URL="${KEYCLOAK_URL:-http://wyc.pc:18888}"
export KEYCLOAK_INTERNAL_URL="${KEYCLOAK_INTERNAL_URL:-http://yr-keycloak:8080}"
export KEYCLOAK_REALM="${KEYCLOAK_REALM:-yuanrong}"
export KEYCLOAK_CLIENT_ID="${KEYCLOAK_CLIENT_ID:-frontend}"
export KEYCLOAK_CLIENT_SECRET="${KEYCLOAK_CLIENT_SECRET:-}"

# Casdoor integration envs (can be overridden before running this script)
export CASDOOR_ENDPOINT="${CASDOOR_ENDPOINT:-http://casdoor:8000}"
export CASDOOR_PUBLIC_ENDPOINT="${CASDOOR_PUBLIC_ENDPOINT:-http://wyc.pc:18888}"
export CASDOOR_CLIENT_ID="${CASDOOR_CLIENT_ID:-}"
export CASDOOR_CLIENT_SECRET="${CASDOOR_CLIENT_SECRET:-}"
export CASDOOR_ORGANIZATION="${CASDOOR_ORGANIZATION:-openyuanrong.org}"
export CASDOOR_APPLICATION="${CASDOOR_APPLICATION:-yuanrong}"
export CASDOOR_ADMIN_USER="${CASDOOR_ADMIN_USER:-admin}"
export CASDOOR_ADMIN_PASSWORD="${CASDOOR_ADMIN_PASSWORD:-123}"

refresh_casdoor_jwt_cert

CASDOOR_JWT_PUBLIC_KEY_FILE="${SCRIPT_DIR}/casdoor/token_jwt_key.pem"
if [ -z "${CASDOOR_JWT_PUBLIC_KEY:-}" ] && [ -f "${CASDOOR_JWT_PUBLIC_KEY_FILE}" ]; then
    export CASDOOR_JWT_PUBLIC_KEY="$(cat "${CASDOOR_JWT_PUBLIC_KEY_FILE}")"
    echo "Loaded Casdoor JWT public key from ${CASDOOR_JWT_PUBLIC_KEY_FILE}"
fi

echo "Auth provider config:"
echo "  AUTH_PROVIDER=${AUTH_PROVIDER}"
echo "Keycloak config:"
echo "  KEYCLOAK_ENABLED=${KEYCLOAK_ENABLED}"
echo "  KEYCLOAK_URL=${KEYCLOAK_URL}"
echo "  KEYCLOAK_REALM=${KEYCLOAK_REALM}"
echo "  KEYCLOAK_CLIENT_ID=${KEYCLOAK_CLIENT_ID}"
if [ -n "${KEYCLOAK_CLIENT_SECRET}" ]; then
    echo "  KEYCLOAK_CLIENT_SECRET=***"
else
    echo "  KEYCLOAK_CLIENT_SECRET=<empty>"
fi

echo "Casdoor config:"
echo "  CASDOOR_ENABLED=${CASDOOR_ENABLED}"
echo "  CASDOOR_ENDPOINT=${CASDOOR_ENDPOINT}"
echo "  CASDOOR_PUBLIC_ENDPOINT=${CASDOOR_PUBLIC_ENDPOINT}"
echo "  CASDOOR_ORGANIZATION=${CASDOOR_ORGANIZATION}"
echo "  CASDOOR_APPLICATION=${CASDOOR_APPLICATION}"
echo "  CASDOOR_ADMIN_USER=${CASDOOR_ADMIN_USER}"
if [ -n "${CASDOOR_CLIENT_ID}" ]; then
    echo "  CASDOOR_CLIENT_ID=${CASDOOR_CLIENT_ID}"
else
    echo "  CASDOOR_CLIENT_ID=<empty>"
fi
if [ -n "${CASDOOR_CLIENT_SECRET}" ]; then
    echo "  CASDOOR_CLIENT_SECRET=***"
else
    echo "  CASDOOR_CLIENT_SECRET=<empty>"
fi
if [ -n "${CASDOOR_JWT_PUBLIC_KEY:-}" ]; then
    echo "  CASDOOR_JWT_PUBLIC_KEY=loaded"
else
    echo "  CASDOOR_JWT_PUBLIC_KEY=<empty>"
fi
if [ -n "${CASDOOR_ADMIN_PASSWORD:-}" ]; then
    echo "  CASDOOR_ADMIN_PASSWORD=***"
else
    echo "  CASDOOR_ADMIN_PASSWORD=<empty>"
fi

# Find services.yaml in example directories
SERVICES_YAML="${SCRIPT_DIR}/webterminal/services.yaml"

echo "Using services.yaml: $SERVICES_YAML"

if [ "$TYPE" == "http" ]; then
    echo "Starting in HTTP mode..."
    yr start --master \
        --enable_faas_frontend=true \
        -l DEBUG \
        --port_policy FIX \
        --enable_function_scheduler true \
        --enable_meta_service true \
        --enable_iam_server true \
        -p "$SERVICES_YAML"
elif [ "$TYPE" == "token" ]; then
    echo "Starting in token mode..."
    yr start --master --enable_faas_frontend=true -l DEBUG \
        --port_policy FIX --enable_function_scheduler true \
        --enable_meta_service true \
        --ssl_base_path "${SCRIPT_DIR}/webterminal/cert" \
        --frontend_ssl_enable true \
        --enable_iam_server true \
        --frontend_client_auth_type NoClientCert \
        --enable_function_token_auth true \
        --fs_health_check_retry_times 6000 \
        -p "$SERVICES_YAML"
elif [ "$TYPE" == "mtls" ]; then
    echo "Starting in mtls mode..."
    yr start --master --enable_faas_frontend=true -l DEBUG \
        --port_policy FIX --enable_function_scheduler true \
        --enable_meta_service true \
	    --ssl_base_path "${SCRIPT_DIR}/webterminal/cert/" \
	    --frontend_ssl_enable true \
        --meta_service_ssl_enable true \
	    -p "$SERVICES_YAML"
else
    echo "Unknown type: $TYPE. Valid options are: http, token, mtls."
    exit 1
fi

echo ""
echo "=== Runtime restarted successfully ==="