#!/bin/bash

set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Configuration
CONFIG_FILE="backpm7.yaml"

# Check if file argument is provided
if [ $# -eq 0 ]; then
    echo -e "${RED}Error: No input file specified${NC}"
    echo "Usage: $0 <database.sql.gz.enc>"
    echo "Example: $0 wordpress_20250905_14.sql.gz.enc"
    exit 1
fi

INPUT_FILE="$1"

# Check if input file exists
if [ ! -f "$INPUT_FILE" ]; then
    echo -e "${RED}Error: File not found: $INPUT_FILE${NC}"
    exit 1
fi

# Function to load encryption key from config
load_key_from_config() {
    if [ ! -f "$CONFIG_FILE" ]; then
        echo -e "${YELLOW}Warning: $CONFIG_FILE not found${NC}"
        return 1
    fi
    
    # Check for yq
    if ! command -v yq &> /dev/null; then
        echo -e "${RED}Error: yq is required to read config file${NC}"
        echo "Install with: sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && sudo chmod +x /usr/local/bin/yq"
        return 1
    fi
    
    local key_path=$(yq '.global.enc_key' "$CONFIG_FILE" | tr -d '"')
    
    if [ -z "$key_path" ]; then
        echo -e "${RED}Error: enc_key not found in $CONFIG_FILE${NC}"
        return 1
    fi
    
    if [ ! -f "$key_path" ]; then
        echo -e "${RED}Error: Encryption key file not found: $key_path${NC}"
        return 1
    fi
    
    ENC_KEY=$(cat "$key_path")
    echo -e "${GREEN}Encryption key loaded from: $key_path${NC}"
    return 0
}

# Check file type early - accept both old and new naming
if [[ "$INPUT_FILE" != *.sql.gz.enc ]] && [[ "$INPUT_FILE" != *.sql.tar.gz.enc ]]; then
    echo -e "${RED}Error: File must be a .sql.gz.enc or .sql.tar.gz.enc file${NC}"
    echo "This tool only decrypts SQL backup files created by backpm7.sh"
    exit 1
fi

# Get encryption key from config
if ! load_key_from_config; then
    echo -e "${RED}Error: Cannot load encryption key${NC}"
    echo "Make sure $CONFIG_FILE exists and contains enc_key path"
    exit 1
fi

# Process SQL backup file
echo -e "${BLUE}Decrypting SQL backup: $INPUT_FILE${NC}"

# Determine output file - extract just the filename and put in current directory
BASENAME=$(basename "$INPUT_FILE")
if [[ "$BASENAME" == *.sql.tar.gz.enc ]]; then
    OUTPUT_FILE="${BASENAME%.sql.tar.gz.enc}.sql"
else
    OUTPUT_FILE="${BASENAME%.sql.gz.enc}.sql"
fi

# Decrypt and decompress in one command
echo "Decrypting to: $OUTPUT_FILE"

# Decrypt and decompress in one pipeline
if openssl enc -aes-256-cbc -d -salt -pass pass:"$ENC_KEY" -pbkdf2 -in "$INPUT_FILE" | gunzip > "$OUTPUT_FILE" 2>/dev/null; then
    # Get file size
    size=$(du -h "$OUTPUT_FILE" | cut -f1)
    echo -e "${GREEN}✓ Successfully decrypted: $OUTPUT_FILE ($size)${NC}"
    
    # Show first few lines of SQL
    echo -e "${BLUE}First 5 lines of SQL:${NC}"
    head -n 5 "$OUTPUT_FILE"
else
    echo -e "${RED}✗ Decryption failed${NC}"
    echo "Possible causes:"
    echo "  - Wrong encryption key"
    echo "  - Corrupted file"
    echo "  - File was encrypted differently"
    
    # Try to help debug
    echo -e "\n${YELLOW}Debug info:${NC}"
    echo "File size: $(du -h "$INPUT_FILE" | cut -f1)"
    echo "First bytes (should start with 'Salted__'):"
    hexdump -C "$INPUT_FILE" | head -n 1
    
    # Let's also check what key we're using (first 10 chars)
    echo "Key begins with: ${ENC_KEY:0:10}..."
    
    exit 1
fi

echo -e "${GREEN}Operation completed successfully${NC}"