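#!/usr/bin/env bash
# onx-db-grant — grant privileges on one database to a MariaDB account
#
# Input (JSON, read by onx_json_input into $INPUT):
#   {"db_user":"onx_xxx_user","host":"localhost","db_name":"onx_xxx_app",
#    "privileges":["ALL"]}
#   "host" defaults to "localhost", "privileges" defaults to ["ALL"].
# Output (json_ok):
#   {"db_user":...,"host":...,"db_name":...,"privileges":"...","granted":true}
# Exit codes (via onx_die): 1 = invalid input, 3 = GRANT failed.
#
# Every value that is interpolated into the GRANT statement or the output JSON
# is validated first: db_user/db_name against a strict identifier pattern, host
# against a hostname/wildcard character class, privileges against a fixed
# allow-list. A privilege outside the allow-list aborts the run instead of
# being dropped silently, so the caller is never told "granted":true for a
# different privilege set than the one it requested.
#
# NOTE(review): strict mode (set -euo pipefail) is not set here; it is assumed
# to come from _lib/common.sh — confirm.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${SCRIPT_DIR}/_lib/common.sh"

require_root
require_cmd mysql
onx_json_input

DB_USER="$(onx_json_field db_user)"
HOST="$(onx_json_field host 'localhost')"
DB_NAME="$(onx_json_field db_name)"
# Flatten the privileges array into a comma-separated list (default: ALL).
# jq fails on a non-array value, leaving PRIVS empty; that is rejected below.
PRIVS="$(printf '%s' "$INPUT" | jq -r '(.privileges // ["ALL"]) | join(",")')"

[[ -z "$DB_USER" ]] && onx_die 1 "db_user zorunlu"
[[ -z "$DB_NAME" ]] && onx_die 1 "db_name zorunlu"
# Identifier pattern admits no quote, backtick, space, dot or backslash, so the
# backtick-quoted name in the GRANT and the JSON output cannot be broken out of.
[[ "$DB_USER" =~ ^onx_[a-z0-9]+_[a-z0-9_]+$ ]] || \
    onx_die 1 "Gecersiz db_user: '${DB_USER}'"
[[ "$DB_NAME" =~ ^onx_[a-z0-9]+_[a-z0-9_]+$ ]] || \
    onx_die 1 "Gecersiz db_name: '${DB_NAME}'"
# Host may be a hostname, an IP, or a MariaDB wildcard ('%', '_'). No quote or
# backslash is admitted, so it is safe inside the single-quoted account name.
# A caller passing "%" grants access from any host; that is allowed by design.
[[ "$HOST" =~ ^[a-zA-Z0-9.%_-]+$ ]] || onx_die 1 "Gecersiz host: '${HOST}'"

# Privilege allow-list. Every requested token must match exactly (uppercase,
# no surrounding whitespace); the first token outside the list aborts the run.
readonly PRIV_RE='^(ALL|SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|INDEX|REFERENCES|EXECUTE|CREATE VIEW|SHOW VIEW|CREATE ROUTINE|ALTER ROUTINE|EVENT|TRIGGER|LOCK TABLES)$'
SAFE_LIST=()
# `|| [[ -n "$priv" ]]` keeps the last token, which has no trailing newline.
while IFS= read -r priv || [[ -n "$priv" ]]; do
    [[ -z "$priv" ]] && continue    # empty tokens (",,") carry no privilege
    [[ "$priv" =~ $PRIV_RE ]] || onx_die 1 "Gecersiz privilege: '${priv}'"
    SAFE_LIST+=("$priv")
done < <(printf '%s' "$PRIVS" | tr ',' '\n')
(( ${#SAFE_LIST[@]} > 0 )) || onx_die 1 "Gecersiz privilege listesi: '${PRIVS}'"
# Re-join with commas; the IFS change is confined to the subshell.
SAFE_PRIVS="$(IFS=','; printf '%s' "${SAFE_LIST[*]}")"

onx_log "db-grant: ${SAFE_PRIVS} ON ${DB_NAME} TO ${DB_USER}@${HOST}"

# All interpolated values were validated above, so the statement is built from
# allow-listed tokens only. FLUSH PRIVILEGES is redundant after GRANT (the
# server refreshes its grant tables itself) but is kept as in the original.
# NOTE(review): whether a GRANT to a non-existent account fails or silently
# creates a passwordless one depends on the server's sql_mode
# (NO_AUTO_CREATE_USER) — confirm it is set on the target server.
# The empty first argument to mysql_exec is presumably the default database;
# its meaning is defined in _lib/common.sh.
mysql_exec "" "GRANT ${SAFE_PRIVS} ON \`${DB_NAME}\`.* TO '${DB_USER}'@'${HOST}'; FLUSH PRIVILEGES;" \
    || onx_die 3 "GRANT basarisiz: ${DB_USER}@${HOST} -> ${DB_NAME}"

# Safe to embed without escaping: every value passed the pattern checks above.
json_ok "{\"db_user\":\"${DB_USER}\",\"host\":\"${HOST}\",\"db_name\":\"${DB_NAME}\",\"privileges\":\"${SAFE_PRIVS}\",\"granted\":true}"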
