#!/usr/bin/env bash
# =============================================================================
# onx-gpg-key-import — Import an armored public/secret key into ~/.gnupg
#
# Input:
#   { "username": "onx_xxxx", "public_key": "-----BEGIN PGP PUBLIC KEY..." }
#
# Output:
#   { "fingerprint": "...", "key_id": "...", "imported": true|false }
#
# Exit codes: 0=ok 1=invalid-input 2=preflight-fail 3=execution-fail
# Deployed to: /usr/local/onoxsoft/bin/onx-gpg-key-import
# =============================================================================

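set -euo pipefail

SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
# shellcheck source=/dev/null
source "${SCRIPT_DIR}/_lib/common.sh"

require_cmd jq
require_cmd gpg
require_cmd getent
require_cmd su

# ---- input ------------------------------------------------------------------
INPUT=$(cat)
onx_require_json "${INPUT}"

USERNAME=$(onx_json_get "${INPUT}" "username")
KEYBODY=$(jq -r '.public_key // empty' <<<"${INPUT}")

onx_validate_username "${USERNAME}"
[[ -n "${KEYBODY}" ]] || onx_die 1 "public_key is required"

# Cheap shape check only; gpg is the real parser. NOTE: this accepts a
# "PRIVATE KEY BLOCK" as well (the file header says public/secret is intended),
# so the caller is responsible for deciding whether secret material belongs here.
grep -q 'BEGIN PGP' <<<"${KEYBODY}" || onx_die 1 "public_key does not look like an armored block"

# ---- preflight --------------------------------------------------------------
# Resolve the home directory from the passwd database rather than assuming
# /home/<user>; a missing entry doubles as the "user does not exist" check.
HOME_DIR=$(getent passwd "${USERNAME}" 2>/dev/null | cut -d: -f6) || true
[[ -n "${HOME_DIR}" ]] || onx_die 2 "Linux user does not exist: ${USERNAME}"
GNUPGHOME="${HOME_DIR}/.gnupg"

#######################################
# Run a bash snippet as the target user, passing data as positional
# parameters instead of splicing it into the command string (no shell
# injection surface, no quoting games). The snippet sees its arguments
# as "$1", "$2", ...; stdin/stdout/stderr are inherited.
# Globals:   USERNAME (read)
# Arguments: $1 - bash snippet; $2... - positional parameters for it
# Returns:   the snippet's exit status
#######################################
run_as_user() {
  local snippet=$1
  shift
  # "--" stops su's option parsing so a hostile-looking username cannot
  # become an option; "bash" becomes $0 inside the snippet.
  su -s /bin/bash -c "${snippet}" -- "${USERNAME}" bash "$@"
}

# Create/fix the keyring directory AS THE USER. Root must never mkdir/chmod/
# chown inside a user-writable tree: a planted ~/.gnupg symlink (chmod follows
# symlinks) or hardlinks (with chown -R) would let the user redirect those
# root-privileged operations onto arbitrary files. If the directory already
# exists but is not owned by the user, this fails loudly (exit 2) instead of
# silently re-owning whatever is in there.
run_as_user 'umask 077; mkdir -p -- "$1" && chmod 700 -- "$1"' "${GNUPGHOME}" \
  || onx_die 2 "cannot prepare ${GNUPGHOME} as ${USERNAME} (exists but not owned/writable?)"

# ---- import -----------------------------------------------------------------
# The key is fed to gpg on stdin so the (possibly secret) material never sits
# in /tmp. --status-fd 1 gives machine-readable, locale-independent status lines
# (the human summary such as "unchanged: 1" is translated under non-C locales):
#   [GNUPG:] IMPORT_OK <reason> <fingerprint>
#     reason is a bitmask: 0 = already present/unchanged, 1 = new key,
#     2 = new user IDs, 4 = new signatures, 8 = new subkeys, 16 = contains
#     secret key.
IMPORT_RC=0
IMPORT_OUT=$(printf '%s\n' "${KEYBODY}" \
  | run_as_user 'exec gpg --homedir "$1" --batch --no-tty --status-fd 1 --import' "${GNUPGHOME}" 2>&1) \
  || IMPORT_RC=$?

if (( IMPORT_RC != 0 )); then
  # Do not fall back to "whatever key is last in the keyring": that would report
  # an unrelated, pre-existing key's fingerprint as a successful import.
  onx_die 3 "gpg --import failed (rc=${IMPORT_RC}): $(tail -n 3 <<<"${IMPORT_OUT}" | tr '\n' ' ')"
fi

# First IMPORT_OK line: $3 = reason bitmask, $4 = fingerprint. A block with
# several keys reports the first one, as before.
IMPORT_LINE=$(awk '$1 == "[GNUPG:]" && $2 == "IMPORT_OK" { print $3, $4; exit }' <<<"${IMPORT_OUT}")
[[ -n "${IMPORT_LINE}" ]] || onx_die 3 "import failed: could not determine fingerprint"
read -r REASON FPR <<<"${IMPORT_LINE}"

# Only v4 (160-bit) fingerprints are accepted: the key-ID derivation below is
# v4-specific, and the hex-only check is what makes the printf-built JSON at the
# end safe to emit without escaping.
[[ "${REASON}" =~ ^[0-9]+$ ]] || onx_die 3 "import failed: unexpected status '${IMPORT_LINE}'"
[[ "${FPR}" =~ ^[A-F0-9]{40}$ ]] || onx_die 3 "import failed: unexpected fingerprint '${FPR}'"

# Long key ID of a v4 key = low-order 64 bits = last 16 hex digits.
KEY_ID="${FPR:24:16}"

IMPORTED=true
if [[ "${REASON}" == "0" ]]; then
  IMPORTED=false
fi

if (( REASON & 16 )); then
  onx_log "gpg-key-import: note: block for ${USERNAME} contained secret key material"
fi
onx_log "gpg-key-import: ${FPR} for ${USERNAME} imported=${IMPORTED}"

printf '{"fingerprint":"%s","key_id":"%s","imported":%s}\n' "${FPR}" "${KEY_ID}" "${IMPORTED}"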
