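#!/usr/bin/env bash
# onx-ftp-user-add — add (or update) a user in the Pure-FTPd MySQL backend
# (Phase 1.5: sub-directory jailing, quota, bandwidth).
#
# Input (JSON on stdin, read by onx_json_input):
#   {"username":"onx_xxx_dev","password":"<plain>",
#    "home_dir":"/home/onx_xxx/public_html/uploads",
#    "uid":12345,"gid":12345,
#    "quota_mb":-1,
#    "bandwidth_kb_per_sec":0}
# Output: {"username":...,"home":...,"uid":...,"gid":...,"quota_mb":...,"ul_bandwidth":...,"created":true}
#
# Security notes:
#   * The SQL below is built by string interpolation. That is only acceptable
#     because every interpolated value is restricted to a safe character set
#     (no quotes, backslashes or statement separators) in the validation
#     section. If you add a field, add a whitelist for it too.
#   * The password is hashed with SHA-512 crypt ($6$) and is passed to the
#     hashing tool on stdin, never as an argv word (argv is visible to every
#     local user via ps).
#   * Exit codes: 1 = bad input, 2 = missing tool / hash failure, 3 = DB error.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${SCRIPT_DIR}/_lib/common.sh"

require_root
require_cmd mysql
onx_json_input

USERNAME="$(onx_json_field username)"
PASSWORD="$(onx_json_field password)"
HOME_DIR="$(onx_json_field home_dir)"
UID_VAL="$(onx_json_field uid)"
GID_VAL="$(onx_json_field gid)"
QUOTA_MB="$(onx_json_field quota_mb "-1")"
BW_KBS="$(onx_json_field bandwidth_kb_per_sec "0")"

# ─── Input validation ────────────────────────────────────────────────────────
[[ -z "$USERNAME" ]] && onx_die 1 "username zorunlu"
[[ -z "$PASSWORD" ]] && onx_die 1 "password zorunlu"
[[ -z "$HOME_DIR" ]] && onx_die 1 "home_dir zorunlu"
[[ -z "$UID_VAL"  ]] && onx_die 1 "uid zorunlu"
[[ -z "$GID_VAL"  ]] && onx_die 1 "gid zorunlu"

# Username: fixed prefix, lowercase alnum / underscore only (safe for SQL and JSON).
[[ "$USERNAME" =~ ^onx_[a-z0-9]+_[a-z0-9_]+$ ]] || \
    onx_die 1 "Gecersiz username: '${USERNAME}'"

# uid/gid: decimal integers. Refuse 0 explicitly — an FTP account mapped to
# root would give the chrooted process root's file permissions. (Pure-FTPd's
# MinUID setting may also reject low ids; this check does not rely on it.)
[[ "$UID_VAL" =~ ^[0-9]+$ ]]  || onx_die 1 "Gecersiz uid: '${UID_VAL}'"
[[ "$GID_VAL" =~ ^[0-9]+$ ]]  || onx_die 1 "Gecersiz gid: '${GID_VAL}'"
[[ "$UID_VAL" == "0" || "$GID_VAL" == "0" ]] && onx_die 1 "uid/gid 0 (root) kabul edilmez"

# Home directory must live under /home/<account>/ and every path component may
# only contain [A-Za-z0-9._-]. The component whitelist is what keeps a quote or
# backslash out of the Dir='...' literal below (the old (/.+)? form allowed
# arbitrary bytes after the account name). The explicit '..' test is kept as
# defence in depth against traversal out of the jail.
[[ "$HOME_DIR" =~ ^/home/[a-z][a-z0-9_]+(/[A-Za-z0-9._-]+)*$ ]] || \
    onx_die 1 "home_dir gecersiz format: '${HOME_DIR}'"
[[ "$HOME_DIR" == *..* ]] && onx_die 1 "home_dir path traversal iceriyor"

# The plaintext password is fed to the hasher one line at a time, so an
# embedded newline would silently hash only its first line. Reject it.
[[ "$PASSWORD" == *$'\n'* ]] && onx_die 1 "password satir sonu iceremez"

# quota_mb: -1 (unlimited) or a non-negative integer; anything else → unlimited.
[[ "$QUOTA_MB" =~ ^(-1|[0-9]+)$ ]] || QUOTA_MB="-1"
# bandwidth: 0 (unlimited) or a positive integer; anything else → unlimited.
[[ "$BW_KBS" =~ ^[0-9]+$ ]] || BW_KBS="0"

onx_log "ftp-user-add: user=${USERNAME} home=${HOME_DIR} quota_mb=${QUOTA_MB} bw=${BW_KBS}kb/s"

# ─── Password hash ───────────────────────────────────────────────────────────
# Produce a SHA-512 crypt ($6$) hash of $1, reading the plaintext from stdin
# of the hashing tool rather than argv. Prints the hash; returns non-zero if
# no tool produced a $6$ hash. (Pure-FTPd's MySQLCrypt=crypt verifies through
# the system crypt(3), which supports $6$ on glibc-based hosts.)
hash_password() {
    local plain="$1" hashed=""
    if command -v openssl &>/dev/null; then
        hashed="$(printf '%s\n' "$plain" | openssl passwd -6 -stdin 2>/dev/null)" || hashed=""
    fi
    if [[ -z "$hashed" ]] && command -v mkpasswd &>/dev/null; then
        hashed="$(printf '%s\n' "$plain" | mkpasswd -m sha-512 --stdin 2>/dev/null)" || hashed=""
    fi
    [[ "$hashed" == '$6$'* ]] || return 1
    printf '%s' "$hashed"
}

_mycnf_tmp

HASHED_PW="$(hash_password "$PASSWORD")" || \
    onx_die 2 "openssl (>=1.1.1) veya mkpasswd gerekli: SHA-512 sifre hash uretilemedi"

# Belt and braces: a crypt string is only [A-Za-z0-9./$=]; anything else
# must not reach the quoted SQL literal below.
CRYPT_RE='^\$6\$[A-Za-z0-9./$=]+$'
[[ "$HASHED_PW" =~ $CRYPT_RE ]] || onx_die 2 "beklenmeyen hash formati"

# ─── Insert / update Pure-FTPd MySQL record ──────────────────────────────────
# Dir       = absolute chroot jail path (sub-directory jailing)
# QuotaMBytes = per-user disk quota in MB (-1 = unlimited)
# ULBandwidth / DLBandwidth = per-user bandwidth limit in KB/s (0 = unlimited)
# All interpolated values were whitelisted above (see "Security notes").
# NOTE(review): on an existing row Uid/Gid are deliberately not updated and
# the response still reports "created":true — confirm both are intended.
if ! mysql --defaults-extra-file="$_MYCNF_TMP" --batch --silent "${ONX_FTP_DB}" <<SQL
INSERT INTO ftp_users (User, Password, Uid, Gid, Dir, ULBandwidth, DLBandwidth, QuotaFiles, QuotaMBytes, Ipaccess, Status)
VALUES ('${USERNAME}', '${HASHED_PW}', ${UID_VAL}, ${GID_VAL}, '${HOME_DIR}', ${BW_KBS}, ${BW_KBS}, 0, ${QUOTA_MB}, '*', 1)
ON DUPLICATE KEY UPDATE
    Password='${HASHED_PW}',
    Dir='${HOME_DIR}',
    QuotaMBytes=${QUOTA_MB},
    ULBandwidth=${BW_KBS},
    DLBandwidth=${BW_KBS};
SQL
then
    onx_die 3 "FTP kullanici ekleme basarisiz: ${USERNAME}"
fi

# Every field below is whitelisted, so plain interpolation yields valid JSON.
json_ok "{\"username\":\"${USERNAME}\",\"home\":\"${HOME_DIR}\",\"uid\":${UID_VAL},\"gid\":${GID_VAL},\"quota_mb\":${QUOTA_MB},\"ul_bandwidth\":${BW_KBS},\"created\":true}"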
