#!/usr/bin/env bash
#
# onx-service-restart — systemctl restart $UNIT
#
# Stdin:  JSON {"unit":"httpd"}
# Stdout: JSON {"unit":..., "action":"restart", "success":true, "message":...}
# Exit:   0=ok  1=invalid_input  3=execution_fail

set -euo pipefail

die_input() { printf '{"error":"%s","code":1}\n' "$*" >&2; exit 1; }
die_exec()  { printf '{"error":"%s","code":3}\n' "$*" >&2; exit 3; }
json_str()  { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# ---------------------------------------------------------------------------
# Parse stdin
# ---------------------------------------------------------------------------
INPUT=$(cat)
UNIT=$(echo "$INPUT" | grep -oP '"unit"\s*:\s*"\K[^"]+' 2>/dev/null || true)

[[ -z "$UNIT" ]]            && die_input "unit alani gerekli"
[[ "$UNIT" =~ ^[a-zA-Z0-9._@:-]{1,64}$ ]] || die_input "Gecersiz unit adi"
[[ "$UNIT" == *"/"* ]]       && die_input "Gecersiz unit adi (slash iceremiyor)"

# Protect critical services from accidental restart via sshd (panel admin must confirm)
# (This check can be removed if caller always validates — defense-in-depth)
if [[ "$UNIT" == "sshd" ]]; then
  # Allow restart but log it prominently
  logger -t onox-sysapi "WARNING: sshd restart requested via panel"
fi

# ---------------------------------------------------------------------------
# Execute
# ---------------------------------------------------------------------------
if systemctl restart "${UNIT}" 2>/tmp/onx-svc-restart-err; then
  MSG="$(json_str "${UNIT} yeniden baslatildi")"
  printf '{"unit":"%s","action":"restart","success":true,"message":"%s"}\n' \
    "$(json_str "$UNIT")" "$MSG"
  exit 0
else
  ERR=$(cat /tmp/onx-svc-restart-err 2>/dev/null | head -3 || echo "bilinmeyen hata")
  rm -f /tmp/onx-svc-restart-err
  die_exec "$(json_str "systemctl restart ${UNIT} basarisiz: ${ERR}")"
fi
