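#!/bin/bash
# gitea-approve-repo - Add a Gitea repo to the webhook allowlist
#
# Usage: gitea-approve-repo owner/repo
#
# Appends "owner/repo" to the "repos" array of the JSON allowlist, then
# validates the nginx config with `nginx -t`. You must manually reload nginx.
#
# Security notes (this script is typically run with elevated privileges):
#   - The repo argument is the only untrusted input. The original version
#     spliced it into `python3 -c "..."` source text, so an argument such as
#     `a/b';__import__('os').system('id')` (no slash in the payload, so it
#     passed the "exactly one /" check) executed arbitrary Python. It is now
#     restricted to Gitea-style name characters and handed to python3 via
#     argv; no shell variable is ever interpolated into Python code.
#   - The allowlist is rewritten via temp file + rename so a crash or a full
#     disk cannot leave a truncated (and therefore empty) allowlist behind.
set -euo pipefail

ALLOWLIST="/etc/nginx/gitea-repo-allowlist.json"
REPO="${1:-}"

# Print one array of the allowlist, one " - item" per line.
# Arguments: $1 - allowlist path, $2 - JSON key ("repos" or "trusted_owners")
print_list() {
  python3 -c '
import json, sys
with open(sys.argv[1]) as f:
    data = json.load(f)
for item in data.get(sys.argv[2], []):
    print(" - " + str(item))
' "$1" "$2"
}

if [ -z "$REPO" ]; then
  echo "Usage: gitea-approve-repo owner/repo"
  echo ""
  echo "Adds a repository to the Gitea webhook allowlist."
  echo "After adding, validates with nginx -t."
  echo "You must manually run: sudo nginx -s reload"
  echo ""
  echo "Current allowlist:"
  if [ -f "$ALLOWLIST" ]; then
    print_list "$ALLOWLIST" "repos"
    echo ""
    echo "Trusted owners:"
    print_list "$ALLOWLIST" "trusted_owners"
  else
    echo "  (file not found: $ALLOWLIST)"
  fi
  exit 1
fi

# Validate format: owner and repo are each a non-empty run of letters, digits,
# '.', '_' or '-', separated by exactly one '/'. This is (at least) as strict
# as Gitea's own naming rules and, more importantly, excludes quotes,
# whitespace and control characters. Bash regex instead of `grep -P` (GNU-only).
if ! [[ "$REPO" =~ ^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$ ]]; then
  echo "ERROR: Invalid repo format. Must be: owner/repo (e.g. myorg/my-project)" >&2
  echo "       Only letters, digits, '.', '_' and '-' are allowed in each part." >&2
  exit 1
fi

# Check if already approved, directly or via a trusted owner.
# One python call, inputs passed as argv; prints "repo", "owner" or "no".
if [ -f "$ALLOWLIST" ]; then
  STATUS=$(python3 -c '
import json, sys
with open(sys.argv[1]) as f:
    data = json.load(f)
repo = sys.argv[2]
if repo in data.get("repos", []):
    print("repo")
elif repo.split("/")[0] in data.get("trusted_owners", []):
    print("owner")
else:
    print("no")
' "$ALLOWLIST" "$REPO")
  case "$STATUS" in
    repo)
      echo "Repo '$REPO' is already in the allowlist."
      exit 0
      ;;
    owner)
      echo "Repo '$REPO' is already allowed via trusted owner."
      exit 0
      ;;
  esac
fi

# Add to allowlist
if [ ! -f "$ALLOWLIST" ]; then
  echo "ERROR: Allowlist file not found: $ALLOWLIST" >&2
  echo "Create it first with: echo '{\"repos\": [], \"trusted_owners\": []}' > $ALLOWLIST" >&2
  exit 1
fi

# Rewrite the JSON atomically: write to a temp file in the same directory,
# preserve the original mode (nginx's worker must still be able to read it),
# then rename over the original. A partial write never replaces a good file.
python3 -c '
import json, os, sys, tempfile
path, repo = sys.argv[1], sys.argv[2]
with open(path) as f:
    data = json.load(f)
data.setdefault("repos", []).append(repo)
mode = os.stat(path).st_mode & 0o7777
fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".allowlist.", suffix=".tmp")
try:
    with os.fdopen(fd, "w") as f:
        json.dump(data, f, indent=2)
        f.write("\n")
        f.flush()
        os.fsync(f.fileno())
    os.chmod(tmp, mode)
    os.replace(tmp, path)
except BaseException:
    try:
        os.unlink(tmp)
    except OSError:
        pass
    raise
print("Added: " + repo)
' "$ALLOWLIST" "$REPO"

echo ""
echo "Updated allowlist:"
print_list "$ALLOWLIST" "repos"
echo ""

# Validate nginx config. A non-zero exit here means the allowlist (or something
# else) broke the config; do NOT reload until it is fixed.
echo "Validating nginx configuration..."
if nginx -t 2>&1; then
  echo ""
  echo "Config is valid. To activate, run:"
  echo "  sudo nginx -s reload"
else
  echo ""
  echo "WARNING: nginx -t failed! Check the configuration before reloading." >&2
  exit 1
fi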