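#!/usr/bin/env bash
# COM2: discover and verify the DB credentials of the hx-ki stack.
#
# Password candidates are collected from files under ROOT (known key names
# only, nothing is invented) and then proven by a real login against the
# running Postgres / MariaDB containers. Secrets never reach a shell command
# line (they are passed via the environment only) and are never printed in
# full on stdout: only a masked tail is shown.
#
# Usage: run as a user that can talk to the Docker daemon.
set -euo pipefail

readonly ROOT="/opt/hx-ki"
readonly COMPOSE="/opt/hx-ki/com2-stack/docker-compose.yml"
readonly PG_C="hxki-postgres"
readonly MY_C="hxki-mariadb"

#######################################
# Mask a secret for display: at most its last 4 characters are kept.
# Arguments: $1 - secret
# Outputs:   masked string on stdout
#######################################
mask() {
  local s=$1
  if (( ${#s} <= 4 )); then
    printf '****\n'
  else
    printf '****%s\n' "${s: -4}"
  fi
}

#######################################
# Print the value of one env var from a container's config (last match wins).
# The value is everything after the first '=', so values containing '=' are
# not truncated.
# Arguments: $1 - container name
#            $2 - ERE matching the variable name(s), e.g. 'A|B'
# Outputs:   value on stdout; empty if absent or the container is missing
#######################################
container_env() {
  local c=$1 key_re=$2
  docker inspect "$c" --format '{{range .Config.Env}}{{println .}}{{end}}' 2>/dev/null \
    | awk -v re="^(${key_re})=" '$0 ~ re { sub(/^[^=]*=/, ""); print }' \
    | tail -n1 || true
}

#######################################
# True if the named container is currently running.
# Arguments: $1 - container name
#######################################
is_running() {
  [[ "$(docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null || true)" == "true" ]]
}

#######################################
# Collect unique password candidates from files under ROOT.
# Only values assigned to known keys are taken; nothing is guessed.
# Globals:   ROOT (read)
# Outputs:   one candidate per line on stdout (may be empty)
#######################################
collect_candidates() {
  local keys='POSTGRES_PASSWORD|PG_PASSWORD|DB_POSTGRESDB_PASSWORD|MARIADB_ROOT_PASSWORD|MYSQL_ROOT_PASSWORD|MAUTIC_DB_PASSWORD|MAUTIC_DB_ROOT_PASSWORD'
  # -o prints only the matched KEY[:=]VALUE fragment, so the key can be
  # stripped with an expression anchored at the start. Stripping "up to the
  # last ':' or '='" instead would truncate any password containing ':' or
  # '='. Quoted values may contain whitespace; the surrounding quotes are
  # removed afterwards.
  grep -RIoh -E \
    "(^|[[:space:]])(${keys})[[:space:]]*[:=][[:space:]]*(\"[^\"]*\"|'[^']*'|[^[:space:]]+)" \
    "$ROOT" 2>/dev/null \
    | sed -E 's/^[[:space:]]*[A-Z_]+[[:space:]]*[:=][[:space:]]*//' \
    | sed -E "s/^['\"]//; s/['\"]$//" \
    | awk 'NF' \
    | LC_ALL=C sort -u || true
}

#######################################
# Real Postgres login test as user $1 with password $2.
# Tries the "postgres" DB first, then "template1" (POSTGRES_DB may vary).
# The password travels only as PGPASSWORD in the exec'd process environment,
# never inside a shell command string, so quote characters cannot break out.
# Globals:   PG_C (read)
# Returns:   0 if a login succeeded, 1 otherwise
#######################################
pg_login_ok() {
  local user=$1 pw=$2 db
  for db in postgres template1; do
    if docker exec -e PGPASSWORD="$pw" "$PG_C" \
         psql -U "$user" -d "$db" -tAc 'SELECT 1' >/dev/null 2>&1; then
      return 0
    fi
  done
  return 1
}

#######################################
# Real MariaDB root login test with password $1.
# The password is handed over via MYSQL_PWD, which keeps it out of the
# container's shell command line and out of the mysql process argv.
# Globals:   MY_C (read)
# Returns:   0 if the login succeeded, non-zero otherwise
#######################################
my_root_login_ok() {
  local pw=$1
  docker exec -e MYSQL_PWD="$pw" "$MY_C" mysql -uroot -e 'SELECT 1' >/dev/null 2>&1
}

main() {
  echo "=== COM2 · DISCOVER + VERIFY DB CREDS (one-shot, no guessing) ==="
  [[ -f "$COMPOSE" ]] || { echo "FAIL: missing $COMPOSE" >&2; exit 1; }

  echo "[0] Start only DB containers (for verification tests)"
  # Best effort: a failure here is surfaced later by the running-state check.
  docker compose -f "$COMPOSE" up -d "$PG_C" "$MY_C" >/dev/null 2>&1 || true

  echo "[1] Read current container ENV (ground truth candidates)"
  local pg_user pg_db my_root_pw_env
  pg_user=$(container_env "$PG_C" 'POSTGRES_USER')
  pg_db=$(container_env "$PG_C" 'POSTGRES_DB')
  my_root_pw_env=$(container_env "$MY_C" 'MARIADB_ROOT_PASSWORD|MYSQL_ROOT_PASSWORD')
  echo " PG_USER=${pg_user} PG_DB=${pg_db}"
  echo " MY_ROOT_PW_ENV=${my_root_pw_env:+(set, not shown)}"

  echo "[2] Collect password candidates from existing files (no guessing)"
  local -a candidates=()
  mapfile -t candidates < <(collect_candidates)
  # The password currently configured in the MariaDB container env is a
  # candidate too (it may differ from what is on disk).
  if [[ -n "$my_root_pw_env" ]]; then
    candidates+=("$my_root_pw_env")
  fi
  if (( ${#candidates[@]} )); then
    mapfile -t candidates < <(printf '%s\n' "${candidates[@]}" | awk 'NF' | LC_ALL=C sort -u)
  fi
  echo " Found candidates: ${#candidates[@]}"

  # ${arr[@]+"${arr[@]}"} keeps 'set -u' quiet on an empty array in bash < 4.4.
  local pg_ok="" my_ok="" pw

  echo "[3] Verify Postgres password by REAL login test (no assumptions)"
  if [[ -z "$pg_user" ]]; then
    echo " FAIL: PG_USER not detectable from container env"
  elif ! is_running "$PG_C"; then
    # Without this check every candidate would look like a wrong password.
    echo " FAIL: container $PG_C is not running; cannot test candidates"
  else
    for pw in ${candidates[@]+"${candidates[@]}"}; do
      if pg_login_ok "$pg_user" "$pw"; then
        pg_ok=$pw
        echo " OK: Postgres login works with password $(mask "$pw")"
        break
      fi
    done
    [[ -n "$pg_ok" ]] || echo " FAIL: No candidate password could log in to Postgres as user '$pg_user'"
  fi

  echo "[4] Verify MariaDB root password by REAL login test (no assumptions)"
  if ! is_running "$MY_C"; then
    echo " FAIL: container $MY_C is not running; cannot test candidates"
  else
    for pw in ${candidates[@]+"${candidates[@]}"}; do
      if my_root_login_ok "$pw"; then
        my_ok=$pw
        echo " OK: MariaDB root login works with password $(mask "$pw")"
        break
      fi
    done
    [[ -n "$my_ok" ]] || echo " FAIL: No candidate password could log in to MariaDB as root"
  fi

  echo
  echo "=== RESULT (verifiziert oder nicht auffindbar) ==="
  # The verified values are deliberately not echoed (stdout may be captured
  # or logged); the masked tail was shown in steps [3]/[4].
  if [[ -n "$pg_ok" ]]; then
    echo "POSTGRES_USER=$pg_user"
    echo "POSTGRES_PASSWORD="
  else
    echo "POSTGRES: VERIFIED PASSWORD NOT FOUND IN /opt/hx-ki SOURCES"
  fi
  if [[ -n "$my_ok" ]]; then
    echo "MYSQL_ROOT_PASSWORD="
  else
    echo "MARIADB: VERIFIED ROOT PASSWORD NOT FOUND IN /opt/hx-ki SOURCES"
  fi
  echo
  echo "If one of them is NOT found: the only deterministic path is a controlled password reset (auth bypass), because plaintext cannot be recovered from the data directories."
}

main "$@"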