#!/usr/bin/env bash
# Sign dangerous-grade model + system-user assertions for salmanoff-dev-amd64.
set -euo pipefail

UC_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
ENV_FILE="${UC_ROOT}/config/dev-image.env"
MODEL_TEMPLATE="${UC_ROOT}/models/salmanoff-dev-amd64.model.json"
ASSERT_DIR="${UC_ROOT}/assertions"

usage() {
    cat <<'EOF'
Usage: sign-dev-assertions.sh [OPTIONS]

Sign the dev model assertion and a system-user assertion (SSH key, no Ubuntu One).

Requires config/dev-image.env (see scripts/setup-dev-signing.sh).

Outputs:
  models/salmanoff-dev-amd64.model
  assertions/smo-system-user.assert   (account + account-key + system-user chain)
EOF
}

while [[ $# -gt 0 ]]; do
    case "$1" in
        -h|--help) usage; exit 0 ;;
        *) echo "Unknown option: $1" >&2; usage >&2; exit 1 ;;
    esac
done

if [[ ! -f "$ENV_FILE" ]]; then
    echo "Missing $ENV_FILE — run scripts/setup-dev-signing.sh first" >&2
    exit 1
fi
# shellcheck source=/dev/null
source "$ENV_FILE"

: "${ACCOUNT_ID:?ACCOUNT_ID not set in $ENV_FILE}"
: "${SIGN_KEY_NAME:?SIGN_KEY_NAME not set in $ENV_FILE}"
: "${SYSTEM_USER_NAME:=smo}"
: "${SYSTEM_USER_EMAIL:=smo-dev@salmanoff}"
: "${SSH_PUBKEY_FILE:=config/ssh/smo-dev.pub}"
: "${MODEL_NAME:=salmanoff-dev-amd64}"

SSH_PUBKEY_PATH="${UC_ROOT}/${SSH_PUBKEY_FILE}"
if [[ ! -f "$SSH_PUBKEY_PATH" ]]; then
    echo "SSH public key not found: $SSH_PUBKEY_PATH" >&2
    echo "Run scripts/setup-dev-signing.sh" >&2
    exit 1
fi

KEY_FP="$(snap keys 2>/dev/null | awk -v k="$SIGN_KEY_NAME" '$1 == k {print $2}')"
if [[ -z "$KEY_FP" ]]; then
    echo "Signing key '$SIGN_KEY_NAME' not found. Run scripts/setup-dev-signing.sh" >&2
    exit 1
fi

if ! snap known --remote account-key "public-key-sha3-384=${KEY_FP}" >/dev/null 2>&1; then
    echo "Key '$SIGN_KEY_NAME' is not registered in the Snap Store." >&2
    echo "Run: snapcraft register-key $SIGN_KEY_NAME" >&2
    exit 1
fi

export GPG_TTY="${GPG_TTY:-$(tty)}"

mkdir -p "$ASSERT_DIR" "${UC_ROOT}/models"

TIMESTAMP="$(date -Iseconds --utc)"
MODEL_JSON="$(mktemp)"
MODEL_OUT="${UC_ROOT}/models/${MODEL_NAME}.model"
SYSTEM_USER_JSON="$(mktemp)"
SYSTEM_USER_OUT="${ASSERT_DIR}/smo-system-user.assert"

sed -e "s/@ACCOUNT_ID@/${ACCOUNT_ID}/g" \
    -e "s/@TIMESTAMP@/${TIMESTAMP}/g" \
    "$MODEL_TEMPLATE" > "$MODEL_JSON"

echo "Signing model → $MODEL_OUT"
snap sign -k "$SIGN_KEY_NAME" "$MODEL_JSON" > "$MODEL_OUT"

SSH_PUB="$(tr -d '\n' < "$SSH_PUBKEY_PATH")"
cat > "$SYSTEM_USER_JSON" <<EOF
{
  "type": "system-user",
  "authority-id": "${ACCOUNT_ID}",
  "brand-id": "${ACCOUNT_ID}",
  "series": ["16"],
  "models": ["${MODEL_NAME}"],
  "name": "Salmanoff Dev",
  "username": "${SYSTEM_USER_NAME}",
  "email": "${SYSTEM_USER_EMAIL}",
  "ssh-keys": ["${SSH_PUB}"],
  "since": "2026-06-21T00:00:00+00:00",
  "until": "2064-06-21T00:00:00+00:00"
}
EOF

echo "Signing system-user chain → $SYSTEM_USER_OUT"
snap sign -k "$SIGN_KEY_NAME" "$SYSTEM_USER_JSON" --chain > "$SYSTEM_USER_OUT"

rm -f "$MODEL_JSON" "$SYSTEM_USER_JSON"

echo ""
echo "Model authority/brand: $ACCOUNT_ID"
echo "System user: ${SYSTEM_USER_NAME} (SSH pubkey from ${SSH_PUBKEY_FILE})"
echo "Signing key: ${SIGN_KEY_NAME} (${KEY_FP})"