#!/bin/bash

# Cloudflare Credential Setup Script
# Interactive script to configure Cloudflare API credentials

set -e

echo "🚀 Cloudflare Credential Setup Wizard"
echo "=================================================="
echo

echo "This script will help you configure your Cloudflare API credentials."
echo "You'll need:"
echo "1. Cloudflare API Token (with appropriate permissions)"
echo "2. Cloudflare Account ID"
echo "3. Optional: Zone ID for specific domain management"
echo

# Check if we're in the right directory
if [[ ! "$PWD" =~ "cloudflare" ]]; then
    echo "⚠️  Warning: This script should be run from the cloudflare directory"
    echo "   Current directory: $PWD"
    read -p "Continue anyway? (y/n): " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        echo "Please navigate to the cloudflare directory and run this script again."
        exit 1
    fi
fi

# Function to validate API token format
validate_api_token() {
    local token="$1"
    # Cloudflare API tokens are typically 40+ characters
    [[ ${#token} -ge 40 ]]
}

# Function to validate Account ID format
validate_account_id() {
    local account_id="$1"
    # Account IDs are 32-character hex strings
    [[ "$account_id" =~ ^[a-f0-9]{32}$ ]]
}

# Function to validate Zone ID format
validate_zone_id() {
    local zone_id="$1"
    # Zone IDs are 32-character hex strings
    [[ "$zone_id" =~ ^[a-f0-9]{32}$ ]]
}

# Function to get validated input
get_validated_input() {
    local prompt="$1"
    local validation_func="$2"
    local secret="$3"
    
    while true; do
        if [[ "$secret" == "true" ]]; then
            read -s -p "$prompt" value
            echo
        else
            read -p "$prompt" value
        fi
        
        if [[ -n "$validation_func" ]]; then
            if $validation_func "$value"; then
                echo "$value"
                return
            else
                echo "❌ Invalid format. Please try again."
            fi
        else
            echo "$value"
            return
        fi
    done
}

# Collect credentials
echo "🔐 Cloudflare API Configuration"
echo "------------------------------"
echo

# API Token
echo "📋 Step 1: Cloudflare API Token"
echo "Get your token from: https://dash.cloudflare.com/profile/api-tokens"
echo "Required permissions: Zone:DNS:Edit, Zone:Page Rules:Edit, Account:Read"
API_TOKEN=$(get_validated_input "API Token: " validate_api_token true)

# Account ID
echo
echo "🏢 Step 2: Cloudflare Account ID"
echo "Find your Account ID in the Cloudflare dashboard sidebar"
echo "Format: 32-character hex string (e.g., 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p)"
ACCOUNT_ID=$(get_validated_input "Account ID: " validate_account_id false)

# Zone ID (optional)
echo
echo "🌐 Step 3: Zone ID (Optional)"
echo "If you want to manage a specific domain, provide its Zone ID"
echo "Leave blank to skip"
ZONE_ID=$(get_validated_input "Zone ID (optional): " "[[ -z \"\$1\" ]] || validate_zone_id \"\$1\"" false)

# Create .env file
echo
echo "💾 Saving credentials..."

# Read existing .env if it exists
ENV_CONTENT=""
if [[ -f ".env" ]]; then
    # Preserve existing non-Cloudflare variables
    while IFS= read -r line; do
        if [[ ! "$line" =~ ^CLOUDFLARE_ ]] && [[ ! "$line" =~ ^#.*CLOUDFLARE ]]; then
            ENV_CONTENT="$ENV_CONTENT$line\n"
        fi
    done < ".env"
fi

# Create new .env content
cat > .env << EOF
# OpenCode Environment Variables
# Generated by setup_credentials.sh
# IMPORTANT: Never commit this file to git

# ============================================================================
# CLOUDFLARE API CONFIGURATION
# ============================================================================
CLOUDFLARE_API_TOKEN="$API_TOKEN"
CLOUDFLARE_ACCOUNT_ID="$ACCOUNT_ID"
EOF

# Add Zone ID if provided
if [[ -n "$ZONE_ID" ]]; then
    echo "CLOUDFLARE_ZONE_ID=\"$ZONE_ID\"" >> .env
fi

# Add preserved content
if [[ -n "$ENV_CONTENT" ]]; then
    echo >> .env
    echo "$ENV_CONTENT" >> .env
fi

# Set secure permissions
chmod 600 .env

echo "✅ Credentials saved to: .env"
echo "🔒 File permissions set to 600 (owner read/write only)"

# Basic validation
echo
echo "🧪 Validating credentials..."
if validate_api_token "$API_TOKEN" && validate_account_id "$ACCOUNT_ID"; then
    echo "✅ Credential formats are valid"
    echo "⚠️  Note: Full API connectivity test requires curl or python requests"
else
    echo "❌ Credential validation failed"
    echo "   Please check your inputs and try again"
fi

# Final instructions
echo
echo "🎉 Setup Complete!"
echo "=================================================="
echo
echo "Next steps:"
echo "1. Source the environment file:"
echo "   source .env"
echo
echo "2. Test Terraform configuration:"
echo "   cd terraform && terraform init && terraform plan"
echo
echo "3. Deploy infrastructure:"
echo "   terraform apply"
echo
echo "4. Start MCP servers:"
echo "   Check MCP_GUIDE.md for server startup instructions"
echo
echo "📚 Documentation:"
echo "- USAGE_GUIDE.md - Complete usage instructions"
echo "- DEPLOYMENT_GUIDE.md - Deployment procedures"
echo "- MCP_GUIDE.md - MCP server management"
echo
echo "🔐 Security Reminder:"
echo "- Never commit .env to version control"
echo "- Use .gitignore to exclude .env files"
echo "- Consider using environment-specific .env files (.env.production, etc.)"

# Make script executable
chmod +x "$0"