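#!/bin/bash
#
# Security hardening script for apt-ostree.
#
# Relocates the project from /home/joe/particle-os-tools to
# /opt/particle-os-tools so that the systemd service no longer needs
# ProtectHome=false.
#
# Usage: run as root (sudo). The script prompts before replacing an existing
# destination directory.
#
# NOTE(review): the tree under OLD_PATH lives in a user's home directory. It is
# copied into a root-owned location and sync-service-files.sh from that copy
# is then executed as root (step 6). chown/chmod change who can modify the
# files afterwards; they do not make the copied content trustworthy. Review
# the source tree before running this script.

# -u and pipefail added on top of the original -e so that a typo in a variable
# name aborts instead of expanding to an empty path.
set -euo pipefail

# Colors for output
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

readonly OLD_PATH="/home/joe/particle-os-tools"
readonly NEW_PATH="/opt/particle-os-tools"
# Directory inside the relocated tree that holds the service and config files.
readonly SRC_DIR="$NEW_PATH/src/apt-ostree.py"
readonly SERVICE_FILE="$SRC_DIR/apt-ostreed.service"

#######################################
# Rewrite every occurrence of OLD_PATH to NEW_PATH in one file.
# Globals:   OLD_PATH (read), NEW_PATH (read)
# Arguments: $1 - file to edit in place
#            $2 - human-readable description used in progress output
# Outputs:   progress or a "not found" warning on stdout
# Returns:   0 if the file is missing (skipped); otherwise sed's status
#######################################
update_paths_in_file() {
  local file="$1"
  local description="$2"

  if [ -f "$file" ]; then
    echo " Updating $description..."
    # '|' is used as the delimiter because both paths contain '/'.
    sed -i "s|$OLD_PATH|$NEW_PATH|g" "$file"
  else
    echo " Warning: $file not found, skipping..."
  fi
}

echo -e "${BLUE}=== apt-ostree Security Hardening ===${NC}"
echo "This script will relocate the project to improve security:"
echo " From: $OLD_PATH"
echo " To: $NEW_PATH"
echo
echo "This will eliminate the need for ProtectHome=false in systemd service."
echo

# Check if running as root
if [[ $EUID -ne 0 ]]; then
  echo -e "${RED}Error: This script must be run as root (sudo)${NC}"
  echo "The relocation requires root privileges to move files to /opt"
  exit 1
fi

# Check if old path exists
if [ ! -d "$OLD_PATH" ]; then
  echo -e "${RED}Error: Source directory $OLD_PATH does not exist${NC}"
  exit 1
fi

# Check if new path already exists
if [ -d "$NEW_PATH" ]; then
  echo -e "${YELLOW}Warning: Destination directory $NEW_PATH already exists${NC}"
  read -p "Do you want to backup and replace it? (y/N): " -n 1 -r
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    echo -e "${BLUE}Backing up existing directory...${NC}"
    mv "$NEW_PATH" "${NEW_PATH}.backup.$(date +%Y%m%d_%H%M%S)"
  else
    echo -e "${RED}Aborting. Please remove or rename $NEW_PATH manually.${NC}"
    exit 1
  fi
fi

echo -e "${BLUE}Step 1: Stopping services...${NC}"
# Stop the daemon if running
if systemctl is-active --quiet apt-ostreed.service; then
  echo "Stopping apt-ostreed.service..."
  systemctl stop apt-ostreed.service
fi

echo -e "${BLUE}Step 2: Moving project to /opt...${NC}"
# Create parent directory
mkdir -p "$(dirname "$NEW_PATH")"

# Copy rather than move: the original tree stays in place until step 9, after
# the daemon start test in step 8 has passed.
echo "Moving $OLD_PATH to $NEW_PATH..."
cp -r "$OLD_PATH" "$NEW_PATH"

# Set proper ownership and permissions
echo "Setting proper ownership and permissions..."
# -h changes symlinks themselves instead of whatever they point to, so a link
# in the copied tree cannot redirect the ownership change outside NEW_PATH.
chown -R -h root:root "$NEW_PATH"
# u=rwX,go=rX keeps directories traversable and keeps the execute bit only on
# files that already had one; everything else ends up 644. The previous
# blanket 755 marked every file in the tree (configs, docs, unit files)
# executable. If a script that must be run directly lacks an execute bit in
# the source tree, set it explicitly on that file.
chmod -R u=rwX,go=rX "$NEW_PATH"

echo -e "${BLUE}Step 3: Updating path references...${NC}"

# NOTE(review): several entries below are described as symlinks. If they are,
# GNU sed -i (without --follow-symlinks) replaces the link with a regular
# file holding the edited content -- confirm that is the intended result.

# Update systemd service files
update_paths_in_file "$SERVICE_FILE" "systemd service file"
update_paths_in_file "$SRC_DIR/systemd-symlinks/apt-ostreed.service" "systemd service symlink"
update_paths_in_file "$SRC_DIR/systemd-symlinks/apt-ostree.service" "legacy systemd service symlink"

# Update D-Bus service files
update_paths_in_file "$SRC_DIR/org.debian.aptostree1.service" "D-Bus activation service"
update_paths_in_file "$SRC_DIR/systemd-symlinks/org.debian.aptostree1.service" "D-Bus service symlink"

# Update configuration files
update_paths_in_file "$SRC_DIR/config/apt-ostreed.yaml" "production configuration"
update_paths_in_file "$SRC_DIR/config/apt-ostreed-dev.yaml" "development configuration"
update_paths_in_file "$SRC_DIR/config/README.md" "configuration documentation"

# Update shell integration paths
update_paths_in_file "$SRC_DIR/python/utils/shell_integration.py" "shell integration utility"

# Update test and utility scripts
update_paths_in_file "$SRC_DIR/run_full_tests.sh" "test runner script"
update_paths_in_file "$SRC_DIR/test_apt_layer_fix.sh" "apt-layer test script"
update_paths_in_file "$SRC_DIR/fix_apt_layer_paths.sh" "apt-layer path fix script"

echo -e "${BLUE}Step 4: Removing ProtectHome=false from systemd service...${NC}"
# Drop the ProtectHome=false line from the unit file.
sed -i '/ProtectHome=false/d' "$SERVICE_FILE"
# NOTE(review): step 3 has already rewritten every OLD_PATH occurrence in this
# file to NEW_PATH, so this pattern can no longer match and the delete is a
# no-op. Any ReadWritePaths= line therefore survives pointing at NEW_PATH,
# which would leave the daemon able to write to its own install tree. Confirm
# whether that line should be removed or narrowed to a data directory.
sed -i '/ReadWritePaths.*\/home\/joe\/particle-os-tools/d' "$SERVICE_FILE"

# Update PYTHONPATH environment variable
sed -i "s|PYTHONPATH=.*|PYTHONPATH=$SRC_DIR/python|g" "$SERVICE_FILE"

echo -e "${BLUE}Step 5: Updating symlinks...${NC}"
# Re-point the apt-ostree command symlink at the relocated entry point. It is
# only touched when it already exists as a symlink.
if [ -L "/usr/local/bin/apt-ostree" ]; then
  echo "Updating apt-ostree symlink..."
  ln -sfn "$SRC_DIR/python/apt_ostree_new.py" "/usr/local/bin/apt-ostree"
fi

echo -e "${BLUE}Step 6: Reinstalling service files...${NC}"
# Run the sync script to update service files. The subshell keeps the cd from
# leaking into the rest of the script; a failure still aborts under set -e.
(
  cd "$SRC_DIR"
  ./sync-service-files.sh
)

echo -e "${BLUE}Step 7: Reloading systemd and D-Bus...${NC}"
systemctl daemon-reload
systemctl reload dbus

echo -e "${BLUE}Step 8: Testing the daemon...${NC}"
# Test that the daemon can start. It is stopped again afterwards, so the
# service is left stopped when this script finishes.
echo "Testing daemon startup..."
if systemctl start apt-ostreed.service; then
  echo -e "${GREEN}✓ Daemon started successfully${NC}"
  systemctl stop apt-ostreed.service
else
  echo -e "${RED}✗ Daemon failed to start${NC}"
  echo "Check the logs with: journalctl -u apt-ostreed.service -n 50"
  exit 1
fi

echo -e "${BLUE}Step 9: Creating backup of old directory...${NC}"
# Move the original tree aside; it becomes the restore point.
BACKUP_PATH="${OLD_PATH}.backup.$(date +%Y%m%d_%H%M%S)"
echo "Creating backup at $BACKUP_PATH..."
mv "$OLD_PATH" "$BACKUP_PATH"

echo -e "${BLUE}Step 10: Creating symlink from old to new location...${NC}"
# NOTE(review): this link lives in a directory owned by a regular user, who
# can replace it at any time. Nothing that runs as root should resolve paths
# through OLD_PATH after the relocation -- verify no unit file or script still
# references it.
ln -sfn "$NEW_PATH" "$OLD_PATH"
echo "Symlink created: $OLD_PATH -> $NEW_PATH"

echo
echo -e "${GREEN}=== Security Hardening Complete! ===${NC}"
echo
echo "Project has been successfully relocated:"
echo " From: $OLD_PATH"
echo " To: $NEW_PATH"
echo " Backup: $BACKUP_PATH"
echo
echo "Security improvements:"
echo " ✓ Removed ProtectHome=false from systemd service"
echo " ✓ Project now located in /opt (standard system directory)"
echo " ✓ Proper ownership and permissions set"
echo " ✓ All path references updated"
echo
echo "Next steps:"
echo " 1. Update your development environment to use $NEW_PATH"
echo " 2. Update any IDE/editor workspace paths"
echo " 3. Test the daemon: sudo systemctl start apt-ostreed.service"
echo " 4. Run integration tests: cd $NEW_PATH && ./src/apt-ostree.py/run_integration_tests.sh"
echo
echo "To restore from backup if needed:"
# OLD_PATH is now a symlink to a directory, so a plain mv onto it would move
# the backup *into* NEW_PATH instead of restoring it; the link has to be
# removed first.
echo " sudo rm $OLD_PATH"
echo " sudo mv $BACKUP_PATH $OLD_PATH"
echo " sudo systemctl stop apt-ostreed.service"
echo " cd $OLD_PATH/src/apt-ostree.py && ./sync-service-files.sh"
echo " sudo systemctl daemon-reload"
echo
echo -e "${GREEN}Security hardening completed successfully!${NC}"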