#!/bin/bash
set -euo pipefail

# Traefik Restore Smoke Test
#
# Beweist, dass die restaurierten Traefik-Dateien (dynamic/, letsencrypt/)
# aus dem Borg-Archiv einen funktionsfaehigen Traefik-Start ermoeglichen.
#
# Scope:
# - Borg-Extract von dynamic/ und letsencrypt/
# - Traefik startet mit File-Provider gegen restauriertes dynamic/
# - /ping Health-Endpoint antwortet
# - acme.json aus letsencrypt/ ist vorhanden und nicht leer
#
# Bewusst NICHT Teil des Smokes:
# - Docker-Provider (kein docker.sock im Test — wuerde produktive Container discovern)
# - ACME/DNS-Challenge (kein CF-Token im Test)
# - TLS-Terminierung (kein Cert-Test)
# - Produktive Ports 80/443

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
. "$SCRIPT_DIR/common.sh"

WHATIF=0
KEEP_DATA=0
for arg in "$@"; do
  case "$arg" in
    --what-if) WHATIF=1 ;;
    --keep-data) KEEP_DATA=1 ;;
    *) echo "Unknown argument: $arg" >&2; exit 1 ;;
  esac
done

RESTORE_ROOT="/mnt/user/backups/restore-lab/traefik"
REPORT_ROOT="/mnt/user/backups/restore-reports"
EXTRACT_DIR="$BORG_RESTORE_HOST_ROOT/traefik-extract"
COMPOSE_FILE="$SCRIPT_DIR/traefik-compose.test.yml"
REPORT_FILE="$REPORT_ROOT/traefik-$(date +%F).md"

if [ "$WHATIF" -eq 1 ]; then
  cat <<EOF
Traefik restore test
Mode: WhatIf
RestoreRoot: $RESTORE_ROOT
Borg source: local/appdata/traefik
Test endpoint: 127.0.0.1:18880/ping
Scope: File-Provider + Ping, kein Docker-Provider, kein ACME, kein CF-Token
EOF
  exit 0
fi

require_cmd docker
require_cmd curl
require_path "$BORG_PASSPHRASE_FILE_DEFAULT"
require_path "$COMPOSE_FILE"

RESTORE_SUCCESS=0
cleanup() {
  cleanup_compose "$COMPOSE_FILE"
  if [ "$RESTORE_SUCCESS" -ne 1 ]; then
    preserve_on_failure "traefik" "$RESTORE_ROOT"
    rm -rf "$EXTRACT_DIR"
    return
  fi
  if [ "$KEEP_DATA" -ne 1 ]; then
    rm -rf "$RESTORE_ROOT"
  fi
  rm -rf "$EXTRACT_DIR"
}
trap cleanup EXIT

rm -rf "$EXTRACT_DIR" "$RESTORE_ROOT"
mkdir -p "$RESTORE_ROOT"

archive="$(latest_archive_name)"
repo="$(borg_repo_url)"

if [ -z "$archive" ] || [ -z "$repo" ]; then
  echo "Could not resolve Borg repo/archive from borg-ui database" >&2
  exit 1
fi

# Stufe 1: Traefik-Dateien aus Borg (dynamic/ + letsencrypt/)
# Secrets/ wird bewusst NICHT extrahiert (enthaelt CF-Token)
borg_extract "/restore/traefik-extract" \
  "local/appdata/traefik/dynamic" \
  "local/appdata/traefik/letsencrypt"

if [ ! -d "$EXTRACT_DIR/local/appdata/traefik/dynamic" ]; then
  echo "Traefik dynamic/ path missing in Borg archive" >&2
  exit 1
fi

cp -a "$EXTRACT_DIR/local/appdata/traefik/dynamic" "$RESTORE_ROOT/dynamic"
cp -a "$EXTRACT_DIR/local/appdata/traefik/letsencrypt" "$RESTORE_ROOT/letsencrypt"
chmod -R a+rX "$RESTORE_ROOT/dynamic" "$RESTORE_ROOT/letsencrypt"

# Stufe 2: Datei-Checks
dynamic_files="$(find "$RESTORE_ROOT/dynamic" -type f | wc -l)"
acme_size="$(stat -c %s "$RESTORE_ROOT/letsencrypt/acme.json" 2>/dev/null || echo 0)"

# Stufe 3: Traefik starten
docker compose -f "$COMPOSE_FILE" up -d restoretest-traefik >/dev/null

http_status=""
for _ in $(seq 1 30); do
  http_status="$(curl -s -o /dev/null -w '%{http_code}' \
    http://127.0.0.1:18880/ping || true)"
  if [ "$http_status" = "200" ]; then
    break
  fi
  sleep 2
done

if [ "$http_status" != "200" ]; then
  echo "Traefik /ping smoke failed: status=$http_status" >&2
  docker logs --tail 60 restoretest-traefik >&2 || true
  exit 1
fi

write_report "$REPORT_FILE" <<EOF
# Traefik Restore Test Report - $(date +%F)

- Service: \`traefik\`
- Source repo: \`$repo\`
- Archive: \`$archive\`
- Restore root: \`$RESTORE_ROOT\`
- Test container: \`restoretest-traefik\`
- Test endpoint: \`http://127.0.0.1:18880/ping\`
- Result: \`SUCCESS\`

## Checks

- Borg extract of dynamic/: \`ok\` ($dynamic_files files)
- Borg extract of letsencrypt/: \`ok\` (acme.json ${acme_size} bytes)
- Traefik /ping health: \`$http_status\`

## Scope

Config-Restore + File-Provider-Boot + Ping-Health. Kein Docker-Provider
(docker.sock nicht gemountet), kein ACME/DNS-Challenge (CF-Token nicht
im Test), keine produktiven Ports.

## Notes

- Productive CF-Token under /mnt/user/appdata/traefik/secrets/ was NOT extracted or mounted.
- dynamic/ contains middlewares.yml and usersfile — Traefik loads them via File-Provider.
- acme.json is present and non-empty; TLS cert validity not tested in smoke.
- Test data was cleaned after success: \`$([ "$KEEP_DATA" -eq 1 ] && echo no || echo yes)\`
EOF

RESTORE_SUCCESS=1
echo "Traefik restore test ok -> $REPORT_FILE"