#!/usr/bin/env bash
#
# onx-cert-backups-list — Bir domain için mevcut cert backup'larını listele.
# Rollback UI'sinde "hangi tarihe dönmek istiyorsun?" seçenekleri için.
#
# Stdin (JSON):
#   {"domain":"example.com"}
#
# Stdout (JSON):
#   {
#     "ok": true,
#     "domain": "example.com",
#     "backups": [
#       {"id":"20260518_103045","created_at":"2026-05-18T10:30:45Z","expires_at":"2026-08-17T..."},
#       ...
#     ]
#   }

set -uo pipefail

SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
source "${SCRIPT_DIR}/_lib/common.sh"

onx_json_input
DOMAIN=$(onx_json_field "domain")

[[ -z "${DOMAIN}" ]] && onx_die 1 "domain gerekli"

ACME_HOME=""
for c in /usr/local/onoxsoft/acme.sh /etc/onoxsoft/acme.sh /root/.acme.sh /opt/onoxsoft/acme.sh; do
    if [[ -d "${c}/${DOMAIN}" ]]; then
        ACME_HOME="${c}"
        break
    fi
done

# Yoksa boş liste döndür (hata değil)
if [[ -z "${ACME_HOME}" ]]; then
    jq -nc --arg dom "${DOMAIN}" '{ok:true,domain:$dom,backups:[]}'
    exit 0
fi

BACKUP_DIR="${ACME_HOME}/${DOMAIN}/backup"
DOMAIN_DIR="${ACME_HOME}/${DOMAIN}"

BACKUPS_JSON="[]"

# Klasik backup/<id>/ formatı
if [[ -d "${BACKUP_DIR}" ]]; then
    while IFS= read -r dir; do
        local_id=$(basename "${dir}")
        # Cert dosyasını bul
        cert_path="${dir}/fullchain.cer"
        [[ ! -f "${cert_path}" ]] && cert_path="${dir}/${DOMAIN}.cer"

        if [[ -f "${cert_path}" ]]; then
            not_after=$(openssl x509 -enddate -noout -in "${cert_path}" 2>/dev/null | sed 's/^notAfter=//')
            exp_iso=""
            [[ -n "${not_after}" ]] && exp_iso=$(date -d "${not_after}" -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")

            created_iso=""
            if [[ "${local_id}" =~ ^([0-9]{4})([0-9]{2})([0-9]{2})_([0-9]{2})([0-9]{2})([0-9]{2})$ ]]; then
                created_iso="${BASH_REMATCH[1]}-${BASH_REMATCH[2]}-${BASH_REMATCH[3]}T${BASH_REMATCH[4]}:${BASH_REMATCH[5]}:${BASH_REMATCH[6]}Z"
            else
                created_iso=$(stat -c %y "${dir}" 2>/dev/null | sed 's/ /T/;s/\..*//' || echo "")
                [[ -n "${created_iso}" ]] && created_iso="${created_iso}Z"
            fi

            BACKUPS_JSON=$(echo "${BACKUPS_JSON}" | jq -c --arg id "${local_id}" --arg created "${created_iso}" --arg exp "${exp_iso}" \
                '. + [{id:$id, created_at:($created | if . == "" then null else . end), expires_at:($exp | if . == "" then null else . end)}]')
        fi
    done < <(find "${BACKUP_DIR}" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | sort -r)
fi

# *.bak fallback
if [[ "${BACKUPS_JSON}" == "[]" ]] && [[ -f "${DOMAIN_DIR}/fullchain.cer.bak" ]]; then
    not_after=$(openssl x509 -enddate -noout -in "${DOMAIN_DIR}/fullchain.cer.bak" 2>/dev/null | sed 's/^notAfter=//')
    exp_iso=""
    [[ -n "${not_after}" ]] && exp_iso=$(date -d "${not_after}" -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "")
    created_iso=$(stat -c %y "${DOMAIN_DIR}/fullchain.cer.bak" 2>/dev/null | sed 's/ /T/;s/\..*//')
    [[ -n "${created_iso}" ]] && created_iso="${created_iso}Z"

    BACKUPS_JSON=$(jq -nc --arg id "_internal_bak" --arg created "${created_iso}" --arg exp "${exp_iso}" \
        '[{id:$id,created_at:($created | if . == "" then null else . end),expires_at:($exp | if . == "" then null else . end),note:"acme.sh internal .bak"}]')
fi

jq -nc \
    --arg dom "${DOMAIN}" \
    --argjson backups "${BACKUPS_JSON}" \
    '{ok:true,domain:$dom,backups:$backups}'

exit 0
