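#!/usr/bin/env bash
# onx-db-user-create — create a MariaDB user account.
#
# Input (JSON, parsed by the onx_json_* helpers from _lib/common.sh):
#   {"db_user":"onx_xxx_user","password":"<plain>","host":"localhost",
#    "auth_plugin":"mysql_native_password|caching_sha2_password"}
# Output (JSON, emitted by json_ok):
#   {"db_user":...,"host":...,"auth_plugin":...,"created":true}
#
# Security notes:
#   - The script requires root and handles a plaintext password. The password
#     is never written to the log line or to any error message below; keep it
#     that way.
#   - auth_plugin is validated and echoed back in the output, but it is NOT
#     part of the CREATE USER statement: the server's default plugin applies.
#   - CREATE USER IF NOT EXISTS does nothing when the account already exists,
#     so "created":true is also reported for a pre-existing account whose
#     password was left unchanged.

# Fail closed if the script directory cannot be resolved: with an empty
# SCRIPT_DIR the source line below would load /_lib/common.sh as root.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" || {
    printf '%s\n' 'onx-db-user-create: cannot resolve script directory' >&2
    exit 1
}

# Without this check a missing library only prints an error and the script
# keeps running with every helper (require_root, onx_die, ...) undefined.
[[ -r "${SCRIPT_DIR}/_lib/common.sh" ]] || {
    printf '%s\n' "onx-db-user-create: cannot read ${SCRIPT_DIR}/_lib/common.sh" >&2
    exit 1
}
# shellcheck source=/dev/null
source "${SCRIPT_DIR}/_lib/common.sh"

require_root
require_cmd mysql
onx_json_input

DB_USER="$(onx_json_field db_user)"
PASSWORD="$(onx_json_field password)"
HOST="$(onx_json_field host 'localhost')"
AUTH_PLUGIN="$(onx_json_field auth_plugin 'mysql_native_password')"

# Required fields.
[[ -n "$DB_USER" ]]  || onx_die 1 "db_user zorunlu"
[[ -n "$PASSWORD" ]] || onx_die 1 "password zorunlu"

# Allow-list validation. DB_USER and HOST are interpolated into the SQL
# statement and into the JSON output further down, so these patterns are the
# only thing keeping quotes and backslashes out of both.
# NOTE(review): the rejected value is echoed back in the error text; confirm
# onx_die neutralises control characters before it reaches a log.
[[ "$DB_USER" =~ ^onx_[a-z0-9]+_[a-z0-9_]+$ ]] || \
    onx_die 1 "Gecersiz db_user: '${DB_USER}'"
[[ "$AUTH_PLUGIN" =~ ^(mysql_native_password|caching_sha2_password)$ ]] || \
    onx_die 1 "Gecersiz auth_plugin: '${AUTH_PLUGIN}'"
# NOTE(review): '%' and '_' are wildcards in MariaDB host patterns, so a
# caller can request an account reachable from any host (host="%"). Confirm
# that this is intended for every caller of this script.
[[ "$HOST" =~ ^[a-zA-Z0-9.%_-]+$ ]] || onx_die 1 "Gecersiz host: '${HOST}'"

# The password is deliberately absent from the log line.
onx_log "db-user-create: user=${DB_USER}@${HOST} plugin=${AUTH_PLUGIN}"

# An existing account is not an error: the statement uses IF NOT EXISTS.
# Author's notes: MariaDB accepts IDENTIFIED BY 'pass' (default plugin) and
# rejects the MySQL 8 form IDENTIFIED WITH plugin BY 'pass'; MariaDB 10.4+
# picks mysql_native_password by itself, so no plugin is selected here.
#
# PASSWORD is customer-controlled and has NO regex guard, so it is passed
# through onx_sql_quote to close the SQL-literal breakout (ADD-01).
# NOTE(review): onx_sql_quote is defined outside this file. Because the result
# is wrapped in single quotes here, it must escape both ' and \ and must not
# add surrounding quotes of its own — verify against _lib/common.sh.
# NOTE(review): if mysql_exec_root hands the statement to the client as a
# command-line argument, the plaintext password is visible in the process
# list while the client runs; prefer feeding the SQL over stdin.
PASSWORD_SQL="$(onx_sql_quote "${PASSWORD}")"
mysql_exec_root "" "CREATE USER IF NOT EXISTS '${DB_USER}'@'${HOST}' IDENTIFIED BY '${PASSWORD_SQL}';" \
    || onx_die 3 "CREATE USER basarisiz: ${DB_USER}@${HOST}"

# Every interpolated value passed the allow-list patterns above, none of which
# admits '"' or '\', so the hand-built JSON cannot be broken out of.
json_ok "{\"db_user\":\"${DB_USER}\",\"host\":\"${HOST}\",\"auth_plugin\":\"${AUTH_PLUGIN}\",\"created\":true}"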
