#!/usr/bin/env bash
# =============================================================================
# onx-default-page-restore — Restore customer's `.user-bak` index.html (v87)
#
# Purpose:
#   After an unsuspend (or admin-driven revert), bring back the customer's
#   original `index.html` by renaming `index.html.user-bak` → `index.html`.
#   If no backup exists but the current `index.html` is OUR placeholder,
#   simply remove it (so the docroot becomes empty and the web server falls
#   through to its default behaviour — usually 403 + directory index off).
#
# Use-cases:
#   1. onx-user-unsuspend post-hook: restore user content after suspend.
#   2. Admin manual revert: remove placeholder w/o creating a customer site.
#
# Input (stdin JSON):
#   {
#     "username":   "onx_xxxx",                       -- required
#     "docroot":    "/home/users/onx_xxxx/public_html", -- required
#     "remove_if_no_backup": true                       -- optional, default true
#   }
#
# Output (stdout JSON):
#   {
#     "ok": true,
#     "restored_from": "/home/.../public_html/index.html.user-bak" | null,
#     "removed_placeholder": false,
#     "current_state": "user-content|none|placeholder|new-placeholder",
#     "skipped": false
#   }
#
# Exit codes: 0=ok 1=invalid-input 2=preflight-fail 3=exec-fail
#
# Sudoers entry:
#   apache ALL=(root) NOPASSWD: /usr/local/onoxsoft/bin/onx-default-page-restore
#
# Deployed to: /usr/local/onoxsoft/bin/onx-default-page-restore
# =============================================================================

# Strict mode: abort on unhandled errors, unset variables and failed pipeline stages.
set -euo pipefail

# The header's sudoers entry runs this script as root, so the helper library
# sourced below is root-privileged code as well. SCRIPT_DIR is the directory of
# this script after symlink resolution (readlink -f).
# NOTE(review): confirm that directory and _lib/ are root-owned and not writable
# by any other account, and that sudoers applies a secure_path — jq, getent, mv,
# chown etc. are all resolved through PATH.
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
# shellcheck source=_lib/common.sh
source "${SCRIPT_DIR}/_lib/common.sh"

# Marker string searched for in index.html to recognise our own placeholder page.
PLACEHOLDER_MARKER="ONOX-PLACEHOLDER"
# Group candidates for the restored file: DEFAULT_GROUP is tried first, then
# each ALT_GROUPS entry in order.
DEFAULT_GROUP="onoxsoft-users"
ALT_GROUPS=(
    "apache"
    "nginx"
    "webserver"
    "nobody"
)

# ── Dependencies ──────────────────────────────────────────────────────────────
# jq builds the JSON payload for the deploy helper; exit code 2 = preflight-fail.
if ! command -v jq >/dev/null 2>&1; then
    onx_die 2 "jq required"
fi
require_root

# ── Read & parse stdin ────────────────────────────────────────────────────────
# The whole request is read from stdin and must parse as JSON before use.
INPUT="$(cat)"
onx_require_json "${INPUT}"

# Field extraction is delegated to the helpers from _lib/common.sh.
USERNAME="$(onx_json_get "${INPUT}" "username")"
DOCROOT="$(onx_json_get "${INPUT}" "docroot" "")"
REMOVE_IF_NO_BAK="$(onx_json_get_bool "${INPUT}" "remove_if_no_backup" "true")"

# ── Input validation ──────────────────────────────────────────────────────────
# These values steer file operations performed as root, so they are checked
# before anything touches the filesystem. Exit code 1 = invalid-input.
onx_validate_username "${USERNAME}"
if [[ -z "${DOCROOT}" ]]; then
    onx_die 1 "docroot is required"
fi
# Lexical allow-list only: '*' also matches '/', so the third pattern accepts
# any path with at least two components under /home/ and already covers the
# first two.
# NOTE(review): nothing here ties DOCROOT to USERNAME, and the path is not
# canonicalised, so symlinked components are not detected — confirm the caller
# enforces the account ↔ docroot binding, or add that check here.
if [[ "${DOCROOT}" != /home/*/public_html \
   && "${DOCROOT}" != /home/*/public_html/ \
   && "${DOCROOT}" != /home/*/* ]]; then
    onx_die 1 "docroot must be under /home/: '${DOCROOT}'"
fi
# Any '..' substring is refused outright (this also rejects names such as "a..b").
if [[ "${DOCROOT}" == *".."* ]]; then
    onx_die 1 "docroot contains '..' — refused"
fi

# ── Preflight ─────────────────────────────────────────────────────────────────
# A missing docroot is not an error: report a skipped no-op and stop.
# -d follows symlinks, so a docroot that is a symlink to a directory passes.
# NOTE(review): confirm whether a symlinked docroot should be accepted, given
# that the operations that follow run as root inside it.
[[ -d "${DOCROOT}" ]] || {
    onx_log "default-page-restore: docroot missing, skip user=${USERNAME}"
    onx_json_out \
        "ok"                  "true" \
        "restored_from"       "null" \
        "removed_placeholder" "false" \
        "current_state"       "none" \
        "skipped"             "true"
    exit 0
}

# Both paths live directly in the docroot; the backup is index.html + ".user-bak".
INDEX_PATH="${DOCROOT}/index.html"
BACKUP_PATH="${DOCROOT}/index.html.user-bak"

# Determine target group (same logic as deploy — Apache/Nginx serve groups):
# the first candidate that getent can resolve wins.
TARGET_GROUP=""
for grp in "${DEFAULT_GROUP}" "${ALT_GROUPS[@]}"; do
    getent group "${grp}" >/dev/null 2>&1 || continue
    TARGET_GROUP="${grp}"
    break
done
# No candidate resolved → fall back to a group named after the account.
# NOTE(review): presumably a per-user group exists — confirm; the later chown
# is best-effort, so a missing group would go unnoticed.
if [[ -z "${TARGET_GROUP}" ]]; then
    TARGET_GROUP="${USERNAME}"
fi

# The file is handed back to the account when it exists; otherwise it stays
# root-owned.
if id "${USERNAME}" >/dev/null 2>&1; then
    OWNER_USER="${USERNAME}"
else
    OWNER_USER="root"
fi

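# ── Case 1: backup exists → restore it (atomic rename) ───────────────────────
# This runs as root inside a directory the customer can write to, so each step
# must act on the directory entry itself and never on whatever a symlink placed
# there points at. [[ -f ]] follows symlinks, and a customer's own index.html
# may legitimately be a symlink, so a symlinked backup is still restored — only
# the ownership/mode fix-ups are made symlink-safe.
if [[ -f "${BACKUP_PATH}" ]]; then
    # rename within the same FS is atomic, no torn read. -T (GNU mv) treats
    # index.html strictly as the destination name: if a directory sits there
    # the rename fails (exit 3) instead of the backup being moved *into* it and
    # the directory then being chown'ed/chmod'ed below.
    if ! mv -f -T -- "${BACKUP_PATH}" "${INDEX_PATH}"; then
        onx_die 3 "failed to rename ${BACKUP_PATH} → ${INDEX_PATH}"
    fi
    # Re-assert ownership / mode — backup may have been root-owned during suspend.
    # Both steps stay best-effort, but a failure is now logged instead of being
    # discarded. chown -h changes the entry itself, never a symlink's target.
    if ! chown -h -- "${OWNER_USER}:${TARGET_GROUP}" "${INDEX_PATH}" 2>/dev/null; then
        onx_log "WARN: default-page-restore: chown failed on ${INDEX_PATH} user=${USERNAME}"
    fi
    # chmod always dereferences symlinks, so it is skipped for a symlinked index.
    # NOTE(review): this check-then-chmod can still race with a concurrent change
    # by the docroot owner; doing the file operations with the account's own
    # privileges would close that window.
    if [[ -L "${INDEX_PATH}" ]]; then
        onx_log "default-page-restore: ${INDEX_PATH} is a symlink, mode left untouched user=${USERNAME}"
    elif ! chmod 0644 -- "${INDEX_PATH}" 2>/dev/null; then
        onx_log "WARN: default-page-restore: chmod failed on ${INDEX_PATH} user=${USERNAME}"
    fi
    # Re-apply the SELinux label when the tool is available (best-effort).
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "${INDEX_PATH}" 2>/dev/null || true
    fi
    onx_log "default-page-restore: restored ${BACKUP_PATH} → ${INDEX_PATH} user=${USERNAME}"
    onx_json_out \
        "ok"                  "true" \
        "restored_from"       "${BACKUP_PATH}" \
        "removed_placeholder" "false" \
        "current_state"       "user-content" \
        "skipped"             "false"
    exit 0
fi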

# ── Case 2: no backup, but current index.html is our placeholder ─────────────
# v3.68 FIX: the OLD behaviour was a plain rm → the docroot was left EMPTY →
# OLS/Apache served a raw 404/403 (what the operator saw as "404 after moving
# an account from suspended to active"). If the customer never uploaded any
# content (new/empty account), the suspended placeholder is now REPLACED with
# the branded "new" (your account is ready) page instead of being DELETED, so
# an active-but-empty docroot shows the branded page rather than the raw web
# server page. If default-page-deploy is missing or fails, fall back to the old
# rm behaviour (safety net).
if [[ -f "${INDEX_PATH}" ]] && grep -q -F "${PLACEHOLDER_MARKER}" "${INDEX_PATH}" 2>/dev/null; then
    # Caller opted out of touching the placeholder → report it and stop.
    if [[ "${REMOVE_IF_NO_BAK}" != "true" ]]; then
        onx_log "default-page-restore: placeholder present but remove_if_no_backup=false user=${USERNAME}"
        onx_json_out \
            "ok"                  "true" \
            "restored_from"       "null" \
            "removed_placeholder" "false" \
            "current_state"       "placeholder" \
            "skipped"             "true"
        exit 0
    fi

    # Preferred path: let the sibling deploy helper overwrite the placeholder.
    # jq --arg passes username/docroot as data, so they cannot alter the
    # payload's structure. The helper's own output is discarded; only its exit
    # status is used.
    DEPLOY_BIN="${SCRIPT_DIR}/onx-default-page-deploy"
    if [[ -x "${DEPLOY_BIN}" ]]; then
        NEW_PAYLOAD=$(jq -nc --arg u "${USERNAME}" --arg r "${DOCROOT}" \
            '{username:$u, domain:"", state:"new", docroot:$r, lang:"tr", force:true}')
        if printf '%s\n' "${NEW_PAYLOAD}" | "${DEPLOY_BIN}" >/dev/null 2>&1; then
            onx_log "default-page-restore: no backup → deployed 'new' branded page user=${USERNAME}"
            onx_json_out \
                "ok"                  "true" \
                "restored_from"       "null" \
                "removed_placeholder" "false" \
                "current_state"       "new-placeholder" \
                "skipped"             "false"
            exit 0
        fi
        onx_log "WARN: default-page-restore new-deploy failed → fallback rm user=${USERNAME}"
    fi

    # Fallback: helper missing or failed → remove the placeholder. rm unlinks
    # the directory entry itself, so a symlinked index.html loses only the link.
    rm -f "${INDEX_PATH}" || onx_die 3 "failed to remove placeholder ${INDEX_PATH}"
    onx_log "default-page-restore: placeholder removed (no backup, deploy unavailable) user=${USERNAME}"
    onx_json_out \
        "ok"                  "true" \
        "restored_from"       "null" \
        "removed_placeholder" "true" \
        "current_state"       "none" \
        "skipped"             "false"
    exit 0
fi

# ── Cases 3 & 4: nothing of ours to undo → report a skipped no-op ────────────
# Reached only when there is no backup and index.html does not carry the
# placeholder marker.
if [[ ! -f "${INDEX_PATH}" ]]; then
    # Case 4: no index.html at all → no-op. The script ends here with the
    # status of the final onx_json_out call.
    onx_log "default-page-restore: no index.html, no backup user=${USERNAME}"
    onx_json_out \
        "ok"                  "true" \
        "restored_from"       "null" \
        "removed_placeholder" "false" \
        "current_state"       "none" \
        "skipped"             "true"
else
    # Case 3: index.html is user content (no marker) → leave it alone.
    onx_log "default-page-restore: user content already in place user=${USERNAME}"
    onx_json_out \
        "ok"                  "true" \
        "restored_from"       "null" \
        "removed_placeholder" "false" \
        "current_state"       "user-content" \
        "skipped"             "true"
    exit 0
fi
