#!/usr/bin/env bash
# =============================================================================
# onx-ftp-pure-user-passwd — Pure-FTPd PureDB sifre degisikligi (cPanel pattern)
#
# v88 Agent 3 — Default FTP User System.
# Account password change'inde tetiklenir; default FTP user'in sifresini sync eder.
#
# Input (stdin JSON):
#   {
#     "username":    "onx_xxxx",       -- required
#     "password":    "<plain>",        -- required (pure-pw hash yapar)
#     "puredb_path": "/etc/pure-ftpd/pureftpd.pdb",
#     "passwd_path": "/etc/pure-ftpd/pureftpd.passwd"
#   }
#
# Output: {"ok":true,"username":"onx_xxxx","updated":true,"mkdb_run":true}
# Exit codes: 0=ok 1=invalid-input 2=preflight 3=exec-fail
# =============================================================================

# Strict mode: abort on unhandled errors, on unset variables, and on a failure
# in any stage of a pipeline.
set -o errexit -o nounset -o pipefail

# Resolve the real directory of this script (symlinks followed) so the shared
# helper library is loaded from next to it rather than from the caller's cwd.
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
# shellcheck source=_lib/common.sh
. "${SCRIPT_DIR}/_lib/common.sh"

# Preflight: root privileges plus the two external tools used below.
require_root
if ! command -v jq &>/dev/null; then
    onx_die 2 "jq gerekli"
fi
if ! command -v pure-pw &>/dev/null; then
    onx_die 2 "pure-pw bulunamadi"
fi

# Read the JSON request from stdin (helper comes from _lib/common.sh).
onx_json_input

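# Extract the request fields from the JSON document read earlier.
# NOTE(review): the second argument to onx_json_field is presumably the default
# used when the key is absent; confirm against _lib/common.sh.
USERNAME=$(onx_json_field username)
PASSWORD=$(onx_json_field password)
PUREDB=$(onx_json_field   puredb_path "/etc/pure-ftpd/pureftpd.pdb")
PASSWD=$(onx_json_field   passwd_path "/etc/pure-ftpd/pureftpd.passwd")

# Required fields.
[[ -n "${USERNAME}" ]] || onx_die 1 "username zorunlu"
[[ -n "${PASSWORD}" ]] || onx_die 1 "password zorunlu"

# Only panel-managed accounts (onx_ prefix, lowercase/digits/underscore) may be
# touched. NOTE(review): the rejected value is echoed back verbatim; confirm
# that onx_die escapes it before it reaches logs or JSON output.
[[ "${USERNAME}" =~ ^onx_[a-z0-9_]{3,30}$ ]] || onx_die 1 "username gecersiz: ${USERNAME}"

# The password is later handed to pure-pw as two newline-terminated lines. An
# embedded line break would make pure-pw read only a fragment of the value, so
# the stored FTP password could silently differ from the account password this
# script is meant to mirror. FTP commands are CRLF-terminated as well, so such
# a password could never be used to log in; reject it as invalid input.
if [[ "${PASSWORD}" == *$'\n'* || "${PASSWORD}" == *$'\r'* ]]; then
    onx_die 1 "password satir sonu karakteri iceremez"
fi

# Both paths come from the request and are handed to pure-pw while running as
# root. Requiring absolute paths keeps a value that starts with '-' from being
# parsed as an option and removes any dependence on the caller's working
# directory.
# NOTE(review): consider also pinning these to an allow-listed directory, since
# mkdb writes its output to whatever puredb_path names.
[[ "${PUREDB}" == /* ]] || onx_die 1 "puredb_path mutlak yol olmali"
[[ "${PASSWD}" == /* ]] || onx_die 1 "passwd_path mutlak yol olmali"

# Preflight: the virtual-user file must already exist.
[[ -f "${PASSWD}" ]] || onx_die 2 "pureftpd.passwd bulunamadi (${PASSWD})"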

# Does the user exist? Stop with a preflight error unless pure-pw can show the
# account in the passwd file; its output is discarded, only the status matters.
pure-pw show "${USERNAME}" -f "${PASSWD}" &>/dev/null \
    || onx_die 2 "FTP kullanici bulunamadi: ${USERNAME}"

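# pure-pw passwd asks for the new password twice; answer both prompts on stdin
# so the secret never appears in argv (printf is a shell builtin).
#
# The two lines are printed straight into the pipe rather than via an
# intermediate "$(...)" variable: command substitution strips trailing
# newlines, which left the second answer unterminated, and it kept one more
# copy of the plaintext in a shell variable.
#
# stdout is discarded together with stderr: pure-pw writes its prompts to
# stdout, and this script's stdout must carry only the final JSON result.
# NOTE(review): confirm the prompt stream for the packaged pure-pw version.
if ! printf '%s\n%s\n' "${PASSWORD}" "${PASSWORD}" \
    | pure-pw passwd "${USERNAME}" -f "${PASSWD}" >/dev/null 2>&1; then
    onx_die 3 "pure-pw passwd basarisiz: ${USERNAME}"
fi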

# Rebuild the PureDB file from the passwd file so the new hash is written to
# it. MKDB_RUN flips to "true" only when mkdb succeeds; otherwise the script
# stops with an exec failure, because the passwd file was updated but the
# PureDB was not synced.
MKDB_RUN="false"
pure-pw mkdb "${PUREDB}" -f "${PASSWD}" 2>/dev/null && MKDB_RUN="true"
[[ "${MKDB_RUN}" == "true" ]] \
    || onx_die 3 "pure-pw mkdb basarisiz (passwd guncellendi ama PureDB sync olmadi)"

# Record the change; only the username is logged, never the password.
onx_log "ftp-pure-user-passwd: user=${USERNAME}"

# Emit the result object on stdout. The username goes in as a JSON string and
# mkdb_run as a raw JSON boolean.
jq --null-input --compact-output \
    --argjson mkdb_run "${MKDB_RUN}" \
    --arg username "${USERNAME}" \
    '{ ok: true, username: $username, updated: true, mkdb_run: $mkdb_run }'
