#!/usr/bin/env bash
set -euo pipefail

log() { echo "[start] $(date -Is) $*"; }
abort() { echo "[start] ERROR: $*" >&2; exit 1; }

# Defaults
: "${APP_PORT:=8080}"
: "${JENKINS_HOME:=/app/data/jenkins_home}"

log "Starting Jenkins CI/CD on port ${APP_PORT}"

# Ensure Jenkins home directory exists and is writable
mkdir -p "${JENKINS_HOME}"
chown -R cloudron:cloudron /app/data || true

# Set Jenkins environment variables
export JENKINS_HOME="${JENKINS_HOME}"
export JENKINS_OPTS="--httpPort=${APP_PORT} --httpListenAddress=0.0.0.0"

# Configure Jenkins for Cloudron with OIDC support
log "Configuring Jenkins for Cloudron environment with OIDC authentication"

# Create basic Jenkins configuration if not exists
if [[ ! -f "${JENKINS_HOME}/config.xml" ]]; then
    log "Creating initial Jenkins configuration with OIDC support"
    mkdir -p "${JENKINS_HOME}"
    
    # Create OIDC configuration if environment variables are provided
    if [[ -n "${CLOUDRON_OIDC_ISSUER_URL:-}" && -n "${CLOUDRON_OIDC_CLIENT_ID:-}" ]]; then
        log "Configuring OIDC authentication for Jenkins"
        mkdir -p "${JENKINS_HOME}/org.jenkinsci.plugins.openid_connect"
        
        # Create OIDC security realm configuration
        cat > "${JENKINS_HOME}/org.jenkinsci.plugins.openid_connect.OpenIdConnectSecurityRealm.xml" <<'OIDC_XML'
<?xml version='1.1' encoding='UTF-8'?>
<org.jenkinsci.plugins.openid_connect.OpenIdConnectSecurityRealm plugin="openid-connect@2.4">
  <issuer>${CLOUDRON_OIDC_ISSUER_URL}</issuer>
  <clientId>${CLOUDRON_OIDC_CLIENT_ID}</clientId>
  <clientSecret>${CLOUDRON_OIDC_CLIENT_SECRET}</clientSecret>
  <scopes>openid,email,profile</scopes>
  <usernameField>preferred_username</usernameField>
  <fullNameField>name</fullNameField>
  <emailField>email</emailField>
  <disableSslVerification>false</disableSslVerification>
  <logoutFromOpenidProvider>true</logoutFromOpenidProvider>
  <postLogoutRedirectUrl>${CLOUDRON_OIDC_REDIRECT_URI}</postLogoutRedirectUrl>
  <escapeHatchEnabled>false</escapeHatchEnabled>
  <escapeHatchUsername>admin</escapeHatchUsername>
  <escapeHatchSecret>jenkins-escape-hatch</escapeHatchSecret>
  <escapeHatchGroup>admin</escapeHatchGroup>
  <automanualconfigure>false</automanualconfigure>
  <wellKnownOpenIDConfigurationUrl></wellKnownOpenIDConfigurationUrl>
  <readTimeout>20</readTimeout>
  <connectTimeout>10</connectTimeout>
  <tokenServerUrl></tokenServerUrl>
  <authorizationServerUrl></authorizationServerUrl>
  <userInfoServerUrl></userInfoServerUrl>
  <userNameField></userNameField>
  <tokenFieldToCheckKey></tokenFieldToCheckKey>
  <tokenFieldToCheckValue></tokenFieldToCheckValue>
</org.jenkinsci.plugins.openid_connect.OpenIdConnectSecurityRealm>
OIDC_XML
    fi
    
    # Create basic config.xml for Jenkins
    cat > "${JENKINS_HOME}/config.xml" <<'XML'
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <version>2.450</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <disableRememberMe>false</disableRememberMe>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir>
  <buildsDir>${JENKINS_HOME}/builds/${ITEM_FULLNAME}</buildsDir>
  <markupFormatter class="hudson.markup.RawHtmlMarkupFormatter" plugin="antisamy-markup-formatter@3.1"/>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <slaves/>
  <scm class="hudson.scm.NullSCM"/>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>all</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>all</primaryView>
  <slaveAgentPort>50000</slaveAgentPort>
  <disabledAgentProtocols>
    <string>JNLP-connect</string>
    <string>JNLP2-connect</string>
  </disabledAgentProtocols>
  <label></label>
  <nodeProperties/>
  <globalNodeProperties/>
</hudson>
XML
fi

# Start Jenkins
log "Starting Jenkins WAR file"
exec java -jar /app/pkg/jenkins.war ${JENKINS_OPTS}