#!/usr/bin/env bash

set -euo pipefail

# Security: Validate input parameters to prevent command injection
sanitized_input() {
    local input="$1"
    # Check for potentially dangerous characters/commands
    case "$input" in
        *[\;\|\&\`\$]*)
            echo "Error: Invalid input detected: $input" >&2
            exit 1
            ;;
    esac
}

# Validate dependencies
if ! command -v docker &> /dev/null; then
    echo "Error: docker is required but not installed." >&2
    exit 1
fi

if ! docker buildx version &> /dev/null; then
    echo "Error: docker buildx is required but not available." >&2
    exit 1
fi

IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-base"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Sanitize user input
USER_ID="${USER_ID_OVERRIDE:-$(id -u)}"
sanitized_input "$USER_ID"
GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}"
sanitized_input "$GROUP_ID"
USERNAME="${USERNAME_OVERRIDE:-toolbox}"
sanitized_input "$USERNAME"
TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}"
sanitized_input "$TEA_VERSION"
BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}"
sanitized_input "$BUILDER_NAME"
CACHE_DIR="${SCRIPT_DIR}/.build-cache"
TAG="${TAG_OVERRIDE:-dev}"
sanitized_input "$TAG"
RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}"
sanitized_input "$RELEASE_TAG"
VERSION_TAG="${VERSION_TAG_OVERRIDE:-}"
if [[ -n "$VERSION_TAG" ]]; then
    sanitized_input "$VERSION_TAG"
fi
PUSH="${PUSH_OVERRIDE:-false}"

echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USERNAME}"
echo "Primary tag: ${TAG}"

if ! docker buildx inspect "${BUILDER_NAME}" >/dev/null 2>&1; then
    echo "Creating builder: ${BUILDER_NAME}"
    docker buildx create --driver docker-container --name "${BUILDER_NAME}" --use >/dev/null
else
    echo "Using existing builder: ${BUILDER_NAME}"
    docker buildx use "${BUILDER_NAME}" >/dev/null
fi

mkdir -p "${CACHE_DIR}"

echo "Starting build..."
docker buildx build \
    --builder "${BUILDER_NAME}" \
    --load \
    --progress=plain \
    --build-arg USER_ID="${USER_ID}" \
    --build-arg GROUP_ID="${GROUP_ID}" \
    --build-arg USERNAME="${USERNAME}" \
    --build-arg TEA_VERSION="${TEA_VERSION}" \
    --cache-from "type=local,src=${CACHE_DIR}" \
    --cache-to "type=local,dest=${CACHE_DIR},mode=max" \
    --tag "${IMAGE_NAME}:${TAG}" \
    "${SCRIPT_DIR}"

if [[ "${PUSH}" == "true" ]]; then
    echo "Pushing ${IMAGE_NAME}:${TAG}"
    docker push "${IMAGE_NAME}:${TAG}"

    if [[ "${TAG}" == "dev" && -n "${VERSION_TAG}" ]]; then
        docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${VERSION_TAG}"
        echo "Pushing ${IMAGE_NAME}:${VERSION_TAG}"
        docker push "${IMAGE_NAME}:${VERSION_TAG}"
    fi

    if [[ "${TAG}" == "dev" ]]; then
        docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${RELEASE_TAG}"
        echo "Pushing ${IMAGE_NAME}:${RELEASE_TAG}"
        docker push "${IMAGE_NAME}:${RELEASE_TAG}"
    fi
fi

echo "Build completed successfully."

# Run security scan if TRIVY is available
if command -v trivy &> /dev/null; then
    echo "Running security scan with Trivy..."
    trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}:${TAG}"
else
    echo "Trivy not found. Install Trivy to perform security scanning."
fi