#!/bin/bash

set -Eeuo pipefail

if [[ "$UID" -ne 0 ]]; then
  echo "This command must be run as root!"
  exit 1
fi

if [ "$#" -lt 1 ]; then
  echo "Usage: $0 <bootc-target-image> [qcow2-target-image]"
  exit 1
fi

TARGET_IMAGE="$1"
QCOW2_TARGET_IMAGE="${2:-}"

# Parses the target image to get the tag and registry
# Example: myregistry.com/myimage:tag -> (myregistry.com/myimage + tag)
if [[ "$TARGET_IMAGE" == *":"* ]]; then
  TARGET_IMAGE_NAME="${TARGET_IMAGE%%:*}"
  TARGET_IMAGE_TAG="${TARGET_IMAGE##*:}"
else
  TARGET_IMAGE_NAME="$TARGET_IMAGE"
  TARGET_IMAGE_TAG="latest"
  TARGET_IMAGE="${IMAGE_NAME}:latest"
fi

# Compute the qcow2 target image if not provided
if [ -z "$QCOW2_TARGET_IMAGE" ]; then
  QCOW2_TARGET_IMAGE="${TARGET_IMAGE_NAME}-qcow2:${TARGET_IMAGE_TAG}"
fi

OCI_REGISTRY="${TARGET_IMAGE%%/*}"
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

if [ ! -f "$PROJECT_DIR/signing-key.pass" ]; then
  openssl rand -base64 30 > "$PROJECT_DIR/signing-key.pass"
  chmod 600 "$PROJECT_DIR/signing-key.pass"
fi

if [ ! -f "$PROJECT_DIR/signing-key.pub" ]; then
  skopeo generate-sigstore-key --output-prefix "$PROJECT_DIR/signing-key" --passphrase-file "$PROJECT_DIR/signing-key.pass"
fi

if [ ! -f "/etc/containers/registries.d/${OCI_REGISTRY}.yaml" ]; then
  tee "/etc/containers/registries.d/${OCI_REGISTRY}.yaml" > /dev/null <<EOF
docker:
  ${OCI_REGISTRY}:
    use-sigstore-attachments: true
EOF
fi

export REGISTRY_AUTH_FILE="$PROJECT_DIR/auth.json"
if [ ! -f "$REGISTRY_AUTH_FILE" ]; then
  echo "Please enter your credentials for ${OCI_REGISTRY}:"
  podman login "${OCI_REGISTRY}"

  echo "Please enter your credentials for registry.redhat.io:"
  podman login registry.redhat.io
fi

if [ -x "$PWD/custom.sh" ]; then
  echo "Running custom.sh..."
  "$PWD/custom.sh"
fi

echo "Building and pushing image $TARGET_IMAGE..."
podman build --no-cache -t "${TARGET_IMAGE}" .
podman push --sign-by-sigstore-private-key "$PROJECT_DIR/signing-key.private" --sign-passphrase-file "$PROJECT_DIR/signing-key.pass" "${TARGET_IMAGE}"

echo "Building and pushing image $QCOW2_TARGET_IMAGE..."
temp_dir="$(mktemp -d)"
trap 'rm -rf "$temp_dir"' EXIT

function bootc_image_builder () {
  local config="$1"
  shift
  podman run --rm -it --privileged --pull=newer --security-opt label=type:unconfined_t -v "$config:/$(basename $config):ro" \
             -v $temp_dir:/output -v /var/lib/containers/storage:/var/lib/containers/storage \
             registry.redhat.io/rhel10/bootc-image-builder:latest --config "/$(basename $config)" "$@"
}

bootc_image_builder "$PROJECT_DIR/config.toml" --type qcow2 "$TARGET_IMAGE"
podman artifact add "$QCOW2_TARGET_IMAGE" "$temp_dir/qcow2/disk.qcow2"
podman artifact push --sign-by-sigstore-private-key "$PROJECT_DIR/signing-key.private" --sign-passphrase-file "$PROJECT_DIR/signing-key.pass" "$QCOW2_TARGET_IMAGE"
podman artifact rm "$QCOW2_TARGET_IMAGE"