#!/bin/bash

## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Command tracing plus strict mode. Tracing is switched on first, so every
## later command (including those run by the sourced helper files) is echoed
## to stderr before it executes.
set -x
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
## inherit_errexit: command substitutions inherit errexit.
## shift_verbose: `shift` reports an error when the shift count exceeds the
## number of positional parameters.
shopt -s inherit_errexit
shopt -s shift_verbose

## No-op; its only effect is that the script name and arguments show up in
## the xtrace output.
true "INFO: Currently running script: ${BASH_SOURCE[0]} $*"

## NOTE(review): presumably provides 'nothing_to_commit', which is called
## further down - confirm.
source /usr/libexec/helper-scripts/git.sh

## XXX: hardcoded path
## Every file this script sources from, or rewrites in, the derivative-maker
## tree is resolved below this directory in the invoking user's home.
derivative_maker_source_code_dir="$HOME/derivative-maker"

## NOTE(review): presumably defines 'package-installed-check' and the colour
## variables (red, bold, reset) used in the error messages below - confirm.
source "$derivative_maker_source_code_dir/help-steps/pre"

## The installed copy of tb-updater is needed because its
## /usr/libexec/tb-updater/version-validator is sourced later on.
## NOTE(review): presumably aborts when the package is missing - confirm.
package-installed-check tb-updater

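## Abort the script unless "$1" is a usable version string.
##
## The value checked here is derived from a downloaded JSON document and is
## later written between double quotes into a shell-style assignment
## (tbb_hardcoded_version="..."). Besides the empty / "unknown" sentinels it
## is therefore restricted to characters that cannot close the quotes or
## start an expansion.
## NOTE(review): 'tbbversion' may already enforce a format; this check is
## kept as defense in depth - confirm the allowlist matches its output.
##
## Globals:   red, bold, reset (read)
## Arguments: $1 - version string to validate
## Outputs:   one FATAL ERROR line on stdout when the value is rejected
## Returns:   0 when the value is accepted; calls `exit 1` otherwise
version_check() {
   local version
   local -r allowed_version_regex='^[0-9A-Za-z][0-9A-Za-z._+~-]*$'

   ## "${1-}": a missing argument is reported as "empty" instead of
   ## tripping nounset with an unbound-variable message.
   version="${1-}"

   if [ "${version}" = "" ]; then
      printf '%s\n' "${red}${bold}FATAL ERROR: Invalid version (empty)!${reset}"
      exit 1
   fi
   ## Lower-cased so that "Unknown", "UNKNOWN", ... are rejected too.
   if [ "${version,,}" = "unknown" ]; then
      printf '%s\n' "${red}${bold}FATAL ERROR: Invalid version (unknown)!${reset}"
      exit 1
   fi
   ## Allowlist: must start with an alphanumeric character and contain only
   ## alphanumerics and . _ + ~ - afterwards. The rejected value itself is
   ## deliberately not printed.
   if [[ ! "${version}" =~ ${allowed_version_regex} ]]; then
      printf '%s\n' "${red}${bold}FATAL ERROR: Invalid version (unexpected characters)!${reset}"
      exit 1
   fi
}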

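## Refresh the hardcoded Tor Browser version files in the tb-updater package
## checkout and commit the result after the operator has reviewed the diff.
##
## Steps: refuse to run on a dirty tb-updater work tree, download the stable
## and the alpha update JSON, extract each version with 'tbbversion', check
## it with 'version_check', rewrite both tbb_hardcoded_version* files, show
## `git diff HEAD`, wait for enter, then `git add` and `git commit`.
##
## Globals:   derivative_maker_source_code_dir (read)
##            RecommendedTBBVersions (written, exported) - temp file path
##            tbb_version_stripped (read) - set by 'tbbversion'
##            red, bold, reset (read)
## Arguments: none
## Returns:   calls `exit 0` when there is nothing to commit and `exit 1`
##            on a detected failure; returns 0 after a successful commit.
pkg_tor_browser_version_update() {
   local tbb_hardcoded_version_file tbb_hardcoded_version_alpha_file \
      tbb_stable_json_url tbb_alpha_json_url \
      current_tbb_version current_tbb_alpha_version

   ## `source` tb-updater 'version-validator' script to get 'tbbversion' function.
   ## Uses environment variables RecommendedTBBVersions
   ## Do not `source` source code file location.
   #source "${derivative_maker_source_code_dir}/packages/kicksecure/tb-updater/usr/libexec/tb-updater/version-validator"
   ## Instead `source` system location because 'version-validator' requires '/usr/libexec/tb-updater/version-parser'.
   source /usr/libexec/tb-updater/version-validator

   tbb_hardcoded_version_file="${derivative_maker_source_code_dir}/packages/kicksecure/tb-updater/usr/share/tb-updater/tbb_hardcoded_version"
   tbb_hardcoded_version_alpha_file="${derivative_maker_source_code_dir}/packages/kicksecure/tb-updater/usr/share/tb-updater/tbb_hardcoded_version_alpha"
   tbb_stable_json_url='https://aus1.torproject.org/torbrowser/update_3/release/download-linux-x86_64.json'
   tbb_alpha_json_url='https://aus1.torproject.org/torbrowser/update_3/alpha/download-linux-x86_64.json'
   RecommendedTBBVersions="$(mktemp)"
   export RecommendedTBBVersions
   ## Leftover temp files are by design - left on disk so a developer
   ## can inspect them after a failure. Print the path on every exit
   ## path (including the early `exit 0` for "nothing to commit") so
   ## the operator can find it.
   ## The printf format is double-quoted on purpose: nested single quotes
   ## would end the single-quoted trap string early, the shell would then
   ## strip the backslash from the unquoted format, and the message would be
   ## printed with a trailing literal "n" and no newline.
   # shellcheck disable=SC2317
   trap 'printf "%s\n" "INFO: RecommendedTBBVersions tmp file kept for review: ${RecommendedTBBVersions}"' EXIT

   ## Require a clean work tree so that the diff shown to the operator, and
   ## the commit made below, contain nothing but the version update.
   pushd -- "${derivative_maker_source_code_dir}/packages/kicksecure/tb-updater"
   if ! nothing_to_commit; then
      printf '%s\n' "${red}${bold}FATAL ERROR: Uncommitted changes!${reset}"
      exit 1
   fi
   popd

   ## tbbversion requires: ${RecommendedTBBVersions}
   ## tbbversion sets: ${tbb_version_stripped}
   ## stderr of scurl is discarded; a failed download is only visible as the
   ## xtrace line followed by the errexit abort.
   2>/dev/null scurl --output "${RecommendedTBBVersions}" "${tbb_stable_json_url}"
   tbbversion || {
      printf '%s\n' "${red}${bold}FATAL ERROR: Could not parse stable TBB version JSON!${reset}"
      exit 1
   }
   # shellcheck disable=SC2154
   version_check "${tbb_version_stripped}"
   current_tbb_version="${tbb_version_stripped}"

   ## The same temp file is reused: the alpha JSON overwrites the stable one.
   ## NOTE(review): tbb_version_stripped still holds the stable value here;
   ## this relies on 'tbbversion' overwriting it or failing - confirm.
   2>/dev/null scurl --output "${RecommendedTBBVersions}" "${tbb_alpha_json_url}"
   tbbversion || {
      printf '%s\n' "${red}${bold}FATAL ERROR: Could not parse alpha TBB version JSON!${reset}"
      exit 1
   }
   # shellcheck disable=SC2154
   version_check "${tbb_version_stripped}"
   current_tbb_alpha_version="${tbb_version_stripped}"

   ## Replace each file: remove the old one, then let sponge (-a, append)
   ## write the single assignment line.
   safe-rm -f -- "${tbb_hardcoded_version_file}"
   printf '%s\n' "tbb_hardcoded_version=\"${current_tbb_version}\"" | sponge -a -- "${tbb_hardcoded_version_file}"

   ## NOTE(review): the alpha file uses the same variable name
   ## 'tbb_hardcoded_version' as the stable file; presumably intentional -
   ## confirm against the consumer of these files.
   safe-rm -f -- "${tbb_hardcoded_version_alpha_file}"
   printf '%s\n' "tbb_hardcoded_version=\"${current_tbb_alpha_version}\"" | sponge -a -- "${tbb_hardcoded_version_alpha_file}"

   pushd -- "${derivative_maker_source_code_dir}/packages/kicksecure/tb-updater"

   ## Upstream versions match what is already committed: done.
   if nothing_to_commit; then
      exit 0
   fi

   git diff HEAD

   ## Interactive gate: this script is meant to be run by hand. The
   ## read blocks until the operator presses enter, giving them a
   ## chance to inspect the diff before the commit. Non-interactive
   ## runs (CI etc.) will hang here.
   ## This is the human check on the downloaded version strings before they
   ## are committed. The input itself is discarded.
   true "press enter to continue"
   read -r _

   ## Stage only the two version files, by explicit path.
   git add -- 'usr/share/tb-updater/tbb_hardcoded_version'
   git add -- 'usr/share/tb-updater/tbb_hardcoded_version_alpha'
   git commit -m 'tbb_hardcoded_version update'

   popd

   ## Temp file is intentionally left on disk; the EXIT trap above
   ## prints its path so a developer can find and review it.
   true
}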

## Entry point. The function calls `exit` itself on failure and on the
## "nothing to commit" path, so the line below is only reached after a commit.
pkg_tor_browser_version_update

## No-op; with xtrace enabled it records that the script ran to the end.
true "$0: INFO: OK"
