#!/bin/bash

set -e

# Include certificate generation functions.
. /app/cert-functions.sh

# Setup default storage location, account name and accounts file path.
AZURITE_DIR="/storage"

# Check, if the AZURITE_ACCOUNTS variable is set
if [[ -z "$AZURITE_ACCOUNTS" ]]; then
    # Generate a default account
    export AZURITE_ACCOUNTS="devstoreaccount1:$(openssl rand -base64 32)"
fi

# Look up the account name from the AZURITE_ACCOUNTS variable, which is in the format "accountName:accountKey1:accountKey2;accountName2:accountKey1:accountKey2"
ACCOUNT_NAME=$(echo "$AZURITE_ACCOUNTS" | cut -f 1 -d ';' | cut -f 1 -d ':')

# Ensure /etc/hosts contains an entry the Azure endpoint names,
# so Caddy can route requests to the correct service based on the hostname.
if ! grep -qE "${ACCOUNT_NAME}\.blob\.core\.windows\.net" /etc/hosts ||
   ! grep -qE "${ACCOUNT_NAME}\.queue\.core\.windows\.net" /etc/hosts ||
   ! grep -qE "${ACCOUNT_NAME}\.table\.core\.windows\.net" /etc/hosts; then
    echo -e "\n127.0.0.1\t${ACCOUNT_NAME}.blob.core.windows.net ${ACCOUNT_NAME}.queue.core.windows.net ${ACCOUNT_NAME}.table.core.windows.net" >> /etc/hosts
fi

CADDY=true
AZURITE_SSL=""
CERT_ARGS=()
OAUTH_ARGS=()

while [[ $# -gt 0 ]]; do
    case "$1" in
        --oauth)
            OAUTH_ARGS=("--oauth" "basic")
            # Ensure Caddy is disabled when using OAuth, as Azurite does not support OAuth behind a reverse proxy.
            CADDY=""
            AZURITE_SSL=true
            shift
            ;;
        --ssl)
            AZURITE_SSL=true
            # Ensure Caddy is disabled when using Azurite's built-in SSL support.
            CADDY=""
            shift
            ;;
        --no-caddy)
            # Disable Caddy, but do not enable SSL for Azurite.
            CADDY=""
            shift
            ;;
        *)
            echo "Unknown argument: $1"
            exit 1
            ;;
    esac
done

# Ensure certificates are generated before starting Azurite or Caddy.
if [[ -n "$AZURITE_SSL" || -n "$CADDY" ]]; then
    if ! make_ca "$AZURITE_DIR"; then
        echo "Error: Failed to create CA certificate and key." >&2
        exit 1
    fi

    if ! make_server_cert "$ACCOUNT_NAME" "$AZURITE_DIR"; then
        echo "Error: Failed to create server certificate and key." >&2
        exit 1
    fi
fi

if [[ -n "$CADDY" ]]; then
    # If using Caddy, it will reverse proxy blob, queue, and table endpoints to different ports on localhost,
    # allowing simultaneous access to all services on a single HTTPS port.
    # Generate a Caddyfile configuration based on the account name and storage directory.
    sed -E "s/__ACCOUNT_NAME__/${ACCOUNT_NAME}/g; s|__AZURITE_DIR__|${AZURITE_DIR}|g" /app/Caddyfile.example > "$AZURITE_DIR/Caddyfile"
    echo "Starting Caddy server..."
    caddy start --config "$AZURITE_DIR/Caddyfile" # Use start not run, start does not block the shell process.
else
    # If not using Caddy, configure Azurite to listen on all interfaces and use the generated self-signed certificate.
    # This mode does not require Caddy, but it will not allow simultaneous access to the table and queue services on the same HTTPS port.
    if [[ -n "$AZURITE_SSL" ]]; then
        CERT_ARGS=("--key" "$AZURITE_DIR/${ACCOUNT_NAME}_key.pem" "--cert" "$AZURITE_DIR/${ACCOUNT_NAME}_cert.pem")
    fi
fi

# Start Azurite with the appropriate arguments based on the configuration.
exec node /app/azurite/src/azurite.js \
    --disableTelemetry \
    --location "$AZURITE_DIR" \
    --blobHost 0.0.0.0 --queueHost 0.0.0.0 --tableHost 0.0.0.0 \
    "${CERT_ARGS[@]}" "${OAUTH_ARGS[@]}"