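#!/usr/bin/env bash
#
# Upload a DSSE attestation envelope to Rekor, verify that the entry was
# included in the log, resolve the digest of the image it describes and emit
# a small JSON "provenance sidecar" tying image, envelope and Rekor entry
# together for downstream consumers.
#
# Required env:  IMAGE_REF     image reference, e.g. ghcr.io/org/app:tag
#                ATTEST_PATH   path to the DSSE envelope file
# Optional env:  REKOR_URL, REKOR_PUBLIC_KEY, KEY_REF, KEY_ID, KEY_ALGO,
#                KEY_ISSUER, IMAGE_DIGEST, OUT_META_JSON
# Outputs:       rekor-upload.json, rekor-entry.json and ${OUT_META_JSON}
#                in the current directory; diagnostics on stderr.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

for tool in rekor-cli jq sha256sum; do
  command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done

# Inputs (typically provided by CI/CD)
IMAGE_REF="${IMAGE_REF:?missing IMAGE_REF}"         # e.g. ghcr.io/org/app:tag
ATTEST_PATH="${ATTEST_PATH:?missing ATTEST_PATH}"   # DSSE envelope file path
REKOR_URL="${REKOR_URL:-https://rekor.sigstore.dev}"
KEY_REF="${KEY_REF:-cosign.key}"                    # could be KMS / keyless etc.
OUT_META_JSON="${OUT_META_JSON:-provenance-meta.json}"
# Public key used to validate the envelope signature at upload time. rekor-cli
# checks DSSE/in-toto entries against the signer's *public* key; whether the
# flag is mandatory depends on the rekor-cli version in use — confirm locally.
REKOR_PUBLIC_KEY="${REKOR_PUBLIC_KEY:-}"

[[ -r "${ATTEST_PATH}" ]] || die "attestation envelope not readable: ${ATTEST_PATH}"
[[ -s "${ATTEST_PATH}" ]] || die "attestation envelope is empty: ${ATTEST_PATH}"
# A plaintext transparency-log endpoint lets a network attacker forge the
# inclusion proof we rely on below; allow it only deliberately (e.g. local dev).
if [[ "${REKOR_URL}" != https://* ]]; then
  printf 'warning: REKOR_URL is not https:// (%s); inclusion proof is not transport-protected\n' \
    "${REKOR_URL}" >&2
fi

# 1) Upload DSSE envelope to Rekor with JSON output
upload_args=(upload --rekor_server "${REKOR_URL}" --artifact "${ATTEST_PATH}"
  --type dsse --format json)
if [[ -n "${REKOR_PUBLIC_KEY}" ]]; then
  [[ -r "${REKOR_PUBLIC_KEY}" ]] || die "REKOR_PUBLIC_KEY not readable: ${REKOR_PUBLIC_KEY}"
  upload_args+=(--public-key "${REKOR_PUBLIC_KEY}")
fi
rekor-cli "${upload_args[@]}" > rekor-upload.json

# rekor-cli releases differ in the JSON shape of the upload result: some print
# {UUID, LogIndex, IntegratedTime}, others {Location, Index}. Accept both and
# derive the UUID from the entry URL when it is not given directly.
UUID="$(jq -er '.UUID // (.Location | split("/") | last)' rekor-upload.json)" \
  || die "could not determine entry UUID from rekor-upload.json"
# Entry UUIDs are hex: 64 chars for legacy entries, 80 with the tree-ID prefix.
[[ "${UUID}" =~ ^([0-9a-f]{64}|[0-9a-f]{80})$ ]] || die "unexpected Rekor entry UUID: ${UUID}"

# Do not trust the fields echoed back by the upload alone: fetch the entry from
# the log and verify its inclusion proof against the signed tree head, so the
# sidecar only ever records an entry the log has actually committed to.
rekor-cli get --rekor_server "${REKOR_URL}" --uuid "${UUID}" --format json > rekor-entry.json
rekor-cli verify --rekor_server "${REKOR_URL}" --uuid "${UUID}" >/dev/null \
  || die "Rekor inclusion proof verification failed for entry ${UUID}"

LOG_INDEX="$(jq -er '.LogIndex' rekor-entry.json)" || die "LogIndex missing from rekor-entry.json"
INTEGRATED_TIME="$(jq -er '.IntegratedTime' rekor-entry.json)" \
  || die "IntegratedTime missing from rekor-entry.json"
LOG_ID="$(jq -r '.LogID // empty' rekor-entry.json)"   # optional; empty if absent
[[ "${LOG_INDEX}" =~ ^[0-9]+$ ]] || die "LogIndex is not an integer: ${LOG_INDEX}"
[[ "${INTEGRATED_TIME}" =~ ^[0-9]+$ ]] || die "IntegratedTime is not an integer: ${INTEGRATED_TIME}"

# 2) Compute envelope SHA256
ENVELOPE_SHA256="$(sha256sum -- "${ATTEST_PATH}" | awk '{print $1}')"
[[ "${ENVELOPE_SHA256}" =~ ^[0-9a-f]{64}$ ]] || die "sha256sum produced no digest for ${ATTEST_PATH}"

# 3) Extract key metadata (example for local file key; adapt for Fulcio/KMS)
# For keyless/Fulcio you'd normally extract the cert from cosign verify-attestation.
# NOTE(review): KEY_ID falls back to KEY_REF, which for a file key is the path of
# the *private* key. It is only a label here (the file is never read), but a
# public-key fingerprint or KMS key identifier is a more useful, less leaky value.
KEY_ID="${KEY_ID:-${KEY_REF}}"
KEY_ALGO="${KEY_ALGO:-unknown}"
KEY_ISSUER="${KEY_ISSUER:-unknown}"

# 4) Optional: resolve image digest (if not already known in CI)
# `cosign triangulate` prints the *signature* image reference
# (<repo>:sha256-<hex>.sig), not the image digest, so its output must be
# parsed. A digest-pinned IMAGE_REF, or `crane digest` when installed, is
# preferred because neither depends on the signature-tag naming convention.
IMAGE_DIGEST="${IMAGE_DIGEST:-}"
if [[ -z "${IMAGE_DIGEST}" ]]; then
  if [[ "${IMAGE_REF}" =~ @(sha256:[0-9a-f]{64})$ ]]; then
    IMAGE_DIGEST="${BASH_REMATCH[1]}"
  elif command -v crane >/dev/null 2>&1; then
    IMAGE_DIGEST="$(crane digest "${IMAGE_REF}")"
  else
    command -v cosign >/dev/null 2>&1 || die "neither crane nor cosign available to resolve digest"
    sig_ref="$(cosign triangulate "${IMAGE_REF}")"
    [[ "${sig_ref}" =~ sha256-([0-9a-f]{64})\.sig$ ]] \
      || die "cannot derive image digest from cosign triangulate output: ${sig_ref}"
    IMAGE_DIGEST="sha256:${BASH_REMATCH[1]}"
  fi
fi
# Reject anything that is not a well-formed digest, whichever path produced it.
[[ "${IMAGE_DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]] || die "malformed image digest: ${IMAGE_DIGEST}"

# 5) Emit provenance sidecar
# Built with jq rather than a heredoc so values containing quotes, backslashes
# or newlines cannot break (or inject into) the JSON. Written to a temp file and
# renamed so a consumer never sees a half-written sidecar.
# NOTE(review): the field names below are this script's own schema — confirm
# they match whatever consumes ${OUT_META_JSON}.
tmp_out="$(mktemp "${OUT_META_JSON}.XXXXXX")" || die "mktemp failed"
trap 'rm -f -- "${tmp_out}"' EXIT
jq -n \
  --arg image_ref "${IMAGE_REF}" \
  --arg image_digest "${IMAGE_DIGEST}" \
  --arg envelope_path "${ATTEST_PATH}" \
  --arg envelope_sha256 "${ENVELOPE_SHA256}" \
  --arg rekor_url "${REKOR_URL}" \
  --arg uuid "${UUID}" \
  --argjson log_index "${LOG_INDEX}" \
  --argjson integrated_time "${INTEGRATED_TIME}" \
  --arg log_id "${LOG_ID}" \
  --arg key_id "${KEY_ID}" \
  --arg key_algo "${KEY_ALGO}" \
  --arg key_issuer "${KEY_ISSUER}" \
  '{
    image: { ref: $image_ref, digest: $image_digest },
    envelope: { path: $envelope_path, sha256: $envelope_sha256 },
    rekor: {
      url: $rekor_url,
      uuid: $uuid,
      log_index: $log_index,
      integrated_time: $integrated_time,
      log_id: (if $log_id == "" then null else $log_id end)
    },
    key: { id: $key_id, algorithm: $key_algo, issuer: $key_issuer }
  }' > "${tmp_out}"
mv -f -- "${tmp_out}" "${OUT_META_JSON}"
trap - EXIT
printf 'wrote %s (rekor entry %s, log index %s)\n' "${OUT_META_JSON}" "${UUID}" "${LOG_INDEX}" >&2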