#!/bin/bash
# -----------------------------------------------------------------------------
# revoke-target.sh
# Sprint: SPRINT_20260125_003_Attestor_trust_workflows_conformance
# Task: WORKFLOW-002 - Create key rotation workflow script
# Description: Remove a target from the TUF repository
# -----------------------------------------------------------------------------

set -euo pipefail

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }

usage() {
    echo "Usage: $0 <target-name> [options]"
    echo ""
    echo "Remove a target from the TUF repository."
    echo ""
    echo "Arguments:"
    echo "  target-name          Name of target to remove (e.g., rekor-key-v1)"
    echo ""
    echo "Options:"
    echo "  --repo DIR           TUF repository directory (default: current directory)"
    echo "  --archive            Archive target file instead of deleting"
    echo "  -h, --help           Show this help message"
    echo ""
    echo "Example:"
    echo "  $0 rekor-key-v1 --repo /path/to/tuf --archive"
    exit 1
}

TARGET_NAME=""
REPO_DIR="."
ARCHIVE=false

while [[ $# -gt 0 ]]; do
    case $1 in
        --repo) REPO_DIR="$2"; shift 2 ;;
        --archive) ARCHIVE=true; shift ;;
        -h|--help) usage ;;
        -*)
            log_error "Unknown option: $1"
            usage
            ;;
        *)
            if [[ -z "$TARGET_NAME" ]]; then
                TARGET_NAME="$1"
            else
                log_error "Unexpected argument: $1"
                usage
            fi
            shift
            ;;
    esac
done

if [[ -z "$TARGET_NAME" ]]; then
    log_error "Target name is required"
    usage
fi

TARGETS_DIR="$REPO_DIR/targets"
TARGETS_JSON="$REPO_DIR/targets.json"

if [[ ! -d "$TARGETS_DIR" ]]; then
    log_error "Targets directory not found: $TARGETS_DIR"
    exit 1
fi

if [[ ! -f "$TARGETS_JSON" ]]; then
    log_error "targets.json not found: $TARGETS_JSON"
    exit 1
fi

# Find the target file
TARGET_FILE=""
for ext in "" ".pub" ".json" ".pem"; do
    if [[ -f "$TARGETS_DIR/${TARGET_NAME}${ext}" ]]; then
        TARGET_FILE="$TARGETS_DIR/${TARGET_NAME}${ext}"
        break
    fi
done

if [[ -z "$TARGET_FILE" ]]; then
    log_warn "Target file not found in $TARGETS_DIR"
    log_info "Continuing to remove from targets.json..."
fi

echo ""
echo "================================================"
echo "  TUF Target Revocation"
echo "================================================"
echo ""
log_info "Repository: $REPO_DIR"
log_info "Target: $TARGET_NAME"
if [[ -n "$TARGET_FILE" ]]; then
    log_info "File: $TARGET_FILE"
fi
echo ""

log_warn "This will remove the target from the TUF repository."
log_warn "Clients will no longer be able to fetch this target after sync."
read -p "Type 'REVOKE' to proceed: " CONFIRM
if [[ "$CONFIRM" != "REVOKE" ]]; then
    log_error "Aborted"
    exit 1
fi

# Remove or archive the file
if [[ -n "$TARGET_FILE" ]]; then
    if [[ "$ARCHIVE" == "true" ]]; then
        ARCHIVE_DIR="$REPO_DIR/archived"
        mkdir -p "$ARCHIVE_DIR"
        TIMESTAMP=$(date -u +%Y%m%d%H%M%S)
        ARCHIVE_NAME="$(basename "$TARGET_FILE")-revoked-${TIMESTAMP}"
        mv "$TARGET_FILE" "$ARCHIVE_DIR/$ARCHIVE_NAME"
        log_info "Archived to: $ARCHIVE_DIR/$ARCHIVE_NAME"
    else
        rm -f "$TARGET_FILE"
        log_info "Deleted: $TARGET_FILE"
    fi
fi

# Update targets.json
if command -v python3 &>/dev/null; then
    python3 - "$TARGETS_JSON" "$TARGET_NAME" << 'PYTHON_SCRIPT'
import json
import sys

targets_json = sys.argv[1]
target_name = sys.argv[2]

with open(targets_json) as f:
    data = json.load(f)

# Find and remove the target
targets = data.get('signed', {}).get('targets', {})
removed = False

# Try different name variations
names_to_try = [
    target_name,
    f"{target_name}.pub",
    f"{target_name}.json",
    f"{target_name}.pem"
]

for name in names_to_try:
    if name in targets:
        del targets[name]
        removed = True
        print(f"Removed from targets.json: {name}")
        break

if not removed:
    print(f"Warning: Target '{target_name}' not found in targets.json")
    sys.exit(0)

# Update version
if 'signed' in data:
    data['signed']['version'] = data['signed'].get('version', 0) + 1

with open(targets_json, 'w') as f:
    json.dump(data, f, indent=2)

print(f"Updated: {targets_json}")
PYTHON_SCRIPT
else
    log_warn "Python not available. Manual update of targets.json required."
    log_warn "Remove the '$TARGET_NAME' entry from $TARGETS_JSON"
fi

echo ""
log_info "Target revocation prepared."
echo ""
log_warn "NEXT STEPS (REQUIRED):"
echo "  1. Re-sign targets.json with targets key"
echo "  2. Update snapshot.json and sign with snapshot key"
echo "  3. Update timestamp.json and sign with timestamp key"
echo "  4. Deploy updated metadata to TUF server"
echo ""
log_info "Clients will stop trusting '$TARGET_NAME' after their next sync."
echo ""