#!/usr/bin/sh
set -e

# NOTICE: This file was installed by "influxdata-archive-keyring".
# This package is optional; InfluxData software will continue to
# work without it. If you prefer to rely on rpm to download keys
# automatically, you can safely uninstall this package and
# configure 'gpgkey' to point to:
#
# https://repos.influxdata.com/influxdata-archive.key
#
# This package is intended to make key rotation seamless
# as gpg keys expire.

get_rpm_version() {
    # Print the VERSION tag of whichever package provides `rpm` on this
    # system. Nothing but the bare version is written to stdout (the query
    # format carries no trailing newline).
    #
    # Returns 0 after printing the version of the first installed candidate.
    # Calls `exit 1` (not `return`) when no candidate is installed, so a
    # direct, non-subshell call terminates the whole script.
    #
    # Candidates, in lookup order:
    #   rpm     - fedora, centos, etc
    #   rpm-ndb - suse
    for package in rpm rpm-ndb ; do
        # `rpm -q` reports "package is not installed" on stdout rather than
        # stderr, so probe silently first and only query the version of a
        # package that is known to exist.
        rpm -q "${package}" >/dev/null 2>&1 || continue

        rpm -q --queryformat '%{VERSION}' "${package}"
        return 0
    done

    # no known package provides `rpm`
    exit 1
}

is_subkey_supported() {
    # Succeed (status 0) when the installed rpm is version 4.12.90 or later;
    # callers use this to choose between the regular and the "_compat" keys
    # and repo files.
    #
    # Any other outcome is non-zero, including the cases where the version
    # could not be determined or a component is not an integer: the `[`
    # tests then fail with an error on stderr and the caller falls back to
    # the compatibility path.
    #
    # NOTE(review): `read` returns non-zero when its input lacks a trailing
    # newline, which is what the '%{VERSION}' query format produces. Under
    # `set -e` this function is therefore only dependable when invoked from a
    # conditional (`if`, `!`, `&&`, `||`), as every caller in this file does.
    get_rpm_version | (
        # `read` puts everything after the second dot into `patch`, so a
        # four-component version leaves a non-integer value there.
        IFS='.' read -r major minor patch

        # Anything newer than the 4.x series qualifies outright.
        if [ "${major}" -gt 4 ] ; then
            exit 0
        fi

        # 4.13 and later.
        if [ "${major}" -eq 4 ] && [ "${minor}" -gt 12 ] ; then
            exit 0
        fi

        # 4.12.x qualifies from patch level 90 upwards; the status of this
        # final test becomes the status of the function.
        [ "${major}" -eq 4 ] && [ "${minor}" -eq 12 ] && [ "${patch}" -ge 90 ]
    )
}

is_compat() {
    # Succeed when the path in ${1} names a compatibility key, i.e. when it
    # ends in "_compat.asc". The check looks at the file name only; the file
    # itself is never opened.
    #
    # Stripping the suffix changes the string only if the suffix was there.
    [ "${1%_compat.asc}" != "${1}" ]
}

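repo_matches_checksum() {
    # Report whether "${1}/${2}" is byte-identical to a repo file listed
    # below. Callers treat a match as "unmodified, safe to overwrite or
    # delete", so the comparison has to be exact.
    #
    # 1 -> directory
    # 2 -> target
    #
    # Returns 0 when the file's SHA-256 equals one of the known digests,
    # 1 otherwise (including when the file cannot be read or hashed).

    # Hash the file once and feed it through stdin: sha256sum then prints
    # "<digest>  -", so the path never becomes part of the text being
    # compared. Matching the digest against the whole "<digest>  <path>"
    # line would also accept a path that merely contains a known digest.
    actual_checksum="$(sha256sum < "${1}/${2}")" || return 1
    actual_checksum="${actual_checksum%% *}"

    # 6262c97fa - 2025-10-07 - influxdata.repo
    # b35f8a03e - 2025-10-07 - influxdata_compat.repo
    for checksum in \
        6262c97fab67eb921370e1de1aebe345880bfac3cdebb4e576f088a4897c9e90 \
        b35f8a03e20e6942e0eb4f1cfc2114c44bbf936d496dad6695f793426fc71258
    do
        # Whole-string equality, not a substring or regex match.
        if [ "${actual_checksum}" = "${checksum}" ] ; then
            return 0
        fi
    done

    return 1
}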

repo_can_be_upgraded() {
    # Decide whether this package may (over)write the repo file "${1}/${2}".
    #
    # 1 -> directory
    # 2 -> target
    #
    # Returns 0 when writing is allowed:
    #   - the target is absent and nothing else under ${1} mentions
    #     repos.influxdata.com, or
    #   - the target exists and repo_matches_checksum accepts it.
    # Returns 1 otherwise; the two refusals that concern an administrator's
    # own configuration print a warning on stderr.

    # A missing directory means this package manager is not in use here.
    [ -d "${1}" ] || return 1

    if [ -f "${1}/${2}" ] ; then
        # Existing target: only replace it while it is still unmodified, so
        # local edits are never silently overwritten.
        if repo_matches_checksum "${1}" "${2}" ; then
            return 0
        fi

        cat <<EOF 1>&2 || true
W: Not updating "${1}/${2}" which has been modified.
W: This file is managed by influxdata-archive-keyring, but it contains
W: modifications. To restore managed behavior, remove this file and run:
W:   /usr/lib/influxdata-archive-keyring/influxdata-keyring upgrade
W: Otherwise, to suppress this message, uninstall "influxdata-archive-keyring".
EOF
        return 1
    fi

    # No target yet. The dots in the pattern are regex wildcards, so this
    # search matches slightly more than the literal host name; an extra
    # match only leads to a refusal to write.
    if ! grep -qr repos.influxdata.com "${1}" ; then
        return 0
    fi

    # Some other file already configures the repository: leave it alone.
    cat <<EOF 1>&2 || true
W: Not updating "${1}/${2}".
W: The influxdata-archive-keyring package manages the "${2}" file,
W: but another file configures the system to use "repos.influxdata.com". To
W: have influxdata-archive-keyring manage "repos.influxdata.com", remove the
W: other file and run:
W:   /usr/lib/influxdata-archive-keyring/influxdata-keyring upgrade
W: Otherwise, to suppress this message, uninstall "influxdata-archive-keyring".
EOF
    return 1
}

repo_can_be_removed() {
    # Decide whether this package may delete the repo file "${1}/${2}".
    #
    # 1 -> directory
    # 2 -> target
    #
    # Returns 0 only when the file exists and repo_matches_checksum accepts
    # it. A missing file returns 1 silently; a file that fails the checksum
    # returns 1 after an informational message on stderr, so an edited file
    # is left in place.
    [ -f "${1}/${2}" ] || return 1

    if repo_matches_checksum "${1}" "${2}" ; then
        return 0
    fi

    echo "I: Not removing \"${1}/${2}\" (has modifications)"  1>&2
    return 1
}

repo_upgrade() {
    # Install the packaged repo definition as "${1}/${2}", overwriting any
    # existing file. No checks are made here; callers are expected to ask
    # repo_can_be_upgraded first.
    #
    # 1 -> directory
    # 2 -> target
    #
    # The return status is that of `cp`.
    if is_subkey_supported ; then
        cp -v /usr/share/influxdata-archive-keyring/influxdata.repo "${1}/${2}"
    else
        # rpm without subkey support gets the compatibility variant.
        cp -v /usr/share/influxdata-archive-keyring/influxdata_compat.repo "${1}/${2}"
    fi
}

# Entry point: the first argument selects the action. Any other value (or
# no argument) does nothing and the script ends with status 0.
case "${1}" in
    upgrade)
        # Import the packaged public keys into rpm's keyring.
        for key in /usr/share/influxdata-archive-keyring/keyrings/*.asc ; do
            # "key" expands to the original glob pattern if no matching
            # files are found, so skip anything that is not a real file
            # before handing it to rpmkeys.
            [ -f "${key}" ] || continue

            # Exactly one flavour of each key is imported. If this version
            # of rpm does not support subkeys, only the compatibility keys
            # are used; they were created by exporting the public signing
            # keys from the master key.
            if is_subkey_supported ; then
                if ! is_compat "${key}" ; then
                    rpmkeys -v --import "${key}"
                fi
            elif is_compat "${key}" ; then
                rpmkeys -v --import "${key}"
            fi
        done

        # Refresh the managed repo file for each supported package manager
        # (zypper first, then yum/dnf), but only where that is allowed.
        for repo_dir in /etc/zypp/repos.d /etc/yum.repos.d ; do
            if repo_can_be_upgraded "${repo_dir}" influxdata.repo ; then
                repo_upgrade "${repo_dir}" influxdata.repo
            fi
        done
        ;;

    remove)
        # Delete the managed repo files, leaving modified ones in place.
        # Imported keys are not touched by this action.
        for repo_dir in /etc/zypp/repos.d /etc/yum.repos.d ; do
            if repo_can_be_removed "${repo_dir}" influxdata.repo ; then
                rm -v "${repo_dir}/influxdata.repo"
            fi
        done
        ;;
esac
