package trivy

import (
	"strconv"

	"alpha.dagger.io/alpine"
	"alpha.dagger.io/aws"
	"alpha.dagger.io/dagger"
	"alpha.dagger.io/dagger/op"
	"alpha.dagger.io/gcp"
)

// Set Trivy download source
// - AWS
// - GCP
// - Docker Hub
// - Self Hosted

// Trivy Configuration
#Config: {
	// Docker Hub / Self hosted registry auth
	basicAuth: {
		// Username
		username: dagger.#Input & {string}

		// Password
		password: dagger.#Input & {dagger.#Secret}

		// No SSL connection
		noSSL: *false | bool
	} | *null

	// AWS ECR auth
	awsAuth: aws.#Config | *null

	// GCP auth 
	gcpAuth: gcp.#Config | *null
}

// Re-usable CLI component
#CLI: {
	config: #Config

	#up: [
		if config.awsAuth == null && config.gcpAuth == null {
			op.#Load & {
				from: alpine.#Image & {
					package: bash: "=~5.1"
					package: curl: true
					package: jq:   "=~1.6"
				}
			}
		},
		if config.awsAuth != null && config.gcpAuth == null {
			op.#Load & {
				from: aws.#CLI & {
					"config": config.awsAuth
				}
			}
		},
		if config.awsAuth == null && config.gcpAuth != null {
			op.#Load & {
				from: gcp.#GCloud & {
					"config": config.gcpAuth
				}
			}
		},
		op.#Exec & {
			args: ["sh", "-c",
				#"""
					curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3 &&
					chmod +x /usr/local/bin/trivy
					"""#,
			]
		},
		// config.basicAuth case
		if config.basicAuth != null && config.awsAuth == null && config.gcpAuth == null {
			op.#Exec & {
				args: ["/bin/bash", "-c",
					#"""
						# Rename
						mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger

						# Build root of executable script
						echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy

						# Construct env string from env vars
						envs=()
						[ -n "$TRIVY_USERNAME" ] && envs+=("TRIVY_USERNAME=$TRIVY_USERNAME")
						[ -n "$TRIVY_NON_SSL" ] && envs+=("TRIVY_NON_SSL=$TRIVY_NON_SSL")

						# Append secret to env string
						[ -n "$(cat /password)" ] && envs+=("TRIVY_PASSWORD=$(cat /password)")

						# Append full command
						echo "${envs[@]}" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy

						# Make it executable
						chmod +x /usr/local/bin/trivy
						"""#,
				]
				env: TRIVY_USERNAME: config.basicAuth.username
				env: TRIVY_NON_SSL:  strconv.FormatBool(config.basicAuth.noSSL)
				mount: "/password": secret: config.basicAuth.password
			}
		},
		// config.gcpAuth case
		if config.basicAuth == null && config.awsAuth == null && config.gcpAuth != null {
			op.#Exec & {
				args: ["/bin/bash", "-c",
					#"""
						# Rename
						mv /usr/local/bin/trivy /usr/local/bin/trivy-dagger

						# Build root of executable script
						echo '#!/bin/bash'$'\n' > /usr/local/bin/trivy

						# Append full command
						echo "TRIVY_USERNAME=''" "GOOGLE_APPLICATION_CREDENTIALS=/service_key" '/usr/local/bin/trivy-dagger "$@"' >> /usr/local/bin/trivy

						# Make it executable
						chmod +x /usr/local/bin/trivy
						"""#,
				]
			}
		},
	]
}