#!/bin/bash
# ─────────────────────────────────────────────────────────────
# Dual-network development setup
# ─────────────────────────────────────────────────────────────
#
# Controls: one env var — NETWORK=corp or NETWORK=home
#
# Usage (add to ~/.zshrc):
#   export NETWORK=corp   # at work / on VPN
#   export NETWORK=home   # at home (or just unset it)
#
# Then source this file from ~/.zshrc:
#   source "$HOME/code/mygh/learning_ai_common_plat/scripts/switch-network.sh"
#
# What it sets when NETWORK=corp:
#   - http_proxy / https_proxy  → cso.proxy.att.com:8080
#   - NPM_CONFIG_REGISTRY       → AT&T JFrog npm proxy
#   - NPM_CONFIG_PROXY          → corporate proxy
#   - NPM_CONFIG_STRICT_SSL     → false (proxy TLS interception)
#   - NO_PROXY / no_proxy        → localhost,127.0.0.1 (Gitea, Cosmos, Azurite)
#   - NPM_CONFIG_NOPROXY         → localhost,127.0.0.1
#   - NODE_TLS_REJECT_UNAUTHORIZED → 0 (Node.js trusts proxy certs)
#   - PIP_TRUSTED_HOST           → pypi.org, files.pythonhosted.org
#   - GRADLE_OPTS                → JVM truststore with corporate CA cert
#                                  (truststore at ~/.gradle/ssl/gradle-cacerts.jks)
#
# What it sets when NETWORK=home:
#   - All proxy vars unset, default registries, direct internet
#
# Gradle SSL setup (one-time):
#   The corporate proxy (cso.proxy.att.com) does TLS interception.
#   Gradle's JVM needs a custom truststore with the proxy CA cert.
#   To create/recreate:
#     mkdir -p ~/.gradle/ssl
#     JAVA_HOME=$(/usr/libexec/java_home)
#     cp "$JAVA_HOME/lib/security/cacerts" ~/.gradle/ssl/gradle-cacerts.jks
#     echo | openssl s_client -connect services.gradle.org:443 \
#       -proxy cso.proxy.att.com:8080 -showcerts 2>/dev/null \
#       | awk 'BEGIN{c=0} /BEGIN CERT/{c++} c==2{print} /END CERT/&&c==2{exit}' \
#       > /tmp/corp-ca.pem
#     keytool -importcert -noprompt -trustcacerts -alias att-cso-proxy \
#       -file /tmp/corp-ca.pem \
#       -keystore ~/.gradle/ssl/gradle-cacerts.jks -storepass changeit
#
# ─────────────────────────────────────────────────────────────

_CORP_PROXY="http://cso.proxy.att.com:8080/"
_CORP_NPM_REGISTRY="https://jfrog-pkg-proxy.it.att.com/artifactory/api/npm/att-npm-proxy-group/"

_GRADLE_TRUSTSTORE="$HOME/.gradle/ssl/gradle-cacerts.jks"

if [ "${NETWORK:-home}" = "corp" ]; then
  # ── Corporate proxy ──
  export http_proxy="$_CORP_PROXY"
  export https_proxy="$_CORP_PROXY"
  export HTTP_PROXY="$_CORP_PROXY"
  export HTTPS_PROXY="$_CORP_PROXY"
  export NPM_CONFIG_REGISTRY="$_CORP_NPM_REGISTRY"
  export NPM_CONFIG_PROXY="$_CORP_PROXY"
  export NPM_CONFIG_HTTPS_PROXY="$_CORP_PROXY"
  export NPM_CONFIG_STRICT_SSL="false"
  export PIP_TRUSTED_HOST="pypi.org files.pythonhosted.org"
  export NODE_TLS_REJECT_UNAUTHORIZED="0"
  # Bypass proxy for local services (Gitea npm registry, Cosmos emulator, Azurite, etc.)
  export NO_PROXY="localhost,127.0.0.1"
  export no_proxy="localhost,127.0.0.1"
  export NPM_CONFIG_NOPROXY="localhost,127.0.0.1"
  # Gradle: trust corporate proxy CA cert (TLS interception by cso.proxy.att.com)
  if [ -f "$_GRADLE_TRUSTSTORE" ]; then
    export GRADLE_OPTS="-Djavax.net.ssl.trustStore=$_GRADLE_TRUSTSTORE -Djavax.net.ssl.trustStorePassword=changeit -Djdk.http.auth.tunneling.disabledSchemes= -Djdk.http.auth.proxying.disabledSchemes= -Djava.net.useSystemProxies=true"
  fi
else
  # ── Home / direct internet ──
  unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY 2>/dev/null
  unset NPM_CONFIG_REGISTRY NPM_CONFIG_PROXY NPM_CONFIG_HTTPS_PROXY 2>/dev/null
  unset NPM_CONFIG_STRICT_SSL NODE_TLS_REJECT_UNAUTHORIZED 2>/dev/null
  unset NO_PROXY no_proxy NPM_CONFIG_NOPROXY 2>/dev/null
  unset PIP_TRUSTED_HOST GRADLE_OPTS 2>/dev/null
fi

unset _GRADLE_TRUSTSTORE

# Quick status on new shell (only if interactive)
if [[ $- == *i* ]]; then
  if [ "${NETWORK:-home}" = "corp" ]; then
    echo "🏢 NETWORK=corp — proxy active"
  else
    echo "🏠 NETWORK=home — direct internet"
  fi
fi

unset _CORP_PROXY _CORP_NPM_REGISTRY

# ── Gitea NPM token (always, regardless of NETWORK) ──────────────
# Local Gitea registry at localhost:3300 — token for publish access.
# Reads: public without auth. Writes: need GITEA_NPM_TOKEN.
# Store token in ~/.gitea_npm_token (one line, no newline).
# Create: curl -s -u admin:PASSWORD http://localhost:3300/api/v1/users/admin/tokens \
#           -H 'Content-Type: application/json' -d '{"name":"npm"}' | jq -r '.sha1 // .token'
_GITEA_TOKEN_FILE="$HOME/.gitea_npm_token"
if [ -z "${GITEA_NPM_TOKEN:-}" ] && [ -f "$_GITEA_TOKEN_FILE" ]; then
  export GITEA_NPM_TOKEN
  GITEA_NPM_TOKEN="$(cat "$_GITEA_TOKEN_FILE")"
fi
unset _GITEA_TOKEN_FILE