#!/usr/bin/env bash
# mise description="Bundles the CLI for distribution"

# Strict mode: abort on the first failing command, on any unset variable, and
# when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail

# Usage
# CERTIFICATE_PASSWORD=xxxxx CERTIFICATE_ENCRYPTION_PASSWORD=xxxx APPLE_ID=email APP_SPECIFIC_PASSWORD=xxx mise run bundle
#
# All four variables are secrets or account identifiers read from the
# environment. Typed inline as shown they are recorded in shell history, so
# prefer injecting them from the CI secret store or a secrets manager.

# Scratch directory from mktemp -d; the decrypted certificate and the CI
# keychain are written only inside it.
TMP_DIRECTORY="$(mktemp -d)"
CERTIFICATE_PATH="${TMP_DIRECTORY}/certificate.p12"
KEYCHAIN_PATH="${TMP_DIRECTORY}/keychain.keychain"
# Random per-run password for the keychain created on CI.
KEYCHAIN_PASSWORD="$(uuidgen)"

# Inputs and outputs inside the project checkout.
ENCRYPTED_CERTIFICATE_PATH="${MISE_PROJECT_ROOT}/app/certificates/certificate.p12.enc"
APP_DIRECTORY="${MISE_PROJECT_ROOT}/app/app-binary"
BUILD_DIRECTORY="${MISE_PROJECT_ROOT}/app/build"
DERIVED_DATA_PATH="${BUILD_DIRECTORY}/app/derived"
BUILD_DIRECTORY_BINARY="${DERIVED_DATA_PATH}/Build/Products/Release/Tuist.app"
BUILD_ARTIFACTS_DIRECTORY="${BUILD_DIRECTORY}/artifacts"
BUILD_ZIP_PATH="${BUILD_ARTIFACTS_DIRECTORY}/app.zip"
SHASUMS256_FILE="${BUILD_ARTIFACTS_DIRECTORY}/SHASUMS256.txt"
SHASUMS512_FILE="${BUILD_ARTIFACTS_DIRECTORY}/SHASUMS512.txt"

# Apple Developer team passed to notarytool.
TEAM_ID='U6LC622NKF'

# Escape sequences for coloured status output (expanded when printed).
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Print a progress message to stdout wrapped in the YELLOW colour code.
# Globals:   YELLOW, NC (read) - escape sequences, expanded at print time
# Arguments: $1 - message text; backslash escapes in it are expanded as well
print_status() {
    local message=$1
    printf '%b\n' "${YELLOW}${message}${NC}"
}

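# Remove the temporary directory (decrypted certificate, CI keychain) on exit.
# Single quotes defer expansion until the trap fires; the inner double quotes
# keep a path containing whitespace as a single argument to rm, and :? refuses
# to run rm with an empty path.
trap 'rm -rf -- "${TMP_DIRECTORY:?}"' EXIT

# Decrypt the certificate
print_status "Decrypting the certificate..."
# The passphrase reaches openssl through the environment (env:NAME) instead of
# pass:VALUE, which would place it in openssl's argument list where other
# local processes can read it (for example with ps).
: "${CERTIFICATE_ENCRYPTION_PASSWORD:?CERTIFICATE_ENCRYPTION_PASSWORD must be set}"
export CERTIFICATE_ENCRYPTION_PASSWORD
openssl enc -aes-256-cbc -d -pbkdf2 \
    -in "$ENCRYPTED_CERTIFICATE_PATH" \
    -out "$CERTIFICATE_PATH" \
    -pass env:CERTIFICATE_ENCRYPTION_PASSWORD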

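# Codesign
print_status "Code signing the Tuist App..."
if [ "${CI:-}" = "true" ]; then
    # On CI the signing identity goes into a throwaway keychain inside the
    # temporary directory, which is also made the default keychain.
    print_status "Creating a new temporary keychain..."
    security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
    # -l: lock on sleep; -u with -t: lock after 21600 s (6 h) of inactivity.
    security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
    security default-keychain -s "$KEYCHAIN_PATH"
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
fi
# No -k is given, so the import targets the default keychain: the temporary
# one on CI, the invoking user's own default keychain everywhere else.
# The password is quoted so whitespace or glob characters in it cannot split
# or rewrite the argument.
# NOTE(review): -A lets every application use the imported private key without
# a prompt (security(1) labels it insecure). Outside CI that grant lands on the
# user's default keychain; a narrower ACL such as -T /usr/bin/codesign would be
# preferable, but needs the signing flow re-tested before switching.
# NOTE(review): -P places the certificate password in security's argument list,
# readable by other local processes while the command runs.
security import "$CERTIFICATE_PATH" -P "$CERTIFICATE_PASSWORD" -A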

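# Build
print_status "Building the Tuist App..."
tuist generate --no-binary-cache --no-open
# Path arguments are quoted so a checkout path containing spaces stays intact.
xcodebuild clean build \
    -workspace "$MISE_PROJECT_ROOT/Tuist.xcworkspace" \
    -scheme TuistApp \
    -configuration Release \
    -destination generic/platform=macOS \
    -derivedDataPath "$DERIVED_DATA_PATH" \
    CODE_SIGN_IDENTITY="Developer ID Application: Tuist GmbH (U6LC622NKF)" \
    CODE_SIGN_STYLE="Manual" \
    CODE_SIGN_INJECT_BASE_ENTITLEMENTS="NO"

# Re-sign the executables nested in Sparkle.framework with the Developer ID
# identity, hardened runtime (--options runtime) and a secure timestamp.
# NOTE(review): these are re-signed after xcodebuild has already signed the
# enclosing bundle; confirm with `codesign --verify --deep --strict` on
# Tuist.app that the outer signature still validates before it is shipped.
sparkle_root="$BUILD_DIRECTORY_BINARY/Contents/Frameworks/Sparkle.framework/Versions/B"
for nested_binary in \
    "Autoupdate" \
    "Updater.app/Contents/MacOS/Updater" \
    "XPCServices/Downloader.xpc/Contents/MacOS/Downloader" \
    "XPCServices/Installer.xpc/Contents/MacOS/Installer"; do
    codesign --force --timestamp --options runtime \
        --sign "Developer ID Application: Tuist GmbH (U6LC622NKF)" \
        "$sparkle_root/$nested_binary"
done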

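# Notarize
print_status "Submitting the Tuist App for notarization..."
# Paths are quoted throughout so a project root containing spaces cannot split
# into several arguments.
mkdir -p "$BUILD_ARTIFACTS_DIRECTORY"

# Package the built app into a disk image, then sign the image itself so the
# container that users download carries the Developer ID signature.
BUILD_DMG_PATH="$BUILD_ARTIFACTS_DIRECTORY/Tuist.dmg"
create-dmg \
    --background "$MISE_PROJECT_ROOT/assets/dmg-background.png" \
    --hide-extension "Tuist.app" \
    --icon "Tuist.app" 139 161 \
    --icon-size 95 \
    --window-size 605 363 \
    --app-drop-link 467 161 \
    --volname "Tuist App" \
    "$BUILD_DMG_PATH" \
    "$BUILD_DIRECTORY_BINARY"
codesign --force --timestamp --options runtime \
    --sign "Developer ID Application: Tuist GmbH (U6LC622NKF)" \
    --identifier "io.tuist.app.tuist-app-dmg" \
    "$BUILD_DMG_PATH"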

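# Credentials shared by every notarytool call below.
# NOTE(review): --password puts the app-specific password in the argument list
# of each xcrun invocation; notarytool can read stored credentials instead
# (--keychain-profile, created with `notarytool store-credentials`).
notary_auth=(
    --apple-id "$APPLE_ID"
    --team-id "$TEAM_ID"
    --password "$APP_SPECIFIC_PASSWORD"
)

# Upload the signed disk image. `// empty` turns a missing id into empty output
# instead of the literal string "null", so a malformed response is caught here
# and not passed on to the status queries.
SUBMISSION_ID=$(xcrun notarytool submit "${BUILD_DMG_PATH}" \
    "${notary_auth[@]}" \
    --output-format json | jq -r '.id // empty')
if [[ -z "$SUBMISSION_ID" ]]; then
    echo "Notarization submission returned no submission id" >&2
    exit 1
fi

# Poll every 30 seconds until the service reports a final status. The loop has
# no upper bound of its own and relies on the surrounding job's timeout.
while true; do
    STATUS=$(xcrun notarytool info "$SUBMISSION_ID" \
        "${notary_auth[@]}" \
        --output-format json | jq -r '.status')

    case "$STATUS" in
        "Accepted")
            echo -e "${GREEN}Notarization succeeded!${NC}"
            break
            ;;
        "In Progress")
            print_status "Notarization in progress... waiting 30 seconds"
            sleep 30
            ;;
        "Invalid"|"Rejected")
            # Diagnostics go to stderr; the notarization log explains which
            # binary or signature was refused.
            echo "Notarization failed with status: $STATUS" >&2
            xcrun notarytool log "$SUBMISSION_ID" "${notary_auth[@]}"
            exit 1
            ;;
        *)
            # Anything unrecognised (including "null" from an unexpected
            # response) fails closed rather than shipping an unverified image.
            echo "Unknown status: $STATUS" >&2
            exit 1
            ;;
    esac
done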

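# Generating shasums
print_status "Generating shasums..."
# Start from empty manifests: every artifact in the directory is hashed again
# below, so appending to a manifest left by an earlier run would publish stale
# or duplicate digests next to the current ones.
: > "$SHASUMS256_FILE"
: > "$SHASUMS512_FILE"
for file in "$BUILD_ARTIFACTS_DIRECTORY"/*; do
    artifact_name=${file##*/}
    # Hash regular files only and never the manifests themselves.
    if [[ -f "$file" && "$artifact_name" != SHASUMS* ]]; then
        # Each line is "<digest>  <basename>", the layout `shasum -c` reads.
        # printf keeps a name containing spaces intact; the original passed the
        # unquoted basename to awk, where it split into extra operands.
        digest_256=$(shasum -a 256 "$file" | awk '{print $1}')
        printf '%s  %s\n' "$digest_256" "$artifact_name" >> "$SHASUMS256_FILE"
        digest_512=$(shasum -a 512 "$file" | awk '{print $1}')
        printf '%s  %s\n' "$digest_512" "$artifact_name" >> "$SHASUMS512_FILE"
    fi
done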
