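#!/bin/bash
#
# Repairs YubiKey access inside a WSL distribution after the key has been
# attached from Windows with usbipd.
#
# Steps: detect the key, relax the PC/SC polkit policy, add the user to
# plugdev, open up the raw USB device node, restart the smart card services,
# sanity-check ~/.ssh/config and finally query the key with yubico-piv-tool.
#
# Needs sudo. Several steps deliberately loosen access controls; see the
# NOTE(review) comments before running this anywhere other than a single-user
# WSL instance.

# Colors for pretty output (real escape bytes, so plain printf '%s' works).
readonly GREEN=$'\033[0;32m'
readonly RED=$'\033[0;31m'
readonly YELLOW=$'\033[1;33m'
readonly NC=$'\033[0m' # No Color

# Yubico's USB vendor id, as used by `lsusb -d`.
readonly YUBICO_VENDOR="1050:"
readonly POLICY_FILE="/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy"
# $USER can be unset in minimal environments; fall back to the effective user.
readonly TARGET_USER="${USER:-$(id -un)}"

# Print one line to stdout.
say() { printf '%s\n' "$*"; }

say "${YELLOW}🔧 Starting YubiKey WSL Repair...${NC}"

# 1. CHECK: Is the key actually attached?
# Without lsusb the detection below would misreport "no key", so fail clearly.
if ! command -v lsusb > /dev/null; then
  say "${RED}❌ Error: lsusb not found (install usbutils).${NC}"
  exit 1
fi
if ! lsusb -d "$YUBICO_VENDOR" > /dev/null; then
  say "${RED}❌ Error: No YubiKey detected in Linux!${NC}"
  say " Please go to Windows PowerShell and run:"
  say " usbipd attach --wsl --busid <BUSID>"
  exit 1
fi
say "${GREEN}✅ YubiKey Hardware detected.${NC}"

# 2. PERMISSIONS: The "Nuclear" Polkit Fix
# This forces the smart card service to accept connections even if WSL looks
# "inactive".
# NOTE(review): setting allow_any / allow_inactive / allow_active to "yes"
# removes the polkit authorization check for PC/SC access, so every local
# account and session on this distribution can talk to the card. That is a
# reasonable trade on a single-user WSL instance and a poor one on a shared
# host. The file lives under /usr/share and is package-managed, so an upgrade
# may overwrite the edit; restore "$POLICY_FILE.bak" to undo it.
if [[ -f "$POLICY_FILE" ]]; then
  say " Applying 'Nuclear' permission fix to PC/SC Policy..."
  backup_ok=1
  # Backup original if not exists
  if [[ ! -f "$POLICY_FILE.bak" ]]; then
    sudo cp -- "$POLICY_FILE" "$POLICY_FILE.bak" || backup_ok=0
  fi
  if ((backup_ok)); then
    # Replace only the element content. Matching from the start of the line
    # would drop the opening tag and leave the policy file malformed.
    sudo sed -i \
      -e 's|<allow_any>.*</allow_any>|<allow_any>yes</allow_any>|' \
      -e 's|<allow_inactive>.*</allow_inactive>|<allow_inactive>yes</allow_inactive>|' \
      -e 's|<allow_active>.*</allow_active>|<allow_active>yes</allow_active>|' \
      -- "$POLICY_FILE"
  else
    # Never edit a system policy file without a way back.
    say "${YELLOW}⚠️ Warning: Could not back up polkit policy. Skipping nuclear fix.${NC}"
  fi
else
  say "${YELLOW}⚠️ Warning: Polkit policy file not found. Skipping nuclear fix.${NC}"
fi

# 3. GROUP: Ensure user is in plugdev
# -w avoids matching a group whose name merely contains "plugdev".
# New group membership only applies to sessions started after this point.
if ! id -nG "$TARGET_USER" | grep -qw "plugdev"; then
  say " Adding $TARGET_USER to plugdev group..."
  sudo usermod -aG plugdev "$TARGET_USER"
fi

# 4. USB NODE: Force read/write permissions on the raw USB device
# This fixes the "Failed to connect" error from yubico-piv-tool
# NOTE(review): mode 666 lets every local user read and write the token's raw
# USB node until it is re-enumerated. A udev rule granting 660 to plugdev is
# the narrower, persistent alternative once the group change above is active.
say " Forcing permissions on USB device node..."
# lsusb lines look like: "Bus 001 Device 004: ID 1050:0407 ..."
lsusb -d "$YUBICO_VENDOR" | while read -r _ bus _ dev _; do
  dev="${dev%:}"
  # Only build a path from purely numeric bus/device fields.
  [[ "$bus" =~ ^[0-9]+$ && "$dev" =~ ^[0-9]+$ ]] || continue
  # Must not be called PATH: overwriting PATH makes sudo/chmod unresolvable.
  node="/dev/bus/usb/$bus/$dev"
  if [[ ! -c "$node" ]]; then
    say "${YELLOW}⚠️ Warning: $node is not a device node. Skipping.${NC}"
    continue
  fi
  say " -> Unlocking $node"
  sudo chmod 666 -- "$node"
done

# 5. SERVICES: Restart everything to pick up changes
say " Restarting Smart Card Services..."
# Kill any stuck GPG agents that might hog the card (best effort: gpgconf may
# be absent or no agent may be running).
gpgconf --kill gpg-agent 2> /dev/null || true
# Restart the main daemon
sudo systemctl restart polkit
sudo systemctl restart pcscd

# 6. CONFIG CHECK: Warn if SSH config is bad
ssh_config="$HOME/.ssh/config"
# Guard on existence so a missing config does not print a grep error.
if [[ -f "$ssh_config" ]] && grep -q "IdentityFile.*yubi" -- "$ssh_config"; then
  say "${YELLOW}⚠️ WARNING: Found 'IdentityFile' pointing to a YubiKey in ~/.ssh/config!${NC}"
  say " You should remove that line so SSH doesn't throw 'libcrypto' errors."
fi

# 7. FINAL TEST
say "${YELLOW}🔎 Verifying connection...${NC}"
# Query the key once and reuse the output for the serial number line.
if status_output=$(yubico-piv-tool -a status 2> /dev/null); then
  say "${GREEN}🎉 SUCCESS! Your YubiKey is ready.${NC}"
  grep "Serial Number" <<< "$status_output"
else
  say "${RED}❌ Status check failed.${NC}"
  say " Try running: yubico-piv-tool -a status"
fi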