#!/bin/bash
set -e

# Parse CLI arguments
# (Thanks StackOverflow https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash)
while [[ $# -gt 0 ]]; do
  case $1 in
    --name)
      # The name of the application. Only useful for displaying in the script.
      # If not specified, will use the "name: " attribute from the pubspec.yaml
      NAME=$2
      shift
      shift
      ;;
    --not-signed)
      # Tells the script that the APKs are *NOT* signed and have to be manually
      # signed.
      ALREADY_SIGNED=n
      shift
      ;;
    --zipalign)
      # The path to the zipalign binary. If not specified, lets the shell resolve the path
      # itself.
      # Only useful with --not-signed.
      ZIPALIGN=$2
      shift
      shift
      ;;
    --apksigner)
      # The path to the apksigner binary. If not specified, lets the shell resolve the path
      # itself.
      # Only useful with --not-signed.
      APKSIGNER=$2
      shift
      shift
      ;;
    --notify-send)
      # The path to the notify-send binary. If not specified, lets the shell resolve the path
      # itself.
      # Only useful with --not-signed.
      NOTIFY_SEND=$2
      shift
      shift
      ;;
    --provider-config)
      # The path to the provider config passed to apksigner via --provider-arg.
      # Only useful with --not-signed.
      PROVIDER_CONFIG=$2
      shift
      shift
      ;;
    --no-clean)
      # Does not run "flutter clean" before running the build.
      CLEAN_BUILD=n
      shift
      ;;
    --min-sdk-version)
      # The minimum SDK version that should be able to validate the APK signature.
      # Only useful with --not-signed.
      MIN_SDK_VERSION=$2
      shift
      shift
      ;;
    --check)
      # Prints all parsed options and exits.
      JUST_CHECK=y
      shift
      ;;
    --skip-build)
      # Skips the entire build but not the signing, if --not-signed is specified. If --not-signed
      # is not specified, then the build is skipped, but the APKs are copied into the correct folder.
      # This flag expects that the build has run at least once and the correct release directory
      # already exists.
      SKIP_BUILD=y
      shift
      ;;
    --no-notification)
      # Does not create a notification when asking for the PIN of the Yubikey.
      # Only useful with --not-signed.
      SEND_NOTIFICATION=n
      shift
      ;;
    --pigeon)
      # Specifies to run `dart run pigeon --input $2`
      PIGEON_FILES="$PIGEON_FILES $2"
      shift
      shift
      ;;
    --flutter)
      # Specifies the path to the flutter binary
      FLUTTER=$2
      shift
      shift
      ;;
    *)
      echo "Unknown argument: $1"
      shift
      ;;
  esac
done

# Extract the name, if not passed
if [[ -z "$NAME" ]]; then
  NAME=$(grep -E "^name: " pubspec.yaml | cut -b 6-)
fi

# Default values
APKSIGNER=${APKSIGNER:-apksigner}
ZIPALIGN=${ZIPALIGN:-zipalign}
ALREADY_SIGNED=${ALREADY_SIGNED:-y}
MIN_SDK_VERSION=${MIN_SDK_VERSION:-24}
CLEAN_BUILD=${CLEAN_BUILD:-y}
SKIP_BUILD=${SKIP_BUILD:-n}
NOTIFY_SEND=${NOTIFY_SEND:-notify-send}
SEND_NOTIFICATION=${SEND_NOTIFICATION:-y}
FLUTTER=${FLUTTER:-flutter}

# Parse version info
version=$(grep -E "^version: " pubspec.yaml | cut -b 10-)
IFS="+" read -ra version_parts <<< "$version"
version_code="${version_parts[1]}"
release_dir="./release-${version}"

# Print a header
echo "===== ${NAME} ====="
echo "Building version ${version}"
echo "Moving APKs into ${release_dir} after build"
echo "Flutter:                   ${FLUTTER}"
echo "Clean build:               ${CLEAN_BUILD}"
echo "Pigeons to build:         ${PIGEON_FILES}"
echo "Skipping build:            ${SKIP_BUILD}"
echo "Sending notification:      ${SEND_NOTIFICATION}"
echo "APKs already signed:       ${ALREADY_SIGNED}"
if [[ "$ALREADY_SIGNED" = "n" ]]; then
  echo "Used zipalign:             ${ZIPALIGN}"
  echo "Used apksigner:            ${APKSIGNER}"
  echo "Provider config:           ${PROVIDER_CONFIG}"
  echo "Minimum SDK verifiability: ${MIN_SDK_VERSION}"
fi

if [[ "${JUST_CHECK}" = "y" ]]; then
  echo
  echo "Terminating here because --check was used"
  exit
fi

# For better readability, print an empty line
echo

# Check if we have a changelog file for that version
if [[ ! -f "./fastlane/metadata/android/en-US/changelogs/$version_code.txt" ]]; then
    echo "Warning: No changelog item for $version_code"
fi

if [[ "${SKIP_BUILD}" = "y" ]]; then
  echo "Skipping build because of --skip-build"
else
  # Create the directory
  [[ -d "${release_dir}" ]] && echo "Warning: Release directory ${release_dir} already exists"
  mkdir "${release_dir}" || true

  if [[ "${CLEAN_BUILD}" = "y" ]]; then
    # Clean flutter build
    $FLUTTER clean
  fi

  # Get dependencies
  $FLUTTER pub get

  # Build everything again
  $FLUTTER pub run build_runner build --delete-conflicting-outputs

  # Build pigeons
  for pigeon in $PIGEON_FILES; do
    $FLUTTER run pigeon --input $pigeon
  done

  # Build the release apk
  $FLUTTER build apk \
    --release \
    --split-per-abi \
    --split-debug-info="${release_dir}/debug-info"
fi

# If we have to sign, ask for the PIN upfront
if [[ "$ALREADY_SIGNED" = "n" ]]; then
  [[ "${SEND_NOTIFICATION}" = "y" ]] && ${NOTIFY_SEND} \
    --urgency normal \
    --app-name "Flutter Build" \
    --icon dialog-password \
    "Signing PIN required" \
    "The build is done and the PIN for manually signing the APKs must be entered"

  # Thanks https://geoffreymetais.github.io/code/key-signing/#scripting
  echo "Please enter Yubikey PIN code "
  stty -echo
  trap 'stty echo' EXIT
  read -p 'PIN: ' YUBI_PIN
  stty echo
  trap - EXIT
fi

# Move everything
for platform in arm64-v8a armeabi-v7a x86_64; do
  echo "Processing the $platform release..."

  raw_apk="build/app/outputs/flutter-apk/app-${platform}-release.apk"
  if [[ "$ALREADY_SIGNED" = "y" ]]; then
    # Simply copy artifacts
    cp -f "$raw_apk" "${release_dir}/${NAME}-${platform}-release.apk"
  else
    # https://developer.android.com/build/building-cmdline#sign_cmdline
    aligned_apk="${release_dir}/app-${platform}-release-aligned.apk"
    signed_apk="${release_dir}/app-${platform}-release.apk"
    ${ZIPALIGN} -p 4 "$raw_apk" "${aligned_apk}"

    # NOTE: "-J-add-exports jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED" tells the wrapper that is
    #       `apksigner` to append "--add-exports jdk.[...]" as a parameter to the Java CLI. It is in
    #       quotation marks such that it is passed with only one (1) dash (it would otherwise be "--add-exports -jdk.[...]",
    #       which is wrong).
    #       At least on NixOS, apksigner refuses to use the sun.security.pkcs11.SunPKCS11 provider because
    #       it is not exported for its unnamed class. So, we have to do a little trickery to "export" the
    #       class to apksigner.
    ${APKSIGNER} "-J-add-exports jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED" sign \
      --ks NONE \
      --ks-pass "pass:$YUBI_PIN" \
      --provider-class sun.security.pkcs11.SunPKCS11 \
      --provider-arg "${PROVIDER_CONFIG}" \
      --ks-type PKCS11 \
      --min-sdk-version "${MIN_SDK_VERSION}" \
      --max-sdk-version 34 \
      --in "${aligned_apk}" \
      --out "${signed_apk}" \
      --v1-signing-enabled \
      --v2-signing-enabled \
      --v3-signing-enabled \
      --v4-signing-enabled

    # Safety check
    ${APKSIGNER} verify --min-sdk-version "${MIN_SDK_VERSION}" "${signed_apk}"

    # Remove temporary artifact
    rm "${aligned_apk}"
  fi
done

# Prevent leaking the PIN
unset YUBI_PIN