#!/usr/bin/env bash
set -euo pipefail

# Default configuration (override via env vars).
BASE_URL="${BASE_URL:-https://participant.be.dataprovider01.sandbox-cat-dat.simpl-europe.eu}"
AUTH_BASE="${AUTH_BASE:-${BASE_URL}/auth}"
REALM="${REALM:-participant}"
USERNAME="${USERNAME:-${REGISTRY_USERNAME:-}}"
PASSWORD="${PASSWORD:-${REGISTRY_PASSWORD:-}}"
CLIENT_ID="${CLIENT_ID:-frontend-cli}"
WORKFLOW_URL="${WORKFLOW_URL:-${BASE_URL}/asset-orchestrator/v1/workflowDefinitions}"
ONLY_ACTIVE="${ONLY_ACTIVE:-true}"

TOKEN_URL="${AUTH_BASE}/realms/${REALM}/protocol/openid-connect/token"

error() {
  printf "%s\n" "$1" >&2
}

command -v jq >/dev/null 2>&1 || {
  error "jq is required"
  exit 1
}

TOKEN_RESPONSE=$(curl -sS -X POST "${TOKEN_URL}" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "username=${USERNAME}" \
  --data-urlencode "password=${PASSWORD}")

ACCESS_TOKEN=$(printf '%s' "$TOKEN_RESPONSE" | jq -r '.access_token // empty')

if [ -z "${USERNAME:-}" ] || [ -z "${PASSWORD:-}" ]; then
  error "USERNAME/PASSWORD (or REGISTRY_USERNAME/REGISTRY_PASSWORD) must be set"
  exit 1
fi

if [ -z "$ACCESS_TOKEN" ]; then
  error "Failed to obtain access token"
  exit 1
fi

TMP_BODY=$(mktemp)
trap 'rm -f "$TMP_BODY"' EXIT

HTTP_STATUS=$(curl -sS -o "$TMP_BODY" -w "%{http_code}" \
  -X GET --get "${WORKFLOW_URL}" \
  --data-urlencode "onlyActive=${ONLY_ACTIVE}" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H "Accept: application/json")

BODY=$(cat "$TMP_BODY")

if [ "$HTTP_STATUS" -lt 200 ] || [ "$HTTP_STATUS" -ge 300 ]; then
  error "Workflow API call failed with HTTP ${HTTP_STATUS}"
  exit 1
fi

# Remove invalid ASCII control chars except TAB/LF/CR, then extract unique job names.
printf '%s' "$BODY" \
  | tr -d '\000-\010\013\014\016-\037' \
  | jq -r '.. | objects | .jobName? // empty' \
  | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
  | awk 'length($0) > 0 && !seen[$0]++'