#!/usr/bin/env bash
# Strict mode: stop on a failing command, on use of an unset variable, and on
# a failure in any stage of a pipeline.
set -o errexit -o nounset -o pipefail

# Tag attached to every syslog entry written through logger(1).
LOG_TAG='harresi-https-time-sync'

# Oldest timestamp accepted from a server (2024-01-01T00:00:00Z). Anything
# earlier is treated as invalid instead of being applied to the clock.
MIN_EPOCH='1704067200'

# Differences of up to this many seconds are left alone rather than stepped.
MAX_DRIFT_SECONDS='2'

# Time sources, tried in order; the first one that yields a valid time is used.
# NOTE(review): the hosts are IP literals, so no DNS lookup is involved; TLS
# verification then depends on the server certificate covering these
# addresses. Certificate validation also needs a roughly correct local clock,
# so a badly wrong clock may make every source fail. Confirm this is the
# intended behaviour on first boot.
URLS=(
  'https://1.1.1.1/cdn-cgi/trace'
  'https://1.1.1.1/'
  'https://1.0.0.1/cdn-cgi/trace'
  'https://1.0.0.1/'
)

#######################################
# Write one message to stdout with a timestamp prefix and mirror it to syslog.
# Globals:   LOG_TAG (read)
# Arguments: $1 - message text
# Outputs:   "[<timestamp>] <message>" on stdout
# Returns:   0 even when syslog delivery fails
#######################################
log() {
  local message="$1"
  local stamp

  # Prefer ISO-8601; fall back to the default format where -I is unsupported.
  stamp="$(date -Iseconds 2>/dev/null || date)" || true
  printf '[%s] %s\n' "$stamp" "$message"

  # Syslog is best-effort: a missing or failing logger must not abort the
  # script under errexit.
  if ! logger -t "$LOG_TAG" -- "$message" 2>/dev/null; then
    return 0
  fi
}

#######################################
# Abort unless the script runs with effective UID 0.
# Globals:   EUID (read; falls back to `id -u` when unset)
# Outputs:   a log line when the check fails
# Returns:   0 when root; otherwise exits the script with status 1
#######################################
require_root() {
  local uid
  uid="${EUID:-$(id -u)}"

  if [ "$uid" -eq 0 ]; then
    return 0
  fi

  log "Este servicio debe ejecutarse como root"
  exit 1
}

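#######################################
# Fetch only the response headers with curl and print the value of the first
# Date header.
# Arguments: $1 - URL to query
# Outputs:   the Date header value (without trailing CR) on stdout, or nothing
# Returns:   status of the pipeline; callers are expected to tolerate failure
#######################################
date_header_with_curl() {
  local url="$1"
  # The field name is matched through tolower() instead of the gawk-only
  # IGNORECASE variable: other awk implementations ignore IGNORECASE, and
  # HTTP/2 responses carry lowercase field names ("date:"), which would then
  # never match. [ \t] is used instead of [[:space:]] for older awks.
  curl -sS -I --max-time 10 --connect-timeout 5 "$url" 2>/dev/null \
    | awk '
        {
          line = $0
          sub(/\r$/, "", line)
        }
        tolower(line) ~ /^date:/ {
          sub(/^[^:]*:[ \t]*/, "", line)
          print line
          exit
        }'
}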

#######################################
# Download the response body of a URL with curl.
# Arguments: $1 - URL to fetch
# Outputs:   the body on stdout (possibly empty or partial on failure)
# Returns:   always 0; transfer errors are deliberately ignored so that the
#            caller can fall back to another client or source
#######################################
trace_body_with_curl() {
  local url="$1"
  local -a curl_opts=(-sS --max-time 10 --connect-timeout 5)

  if ! curl "${curl_opts[@]}" "$url" 2>/dev/null; then
    return 0
  fi
}

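#######################################
# Probe a URL with wget (no body download) and print the value of the first
# Date header found in its server-response output.
# Arguments: $1 - URL to query
# Outputs:   the Date header value (without trailing CR) on stdout, or nothing
# Returns:   status of the pipeline; callers are expected to tolerate failure
#######################################
date_header_with_wget() {
  local url="$1"
  # wget's diagnostics are merged into stdout (2>&1) so that the header lines
  # it reports can be scanned; leading blanks before the field name are
  # tolerated. The field name is matched through tolower() because the
  # gawk-only IGNORECASE variable has no effect in other awk implementations,
  # where a lowercase "date:" would otherwise be missed.
  wget --server-response --spider --timeout=10 --tries=1 "$url" 2>&1 \
    | awk '
        {
          line = $0
          sub(/\r$/, "", line)
        }
        tolower(line) ~ /^[ \t]*date:/ {
          sub(/^[^:]*:[ \t]*/, "", line)
          print line
          exit
        }'
}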

#######################################
# Download the response body of a URL with wget.
# Arguments: $1 - URL to fetch
# Outputs:   the body on stdout (possibly empty or partial on failure)
# Returns:   always 0; transfer errors are deliberately ignored so that the
#            caller can move on to the next source
#######################################
trace_body_with_wget() {
  local url="$1"
  local -a wget_opts=(-qO- --timeout=10 --tries=1)

  if ! wget "${wget_opts[@]}" "$url" 2>/dev/null; then
    return 0
  fi
}

#######################################
# Extract the whole-second part of the "ts" entry from key=value text.
# Inputs:    key=value lines on stdin
# Outputs:   the value of the first line whose key is "ts" (any letter case),
#            with carriage returns and everything from the first "." removed;
#            nothing when no such line exists
# Note:      the output is not checked to be numeric here; callers validate it.
#######################################
trace_body_to_epoch() {
  awk -F'=' '
    tolower($1) != "ts" { next }
    {
      value = $2
      gsub(/\r/, "", value)
      sub(/\..*/, "", value)
      print value
      exit
    }'
}

#######################################
# Obtain the "ts" epoch value from a URL's response body, trying curl first
# and wget second, and only using clients that are installed.
# Arguments: $1 - URL to fetch
# Outputs:   one line on stdout: the extracted value, or an empty line when
#            neither client produced one
# Returns:   0
#######################################
read_http_timestamp() {
  local url="$1"
  local epoch=""
  local client

  for client in curl wget; do
    if ! command -v "$client" >/dev/null 2>&1; then
      continue
    fi

    # Extraction failures are swallowed so that the next client is tried.
    case "$client" in
      curl) epoch="$(trace_body_with_curl "$url" | trace_body_to_epoch || true)" ;;
      wget) epoch="$(trace_body_with_wget "$url" | trace_body_to_epoch || true)" ;;
    esac

    if [ -n "$epoch" ]; then
      break
    fi
  done

  printf '%s\n' "$epoch"
}

#######################################
# Obtain the Date response header of a URL, trying curl first and wget second,
# and only using clients that are installed.
# Arguments: $1 - URL to query
# Outputs:   one line on stdout: the header value, or an empty line when
#            neither client produced one
# Returns:   0
#######################################
read_http_date() {
  local url="$1"
  local header=""
  local client

  for client in curl wget; do
    if ! command -v "$client" >/dev/null 2>&1; then
      continue
    fi

    # A failing client is not fatal; the next one gets its turn.
    case "$client" in
      curl) header="$(date_header_with_curl "$url" || true)" ;;
      wget) header="$(date_header_with_wget "$url" || true)" ;;
    esac

    if [ -n "$header" ]; then
      break
    fi
  done

  printf '%s\n' "$header"
}

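#######################################
# Convert an HTTP Date header value to seconds since the Unix epoch.
# Arguments: $1 - header value, e.g. "Mon, 01 Jan 2024 00:00:00 GMT"
# Outputs:   the epoch on stdout, or nothing when the value is rejected or
#            cannot be parsed
# Returns:   always 0
#######################################
date_header_to_epoch() {
  local header="$1"
  local -r imf_fixdate='^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), [0-9]{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} GMT$'

  # The header is server-supplied and ends up driving the system clock, while
  # `date -d` is a permissive parser that also accepts relative expressions
  # such as "now" or "tomorrow". Only the fixed-length HTTP date form is let
  # through; anything else is reported as "no usable date".
  if ! [[ "$header" =~ $imf_fixdate ]]; then
    return 0
  fi

  date -u -d "$header" +%s 2>/dev/null || true
}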

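#######################################
# Decide whether a string is an acceptable epoch timestamp.
# Globals:   MIN_EPOCH (read)
# Arguments: $1 - candidate value
# Returns:   0 when the value is a plain decimal integer without leading
#            zeros, at most 18 digits long, and not below MIN_EPOCH;
#            non-zero otherwise
#######################################
is_valid_epoch() {
  local epoch="$1"
  # Leading zeros are refused because the value is later used in shell
  # arithmetic, where a leading 0 means octal and would silently change the
  # number. The 18-digit cap keeps the value inside a signed 64-bit integer.
  local -r decimal_epoch='^[1-9][0-9]{0,17}$'

  [[ "$epoch" =~ $decimal_epoch ]] && [ "$epoch" -ge "$MIN_EPOCH" ]
}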

#######################################
# Print the absolute difference between two integers.
# Arguments: $1, $2 - integers
# Outputs:   |$1 - $2| on stdout
# Note:      both arguments are evaluated as shell arithmetic, so callers
#            must pass values that were already validated as plain integers.
#######################################
absolute_diff() {
  local left="$1"
  local right="$2"
  local delta=$((left - right))

  if ((delta < 0)); then
    delta=$((-delta))
  fi

  printf '%s\n' "$delta"
}

#######################################
# Step the system clock to the given epoch unless it is already close enough.
# Globals:   MAX_DRIFT_SECONDS (read)
# Arguments: $1 - target time, seconds since the Unix epoch (UTC)
# Outputs:   one log line describing what was done
# Returns:   0 on success; a failing `date -s` aborts the script under errexit
#
# NOTE(review): the size of the step is not bounded and the time comes from a
# single endpoint. A wrong clock affects certificate validation, token expiry
# and log timelines, so consider capping the step or cross-checking a second
# source before applying it.
#######################################
set_system_time() {
  local epoch="$1"
  local now
  local drift

  now="$(date -u +%s)"
  drift="$(absolute_diff "$epoch" "$now")"

  if ! [ "$drift" -le "$MAX_DRIFT_SECONDS" ]; then
    date -u -s "@$epoch" >/dev/null
    # Persisting to the hardware clock is best-effort (it may be absent).
    hwclock --systohc --utc >/dev/null 2>&1 || true
    log "Reloj sincronizado mediante HTTPS; drift aplicado ${drift}s"
  else
    log "Reloj ya sincronizado; drift ${drift}s"
    return 0
  fi
}

#######################################
# Entry point: walk the configured sources in order and set the clock from
# the first one that yields a valid time.
# Globals:   URLS (read)
# Outputs:   progress and error messages through log
# Returns:   never returns; exits 0 after the first successful source and 1
#            when every source failed (or when not running as root)
#######################################
main() {
  require_root

  local url
  local header
  local epoch

  for url in "${URLS[@]}"; do
    # First choice: the "ts" value from the response body.
    epoch="$(read_http_timestamp "$url")"

    if is_valid_epoch "$epoch"; then
      log "Timestamp obtenido desde $url: $epoch"
    else
      # Fallback: the Date response header, which has one-second resolution.
      header="$(read_http_date "$url")"
      if [ -z "$header" ]; then
        log "Sin timestamp ni cabecera Date desde $url"
        continue
      fi

      epoch="$(date_header_to_epoch "$header")"
      if ! is_valid_epoch "$epoch"; then
        log "Cabecera Date no valida desde $url: $header"
        continue
      fi

      log "Fecha obtenida desde $url: $header"
    fi

    set_system_time "$epoch"
    exit 0
  done

  log "No se pudo obtener una fecha valida mediante HTTPS desde 1.1.1.1/1.0.0.1"
  exit 1
}

# Run the script; the command-line arguments are forwarded to main, which
# does not read them.
main "$@"
