roa2web-service-auto/scripts/restore-secrets.sh

#!/bin/bash
# ============================================================================
# ROA2WEB - Restore Environment Secrets (From Encrypted Backup)
# ============================================================================
# This script restores .env files from encrypted backups
# Usage:
#   ./scripts/restore-secrets.sh [backup-date]   # Interactive (prompts for password)
#   BACKUP_PASSWORD="your-pass" ./scripts/restore-secrets.sh [backup-date]  # Non-interactive
#
# Example: ./scripts/restore-secrets.sh 2025-01-15_10-30-00
#          ./scripts/restore-secrets.sh (uses latest backup)

set -e

# Colors for output
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

echo -e "${GREEN}=== ROA2WEB Secrets Restore Tool ===${NC}"
echo ""

# Check if openssl is installed
if ! command -v openssl &> /dev/null; then
    echo -e "${RED}Error: openssl is not installed${NC}"
    echo "Install with: sudo apt-get install openssl"
    exit 1
fi

# Check if secrets-backup directory exists
if [ ! -d "secrets-backup" ]; then
    echo -e "${RED}Error: No backups found${NC}"
    echo "Run ./scripts/backup-secrets.sh first"
    exit 1
fi

# Determine which backup to use
if [ -z "$1" ]; then
    # Use latest backup
    BACKUP_DATE=$(ls -t secrets-backup | head -1)
    echo -e "${YELLOW}Using latest backup: ${BACKUP_DATE}${NC}"
else
    BACKUP_DATE="$1"
    echo -e "${YELLOW}Using specified backup: ${BACKUP_DATE}${NC}"
fi

BACKUP_DIR="secrets-backup/${BACKUP_DATE}"

# Check if backup exists
if [ ! -d "$BACKUP_DIR" ]; then
    echo -e "${RED}Error: Backup not found: ${BACKUP_DIR}${NC}"
    echo ""
    echo "Available backups:"
    ls -1 secrets-backup
    exit 1
fi

echo ""
echo -e "${BLUE}Backup location: ${BACKUP_DIR}${NC}"
echo ""

# List encrypted files in backup
ENCRYPTED_FILES=()
ENCRYPTED_DIRS=()

for file in "${BACKUP_DIR}"/*.enc; do
    if [ -f "$file" ]; then
        filename=$(basename "$file")
        # Check if it's a tar archive (directory backup)
        if [[ "$filename" == *.tar.enc ]]; then
            ENCRYPTED_DIRS+=("$file")
        else
            ENCRYPTED_FILES+=("$file")
        fi
    fi
done

if [ ${#ENCRYPTED_FILES[@]} -eq 0 ] && [ ${#ENCRYPTED_DIRS[@]} -eq 0 ]; then
    echo -e "${RED}Error: No encrypted files found in backup${NC}"
    exit 1
fi

echo "Found in backup:"
if [ ${#ENCRYPTED_FILES[@]} -gt 0 ]; then
    echo "  📄 ${#ENCRYPTED_FILES[@]} environment file(s):"
    for file in "${ENCRYPTED_FILES[@]}"; do
        echo "     - $(basename "$file")"
    done
fi
if [ ${#ENCRYPTED_DIRS[@]} -gt 0 ]; then
    echo "  📁 ${#ENCRYPTED_DIRS[@]} directory archive(s):"
    for file in "${ENCRYPTED_DIRS[@]}"; do
        echo "     - $(basename "$file")"
    done
fi
echo ""

# Ask for confirmation
echo -e "${YELLOW}⚠️  This will overwrite existing .env files!${NC}"
read -p "Continue? (y/N): " -n 1 -r
echo ""

if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    echo "Restore cancelled"
    exit 0
fi

# Get password
if [ -z "$BACKUP_PASSWORD" ]; then
    echo ""
    echo -e "${YELLOW}Enter decryption password:${NC}"
    read -s BACKUP_PASSWORD
    echo ""

    if [ -z "$BACKUP_PASSWORD" ]; then
        echo -e "${RED}Error: Password cannot be empty${NC}"
        exit 1
    fi
fi

echo ""

# Counter for restored files
RESTORED=0
FAILED=0

# Restore each file
for encrypted_file in "${ENCRYPTED_FILES[@]}"; do
    filename=$(basename "$encrypted_file" .enc)

    # Determine target path based on filename
    if [[ "$filename" == "backend-.env" ]]; then
        target="backend/.env"
    elif [[ "$filename" == "backend-.env.prod" ]]; then
        target="backend/.env.prod"
    elif [[ "$filename" == "telegram-bot-.env" ]]; then
        target="backend/modules/telegram/.env"
    elif [[ "$filename" == "telegram-bot-.env.prod" ]]; then
        target="backend/modules/telegram/.env.prod"
    else
        echo -e "${YELLOW}Skipping unknown file: $filename${NC}"
        continue
    fi

    echo -e "Decrypting: ${GREEN}$filename${NC}"
    echo -e "  Target: $target"

    # Create target directory if needed
    mkdir -p "$(dirname "$target")"

    # Decrypt
    if echo "$BACKUP_PASSWORD" | openssl enc -aes-256-cbc -d -pbkdf2 \
        -in "$encrypted_file" -out "$target" -pass stdin 2>/dev/null; then
        echo -e "  ✅ Restored successfully"
        RESTORED=$((RESTORED + 1))
    else
        echo -e "  ${RED}❌ Failed to decrypt (wrong password?)${NC}"
        FAILED=$((FAILED + 1))
    fi
    echo ""
done

# Restore directory archives
for encrypted_file in "${ENCRYPTED_DIRS[@]}"; do
    filename=$(basename "$encrypted_file" .enc)
    dir_name=$(basename "$filename" .tar)

    echo -e "Decrypting directory: ${GREEN}$dir_name${NC}"
    echo -e "  Target: $dir_name/"

    # Decrypt and extract tar archive
    if openssl enc -aes-256-cbc -d -pbkdf2 \
        -in "$encrypted_file" -pass pass:"$BACKUP_PASSWORD" 2>/dev/null | tar -xf - 2>/dev/null; then
        echo -e "  ✅ Restored successfully"
        RESTORED=$((RESTORED + 1))

        # Count restored files
        file_count=$(find "$dir_name" -type f 2>/dev/null | wc -l)
        echo -e "  📁 Extracted ${file_count} file(s)"
    else
        echo -e "  ${RED}❌ Failed to decrypt/extract (wrong password?)${NC}"
        FAILED=$((FAILED + 1))
    fi
    echo ""
done

echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
if [ $FAILED -eq 0 ]; then
    echo -e "${GREEN}✅ Restore completed successfully${NC}"
else
    echo -e "${YELLOW}⚠️  Restore completed with errors${NC}"
fi
echo ""
echo "📊 Summary:"
echo "  - Restored: ${RESTORED} files"
echo "  - Failed: ${FAILED} files"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"