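#!/usr/bin/env python3
"""SSO SYSTEMIC FIXER — scans ALL nginx, fixes ALL gaps globally

Walks every regular file under /etc/nginx/sites-enabled/ that already
mentions both ``auth_request`` and ``goauthentik`` and inserts whichever of
the expected outpost directives are missing. When at least one file was
edited, the result is validated with ``nginx -t`` and nginx is reloaded.

Operational notes:

* Detection and insertion are exact substring matches. The literals below
  (including their leading whitespace) must match the deployed configs
  byte-for-byte, otherwise a file is silently skipped.
* Every file that reaches the edit stage ends up with the immutable
  attribute set (``chattr +i``), whether or not it had it before.
* If ``nginx -t`` does not pass, the edited files are restored to the text
  read at the start of the run, so no unvalidated config is left on disk
  for the next nginx restart to pick up.
"""
import glob
import os
import re
import subprocess as sp

fixes = []


def lg(m):
    """Print one progress line, flushed so output is not lost if the run dies."""
    print(m, flush=True)


lg("SSO SYSTEMIC FIXER — scanning ALL nginx configs")

# Location blocks that forward to the outpost on 127.0.0.1:9090. None of them
# carries an auth_request of its own.
# NOTE(review): confirm the protected application serves nothing under the
# same prefixes; once inserted, nginx sends those paths to the outpost.
# NOTE(review): X-Forwarded-Proto is hard-coded to https, which assumes TLS is
# always terminated by this nginx - confirm.
API_BLOCK=" location /api/v3/ {\n proxy_pass http://127.0.0.1:9090;\n proxy_set_header Host $host;\n proxy_set_header X-Forwarded-Proto https;\n }\n"
APP_BLOCK=" location /application/ {\n proxy_pass http://127.0.0.1:9090;\n proxy_set_header Host $host;\n proxy_set_header X-Forwarded-Proto https;\n }\n"
CB_BLOCK=" location /outpost.goauthentik.io/callback {\n proxy_pass http://127.0.0.1:9090/outpost.goauthentik.io/callback;\n proxy_redirect off;\n proxy_set_header Host $host;\n proxy_set_header X-Forwarded-Proto https;\n }\n"
# COOKIE_NEW starts with COOKIE_OLD, so the swap is only done while the file
# has no auth_request_set at all; otherwise a re-run would stack duplicates.
COOKIE_NEW="auth_request /outpost.goauthentik.io/auth/nginx;\n auth_request_set $auth_cookie $upstream_http_set_cookie;\n add_header Set-Cookie $auth_cookie;"
COOKIE_OLD="auth_request /outpost.goauthentik.io/auth/nginx;"
# New location blocks are inserted immediately before this line.
ANCHOR=" location /flows/ {"
OUTPOST_LOCATION=" location /outpost.goauthentik.io {"


def plan_fixes(text):
    """Return ``(patched_text, labels)`` for one config file's contents.

    Pure string transformation, no I/O. ``labels`` lists the fixes applied,
    in order, using the same suffixes the run summary prints
    (``+/api/v3/``, ``+/application/``, ``+callback``, ``+cookie``).
    A text without ANCHOR is returned unchanged with no labels. Every
    occurrence of a matched literal is replaced, not only the first.
    """
    applied = []
    if ANCHOR not in text:
        return text, applied
    if "/api/v3/" not in text:
        text = text.replace(ANCHOR, API_BLOCK + ANCHOR)
        applied.append("+/api/v3/")
    if "/application/" not in text:
        text = text.replace(ANCHOR, APP_BLOCK + ANCHOR)
        applied.append("+/application/")
    needs_callback = (
        "/outpost.goauthentik.io/callback" not in text
        and "outpost.goauthentik.io" in text
    )
    if needs_callback and OUTPOST_LOCATION in text:
        text = text.replace(OUTPOST_LOCATION, CB_BLOCK + OUTPOST_LOCATION)
        applied.append("+callback")
    if "auth_request_set" not in text and COOKIE_OLD in text:
        text = text.replace(COOKIE_OLD, COOKIE_NEW)
        applied.append("+cookie")
    return text, applied


def _set_immutable(path, enabled):
    """Set (``+i``) or clear (``-i``) the immutable attribute, best effort."""
    # Argument list instead of a shell string: the path comes from a directory
    # listing, and a name containing spaces or shell metacharacters must never
    # be interpreted by a shell in a script that edits web-server configs.
    try:
        sp.run(["chattr", "+i" if enabled else "-i", path],
               stderr=sp.DEVNULL, check=False)
    except OSError:
        # chattr unavailable: stay silent, as the old `2>/dev/null` did.
        pass


def _restore(path, text):
    """Write *text* back to *path*, unlocking before and relocking after."""
    _set_immutable(path, False)
    try:
        with open(path, "w") as fh:
            fh.write(text)
    finally:
        _set_immutable(path, True)


# path -> contents as read, for every file rewritten in this run
originals = {}

for nf in sorted(glob.glob("/etc/nginx/sites-enabled/*")):
    if not os.path.isfile(nf):
        continue
    with open(nf) as fh:
        c = fh.read()
    # Only touch sites that already sit behind the authentik forward-auth.
    if "auth_request" not in c or "goauthentik" not in c:
        continue
    fname = os.path.basename(nf)
    _set_immutable(nf, False)
    try:
        if ANCHOR not in c:
            # Nothing can be inserted without the anchor; relock and move on.
            continue
        patched, applied = plan_fixes(c)
        if applied:
            with open(nf, "w") as fh:
                fh.write(patched)
            originals[nf] = c
            fixes.extend(f"{fname}: {label}" for label in applied)
            lg(f" FIXED: {fname}")
        else:
            lg(f" OK: {fname}")
    finally:
        # Relock even if the write raised, so a failure never leaves a
        # config writable that was meant to be locked.
        _set_immutable(nf, True)

if fixes:
    try:
        r = sp.run(["nginx", "-t"], capture_output=True, text=True, timeout=5)
        # Trust the exit status, not the wording of the message.
        valid, detail = r.returncode == 0, r.stderr
    except (OSError, sp.TimeoutExpired) as exc:
        valid, detail = False, str(exc)
    if valid:
        reload_result = sp.run(["systemctl", "reload", "nginx"], timeout=5)
        if reload_result.returncode == 0:
            lg(f"Nginx reloaded. {len(fixes)} fixes applied.")
        else:
            lg(f"NGINX RELOAD FAILED: systemctl exited {reload_result.returncode}")
    else:
        lg(f"NGINX ERROR: {detail[:80]}")
        # Do not leave configs that failed validation on disk.
        for path, text in originals.items():
            _restore(path, text)
        lg(f"Rolled back {len(originals)} file(s); nginx was not reloaded.")
else:
    lg("All configs OK. 0 fixes needed.")
for f in fixes:
    lg(f" {f}")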