#!/usr/bin/env python3
"""
Generate a MySQL query to update admin (or any user) password in plg_user_credentials.
Uses the same bcrypt hashing as the app, so the new password will work at login.

Usage:
  python scripts/update_admin_password_mysql.py
    # Prompts for username (default: admin) and password, prints MySQL.

  python scripts/update_admin_password_mysql.py --username admin --password 'YourNewPassword'
    # Prints MySQL for user 'admin' with the given password.

Then run the printed SQL in your MySQL client, e.g.:
  mysql -h HOST -P PORT -u USER -p DB_NAME -e "PASTE_QUERY_HERE"
"""

import argparse
import getpass
import sys

# Use same hashing as auth_service (passlib bcrypt)
try:
    from passlib.context import CryptContext
    pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
except ImportError:
    print("Install passlib and bcrypt: pip install 'passlib[bcrypt]'", file=sys.stderr)
    sys.exit(1)


def main():
    parser = argparse.ArgumentParser(
        description="Generate MySQL to set/update a user password in plg_user_credentials"
    )
    parser.add_argument("--username", "-u", default="admin", help="Username (default: admin)")
    parser.add_argument("--password", "-p", default=None, help="New password (will prompt if not set)")
    args = parser.parse_args()

    username = (args.username or "admin").strip()
    if not username:
        print("Username cannot be empty", file=sys.stderr)
        sys.exit(1)

    password = args.password
    if password is None:
        password = getpass.getpass(f"New password for '{username}': ")
        password_confirm = getpass.getpass("Confirm password: ")
        if password != password_confirm:
            print("Passwords do not match", file=sys.stderr)
            sys.exit(1)
    if len(password) < 6:
        print("Password must be at least 6 characters", file=sys.stderr)
        sys.exit(1)

    # Escape single quotes in hash for use inside MySQL single-quoted string
    password_hash = pwd_context.hash(password)
    escaped_hash = password_hash.replace("\\", "\\\\").replace("'", "\\'")

    # One query works for both insert (new) and update (existing)
    sql = (
        "INSERT INTO plg_user_credentials (username, password_hash)\n"
        f"  VALUES ('{username}', '{escaped_hash}')\n"
        "ON DUPLICATE KEY UPDATE password_hash = VALUES(password_hash);"
    )

    print("\n-- Run this in MySQL to set the password for", username)
    print("-- (Same DB as your app, e.g. boundary / LRS43)\n")
    print(sql)
    print()
    print("-- Example: mysql -h HOST -P PORT -u USER -p DB_NAME -e \"...\"")
    return 0


if __name__ == "__main__":
    sys.exit(main())