#! /bin/bash

set -e
set -o pipefail
set -u

export SCRIPTVARS=/srv/security-master.debian.org/dak/config/debian-security/vars
. $SCRIPTVARS

# And use one locale, no matter what the caller has set
export LANG=C
export LC_ALL=C

report=$queuedir/REPORT
reportdis=$queuedir/REPORT.disembargo
timestamp=$(date "+%Y-%m-%d %H:%M")
doanything=false
dopolicy=false
LOCKFILE="$lockdir/unchecked.lock"

last_changed() {
    psql -qAtc "SELECT MAX(last_changed) FROM suite WHERE archive_id=(SELECT id FROM archive WHERE name='$1')"
}

cleanup() {
    rm -f "$LOCKFILE"
}

if ! lockfile -r8 "$LOCKFILE"; then
    echo "aborting cron.unchecked because $LOCKFILE has already been locked"
    exit 0
fi
trap cleanup EXIT

old_last_changed=$(last_changed security)
old_last_changed_build=$(last_changed build-queues)

cd $unchecked
rsync -rtq --safe-links --chmod=F640,D755 --remove-source-files rsync-from-security-upload-master:/does/not/matter . || true
changes=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.changes | sed -e "s,./,," | xargs)
if [ -n "$changes" ]; then
    doanything=true
    echo "$timestamp": ${changes:-"Nothing to do in unchecked"}  >> $report
    dak process-upload -a -d "$unchecked" >> $report
fi

cd $disembargo
changes=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.changes | sed -e "s,./,," | xargs)
if [ -n "$changes" ]; then
    doanything=true
    echo "$timestamp": ${changes:-"Nothing to do in disembargo"}  >> $reportdis
    dak process-upload -a -d "$disembargo" >> $reportdis
fi

for queue in embargoed unembargoed; do
    echo "$timestamp: processing ${queue}" >> ${report}
    dak process-policy ${queue} | mail -a "X-Debian: DAK" -e -s "Automatically accepted from ${queue}" -a "From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>" team@security.debian.org
done
accepted=$(find ${queuedir}/accepted -type f -name "*.changes")
if [ -n "${accepted}" ]; then
    dopolicy=true
fi

# sync accepted files to ftpmaster
sync-accepted() {
    cd ${base}
    rsync --recursive --times --partial --remove-source-files \
          ${queuedir}/accepted/ rsync-to-ssh.upload.debian.org:/does/not/matter
}
if [ -n "${accepted}" ]; then
    sync-accepted || :
fi

# export policy queues
for queue in embargoed; do
    cd ${queuedir}/${queue}
    rm -rf export.new
    mkdir export.new
    dak export -q ${queue} -d export.new --all
    rsync -a --delete export.new/. export/.
    rm -rf export.new
    cd ${base}
done

if [ "${doanything}" = "false" ] && [ "${dopolicy}" = "false" ]; then
    echo "$timestamp": Nothing to do >> $report
    exit 0
fi

# Update stable-kfreebsd
dak update-suite oldstable oldstable-kfreebsd

# manage build queues
dak manage-build-queues -a

# clean policy and build queues to remove files from rejected uploads
dak clean-suites -a new,policy,build-queues

# publish updates build queues
dak generate-packages-sources2 -a build-queues
dak generate-releases -a build-queues >/dev/null
${scriptsdir}/update-buildd-archive ${base}/build-queues ${incoming}/debian-security-buildd
$configdir/cron.buildd

new_last_changed=$(last_changed security)
new_last_changed_build=$(last_changed build-queues)

if [[ "${old_last_changed_build}" != "${new_last_changed_build}" ]]; then
    sudo -u archvsync runmirrors -a security-buildd-pool
fi

if [[ "${old_last_changed}" != "${new_last_changed}" ]]; then
    # We had something approved from a policy queue, push out new archive
    dak dominate
    cd $configdir
    $configdir/map.sh
    dak generate-packages-sources2 -a security
    dak generate-releases -a security >/dev/null
    /srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh >/dev/null
    sudo -u archvsync runmirrors -a security
fi

cleanup
trap - EXIT