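#!@runtimeShell@
## Wrapper that translates --sane-sandbox-* options (given on the command line
## or read from named profile files) into firejail flags, then execs the
## wrapped command under firejail.
##
## The @name@ tokens (@runtimeShell@, @profileDirs@, @firejailProfileDirs@,
## @firejail@) look like placeholders substituted when the script is built.
##
## Environment:
##   SANE_SANDBOX_DEBUG    non-empty: enable `set -x` tracing and debug output
##   SANE_SANDBOX_DISABLE  non-empty: exec the command directly, with NO
##                         sandbox. Anything able to set this variable in the
##                         wrapper's environment (or to pass
##                         --sane-sandbox-disable) bypasses the sandbox.

test -n "$SANE_SANDBOX_DEBUG" && set -x

cliArgs=()
name=
firejailProfile=
rootPaths=()
homePaths=()
net=
dns=()
firejailFlags=()
## initialized once here (not inside parseArgs) so that a nested parseArgs
## call made while loading a profile cannot discard words already collected
parseArgsExtra=()

## print a debug message to stderr when SANE_SANDBOX_DEBUG is set
## $1 - message text
debug() {
  if [ -n "$SANE_SANDBOX_DEBUG" ]; then
    printf '[debug] %s\n' "$1" >&2
  fi
}

## read a profile file and parse its whitespace-separated words as arguments
## $1 - path to the profile file
loadProfileByPath() {
  _profArgs=()
  # Split on whitespace WITHOUT pathname expansion: a profile word such as
  # `/some/dir/*` must reach parseArgs literally instead of being expanded
  # against the filesystem at launch time.
  # `read -d ''` returns non-zero at end-of-file; the array is still filled.
  read -r -d '' -a _profArgs < "$1" || true
  parseArgs "${_profArgs[@]}"
}

## locate and load the sane-sandbox profile called $1, and (if no firejail
## profile has been chosen yet) a firejail profile of the same name
## $1 - profile name; also becomes $name if $name is still empty
## NOTE(review): $1 is used unvalidated as a path component, so a value
## containing `/` or `..` resolves outside the profile directories.
tryLoadProfileByName() {
  if [ -z "$name" ]; then
    name="$1"
  fi

  _profileDirs=(@profileDirs@)
  for _profileDir in "${_profileDirs[@]}"; do
    _profile="$_profileDir/$1.profile"
    debug "try profile at path: '$_profile'"
    if [ -f "$_profile" ]; then
      # first matching directory wins
      loadProfileByPath "$_profile"
      break
    fi
  done

  if [ -z "$firejailProfile" ]; then
    _fjProfileDirs=(@firejailProfileDirs@)
    for _fjProfileDir in "${_fjProfileDirs[@]}"; do
      _fjProfile="$_fjProfileDir/$1.profile"
      debug "try firejail profile at path: '$_fjProfile'"
      if [ -f "$_fjProfile" ]; then
        # no `break` here: the LAST matching directory wins, unlike the loop
        # above. NOTE(review): confirm this asymmetry is intended.
        firejailProfile="$_fjProfile"
      fi
    done
  fi
}

## parse CLI args into the variables declared above
## args not intended for this helper are appended to $parseArgsExtra
parseArgs() {
  while [ "$#" -ne 0 ]; do
    _arg="$1"
    shift
    case "$_arg" in
      (--)
        # rest of args are for the CLI; append them as separate words
        # (a bare `+=$@` would glue them onto element 0 as one string)
        parseArgsExtra+=("$@")
        break
        ;;
      (--sane-sandbox-debug)
        SANE_SANDBOX_DEBUG=1
        set -x
        ;;
      (--sane-sandbox-disable)
        SANE_SANDBOX_DISABLE=1
        ;;
      (--sane-sandbox-dns)
        dns+=("$1")
        shift
        ;;
      (--sane-sandbox-firejail-arg)
        # passed to firejail verbatim: can add or relax any restriction
        firejailFlags+=("$1")
        shift
        ;;
      (--sane-sandbox-net)
        net="$1"
        shift
        ;;
      (--sane-sandbox-home-path)
        homePaths+=("$1")
        shift
        ;;
      (--sane-sandbox-path)
        rootPaths+=("$1")
        shift
        ;;
      (--sane-sandbox-profile)
        tryLoadProfileByName "$1"
        shift
        ;;
      (*)
        parseArgsExtra+=("$_arg")
        ;;
    esac
  done
}

parseArgs "$@"
# append word-by-word so the command and each of its arguments stay separate
cliArgs+=("${parseArgsExtra[@]}")

# sandbox explicitly disabled: run the command unconfined
test -n "$SANE_SANDBOX_DISABLE" && exec "${cliArgs[@]}"

## construct firejail flags from sane-sandbox flags
for _path in "${rootPaths[@]}"; do
  firejailFlags+=("--noblacklist=$_path" "--whitelist=$_path")
done
for _path in "${homePaths[@]}"; do
  # '${HOME}/' is single-quoted on purpose: the literal text ${HOME} is handed
  # to firejail rather than being expanded by this shell
  firejailFlags+=("--noblacklist="'${HOME}/'"$_path" "--whitelist="'${HOME}/'"$_path")
done
if [ -n "$net" ]; then
  firejailFlags+=("--net=$net")
fi
for _addr in "${dns[@]}"; do
  firejailFlags+=("--dns=$_addr")
done
if [ -n "$name" ]; then
  firejailFlags+=("--join-or-start=$name")
fi
# order matters: customizations (i.e. the above) must be before --profile
if [ -n "$firejailProfile" ]; then
  firejailFlags+=("--profile=$firejailProfile")
fi

# @firejail@ is appended, so a `firejail` found earlier on the inherited PATH
# takes precedence over it.
# NOTE(review): presumably deliberate so a system-provided wrapper is
# preferred; confirm, since it also means the caller's PATH decides which
# binary enforces the sandbox.
PATH="$PATH:@firejail@" exec firejail "${firejailFlags[@]}" -- "${cliArgs[@]}"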