#!/usr/bin/env bash
# kp-get.sh — 安全从 KeePassXC 数据库获取条目属性
# 用法: ./kp-get.sh "Entry Title" [Password|UserName|URL]
#
# 主密码优先级:
#   1. KEEPASS_MASTER 环境变量
#   2. 系统密钥环 (secret-tool, Linux desktop)
#   3. GPG 加密文件 (~/.keepass/.master.gpg)
#   4. 交互输入

set -euo pipefail

DB="${KEEPASS_DB:-$HOME/.keepass/passwords.kdbx}"
ENTRY="${1:?用法: $0 \"Entry Title\" [Password|UserName|URL]}"
ATTR="${2:-Password}"

if [[ -z "${KEEPASS_MASTER:-}" ]]; then
  KEEPASS_MASTER="$(secret-tool lookup service keepassxc account default 2>/dev/null || true)"
fi

if [[ -z "${KEEPASS_MASTER:-}" && -f "$HOME/.keepass/.master.gpg" ]]; then
  KEEPASS_MASTER="$(gpg -q -d "$HOME/.keepass/.master.gpg" 2>/dev/null || true)"
fi

if [[ -z "${KEEPASS_MASTER:-}" && -f "$HOME/.keepass/.master.enc" ]]; then
  KEEPASS_MASTER="$(openssl enc -d -aes-256-cbc -pbkdf2 -in "$HOME/.keepass/.master.enc" 2>/dev/null || true)"
fi

if [[ -z "${KEEPASS_MASTER:-}" && -f "$HOME/.keepass/.master" ]]; then
  KEEPASS_MASTER="$(cat "$HOME/.keepass/.master")"
fi

if [[ -z "${KEEPASS_MASTER:-}" ]]; then
  read -rsp "Master password: " KEEPASS_MASTER
  echo
fi

echo "$KEEPASS_MASTER" | keepassxc-cli show -q "$DB" "$ENTRY" -a "$ATTR"