#!/usr/bin/env bash
set -euo pipefail

if [ -z "${RSA_PRIVATE_KEY_BASE64:-}" ]; then
  echo "RSA_PRIVATE_KEY_BASE64 is not set"
  exit 2
fi

# Try decode base64
if echo "$RSA_PRIVATE_KEY_BASE64" | base64 -d > /tmp/rsa_key.pem 2>/dev/null; then
  :
else
  # Try replacing literal \n
  echo "Attempting to replace literal \n and write PEM"
  printf '%b' "$RSA_PRIVATE_KEY_BASE64" > /tmp/rsa_key.pem
fi

# Validate with openssl
if openssl pkey -in /tmp/rsa_key.pem -noout -text >/dev/null 2>&1; then
  echo "RSA private key is valid PEM"
  exit 0
else
  echo "RSA private key is invalid"
  echo "Preview (first 20 lines):"
  sed -n '1,20p' /tmp/rsa_key.pem
  exit 1
fi