#!/usr/bin/env sh
set -euo pipefail

. /vault/secrets/keycloak-admin-env.sh

KC_URL="http://keycloak.sso.svc.cluster.local"
ACCESS_TOKEN=""
for attempt in 1 2 3 4 5; do
  TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d "grant_type=password" \
    -d "client_id=admin-cli" \
    -d "username=${KEYCLOAK_ADMIN}" \
    -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
  ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
  if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
    break
  fi
  echo "Keycloak token request failed (attempt ${attempt})" >&2
  sleep $((attempt * 2))
done
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
  echo "Failed to fetch Keycloak admin token" >&2
  exit 1
fi

CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)"
CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"

if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
  create_payload='{"clientId":"harbor","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":false,"redirectUris":["https://registry.bstein.dev/c/oidc/callback"],"webOrigins":["https://registry.bstein.dev"],"rootUrl":"https://registry.bstein.dev","baseUrl":"/"}'
  status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "${create_payload}" \
    "$KC_URL/admin/realms/atlas/clients")"
  if [ "$status" != "201" ] && [ "$status" != "204" ]; then
    echo "Keycloak client create failed (status ${status})" >&2
    exit 1
  fi
  CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "$KC_URL/admin/realms/atlas/clients?clientId=harbor" || true)"
  CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
fi

if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
  echo "Keycloak client harbor not found" >&2
  exit 1
fi

CLIENT_CONFIG="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}" || true)"
if [ -n "$CLIENT_CONFIG" ]; then
  updated_config="$(echo "$CLIENT_CONFIG" | jq '.directAccessGrantsEnabled=true')"
  status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "${updated_config}" \
    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}")"
  if [ "$status" != "200" ] && [ "$status" != "204" ]; then
    echo "Keycloak client update failed (status ${status})" >&2
    exit 1
  fi
fi

SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
  echo "Keycloak client scope groups not found" >&2
  exit 1
fi

DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"

if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
  && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
  status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
    status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
    if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
      echo "Failed to attach groups client scope to harbor (status ${status})" >&2
      exit 1
    fi
  fi
fi

OFFLINE_SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/client-scopes?search=offline_access" | jq -r '.[] | select(.name=="offline_access") | .id' 2>/dev/null | head -n1 || true)"
if [ -n "$OFFLINE_SCOPE_ID" ] && [ "$OFFLINE_SCOPE_ID" != "null" ]; then
  if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="offline_access")' >/dev/null 2>&1 \
    && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="offline_access")' >/dev/null 2>&1; then
    status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${OFFLINE_SCOPE_ID}")"
    if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
      status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
        "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${OFFLINE_SCOPE_ID}")"
      if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
        echo "Failed to attach offline_access scope to harbor (status ${status})" >&2
        exit 1
      fi
    fi
  fi
fi

CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
  echo "Keycloak client secret not found" >&2
  exit 1
fi

CONFIG_OVERWRITE_JSON="$(jq -nc \
  --arg auth_mode "oidc_auth" \
  --arg oidc_name "Keycloak" \
  --arg oidc_client_id "harbor" \
  --arg oidc_client_secret "${CLIENT_SECRET}" \
  --arg oidc_endpoint "https://sso.bstein.dev/realms/atlas" \
  --arg oidc_scope "openid,profile,email,groups" \
  --arg oidc_user_claim "preferred_username" \
  --arg oidc_groups_claim "groups" \
  --arg oidc_admin_group "admin" \
  --argjson oidc_auto_onboard true \
  --argjson oidc_verify_cert true \
  --argjson oidc_logout true \
  '{auth_mode:$auth_mode,oidc_name:$oidc_name,oidc_client_id:$oidc_client_id,oidc_client_secret:$oidc_client_secret,oidc_endpoint:$oidc_endpoint,oidc_scope:$oidc_scope,oidc_user_claim:$oidc_user_claim,oidc_groups_claim:$oidc_groups_claim,oidc_admin_group:$oidc_admin_group,oidc_auto_onboard:$oidc_auto_onboard,oidc_verify_cert:$oidc_verify_cert,oidc_logout:$oidc_logout}')"

vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
vault_role="${VAULT_ROLE:-sso-secrets}"
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
vault_token="$(curl -sS --request POST --data "${login_payload}" \
  "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
  echo "vault login failed" >&2
  exit 1
fi

payload="$(jq -nc --arg value "${CONFIG_OVERWRITE_JSON}" '{data:{CONFIG_OVERWRITE_JSON:$value}}')"
curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
  -d "${payload}" "${vault_addr}/v1/kv/data/atlas/harbor/harbor-oidc" >/dev/null