#!/usr/bin/env sh
set -euo pipefail

. /vault/secrets/keycloak-admin-env.sh

KC_URL="${KEYCLOAK_SERVER:-http://keycloak.sso.svc.cluster.local}"
REALM="${KEYCLOAK_REALM:-veles}"
CLIENT_ID="${KEYCLOAK_CLIENT_ID:-gitea}"
PUBLIC_BASE_URL="${GITEA_PUBLIC_BASE_URL:-https://scm.bstein.dev}"
AUTH_SOURCE_NAME="${GITEA_AUTH_SOURCE_NAME:-veles}"
TESTER_GROUP="${VELES_GITEA_TESTER_GROUP:-veles-tester}"
VAULT_SECRET_PATH="${VAULT_SECRET_PATH:-gitea/gitea-veles-oidc}"
GROUP_TEAM_MAP="${GITEA_GROUP_TEAM_MAP:-}"

ACCESS_TOKEN=""
for attempt in 1 2 3 4 5 6 7 8 9 10; do
  if curl -fsS "${KC_URL}/realms/master" >/dev/null 2>&1; then
    break
  fi
  echo "Waiting for Keycloak to be reachable (attempt ${attempt})" >&2
  sleep $((attempt * 2))
done

for attempt in 1 2 3 4 5; do
  TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d "grant_type=password" \
    -d "client_id=admin-cli" \
    -d "username=${KEYCLOAK_ADMIN}" \
    -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
  ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
  if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
    break
  fi
  echo "Keycloak token request failed (attempt ${attempt})" >&2
  sleep $((attempt * 2))
done
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
  echo "Failed to fetch Keycloak admin token" >&2
  exit 1
fi

ensure_group() {
  group_name="$1"
  groups="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/groups?search=$(printf '%s' "${group_name}" | jq -sRr @uri)" || true)"
  group_id="$(echo "$groups" | jq -r --arg name "$group_name" '.[]? | select(.name == $name) | .id' | head -n1 || true)"
  if [ -n "$group_id" ] && [ "$group_id" != "null" ]; then
    printf '%s' "$group_id"
    return
  fi
  status="$(curl -sS -o /tmp/keycloak-group-create.json -w "%{http_code}" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "$(jq -nc --arg name "$group_name" '{name:$name}')" \
    "${KC_URL}/admin/realms/${REALM}/groups")"
  if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
    echo "Keycloak group create failed for ${group_name} (status ${status})" >&2
    cat /tmp/keycloak-group-create.json >&2 || true
    exit 1
  fi
  groups="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/groups?search=$(printf '%s' "${group_name}" | jq -sRr @uri)" || true)"
  group_id="$(echo "$groups" | jq -r --arg name "$group_name" '.[]? | select(.name == $name) | .id' | head -n1 || true)"
  if [ -z "$group_id" ] || [ "$group_id" = "null" ]; then
    echo "Keycloak group ${group_name} not found after create" >&2
    exit 1
  fi
  printf '%s' "$group_id"
}

ensure_role() {
  role_name="$1"
  role="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/roles/$(printf '%s' "${role_name}" | jq -sRr @uri)" || true)"
  if echo "$role" | jq -e --arg name "$role_name" '.name == $name' >/dev/null 2>&1; then
    printf '%s' "$role"
    return
  fi
  status="$(curl -sS -o /tmp/keycloak-role-create.json -w "%{http_code}" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "$(jq -nc --arg name "$role_name" '{name:$name}')" \
    "${KC_URL}/admin/realms/${REALM}/roles")"
  if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
    echo "Keycloak role create failed for ${role_name} (status ${status})" >&2
    cat /tmp/keycloak-role-create.json >&2 || true
    exit 1
  fi
  role="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/roles/$(printf '%s' "${role_name}" | jq -sRr @uri)" || true)"
  if ! echo "$role" | jq -e --arg name "$role_name" '.name == $name' >/dev/null 2>&1; then
    echo "Keycloak role ${role_name} not found after create" >&2
    exit 1
  fi
  printf '%s' "$role"
}

ensure_group_role() {
  group_id="$1"
  role_json="$2"
  role_name="$(echo "$role_json" | jq -r '.name')"
  mappings="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/groups/${group_id}/role-mappings/realm" || true)"
  if echo "$mappings" | jq -e --arg name "$role_name" '.[]? | select(.name == $name)' >/dev/null 2>&1; then
    return
  fi
  status="$(curl -sS -o /tmp/keycloak-group-role.json -w "%{http_code}" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "[$role_json]" \
    "${KC_URL}/admin/realms/${REALM}/groups/${group_id}/role-mappings/realm")"
  if [ "$status" != "200" ] && [ "$status" != "204" ]; then
    echo "Keycloak group role mapping failed for ${role_name} (status ${status})" >&2
    cat /tmp/keycloak-group-role.json >&2 || true
    exit 1
  fi
}

ensure_mapper() {
  client_uuid="$1"
  mapper_name="$2"
  mapper_payload="$3"
  mappers="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/clients/${client_uuid}/protocol-mappers/models" || true)"
  mapper_id="$(echo "$mappers" | jq -r --arg name "$mapper_name" '.[]? | select(.name == $name) | .id' | head -n1 || true)"
  if [ -n "$mapper_id" ] && [ "$mapper_id" != "null" ]; then
    mapper_payload="$(echo "$mapper_payload" | jq --arg id "$mapper_id" '. + {id:$id}')"
    status="$(curl -sS -o /tmp/keycloak-mapper.json -w "%{http_code}" -X PUT \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      -H 'Content-Type: application/json' \
      -d "${mapper_payload}" \
      "${KC_URL}/admin/realms/${REALM}/clients/${client_uuid}/protocol-mappers/models/${mapper_id}")"
  else
    status="$(curl -sS -o /tmp/keycloak-mapper.json -w "%{http_code}" -X POST \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      -H 'Content-Type: application/json' \
      -d "${mapper_payload}" \
      "${KC_URL}/admin/realms/${REALM}/clients/${client_uuid}/protocol-mappers/models")"
  fi
  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
    echo "Keycloak mapper ensure failed for ${mapper_name} (status ${status})" >&2
    cat /tmp/keycloak-mapper.json >&2 || true
    exit 1
  fi
}

ensure_client_scope() {
  scope_name="$1"
  scopes="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/client-scopes?search=$(printf '%s' "${scope_name}" | jq -sRr @uri)" || true)"
  scope_id="$(echo "$scopes" | jq -r --arg name "$scope_name" '.[]? | select(.name == $name) | .id' | head -n1 || true)"
  if [ -n "$scope_id" ] && [ "$scope_id" != "null" ]; then
    printf '%s' "$scope_id"
    return
  fi

  scope_payload="$(jq -nc --arg name "$scope_name" '{name:$name,protocol:"openid-connect",attributes:{"include.in.token.scope":"true","display.on.consent.screen":"false"}}')"
  status="$(curl -sS -o /tmp/keycloak-client-scope-create.json -w "%{http_code}" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "${scope_payload}" \
    "${KC_URL}/admin/realms/${REALM}/client-scopes")"
  if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
    echo "Keycloak client scope create failed for ${scope_name} (status ${status})" >&2
    cat /tmp/keycloak-client-scope-create.json >&2 || true
    exit 1
  fi

  scopes="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/client-scopes?search=$(printf '%s' "${scope_name}" | jq -sRr @uri)" || true)"
  scope_id="$(echo "$scopes" | jq -r --arg name "$scope_name" '.[]? | select(.name == $name) | .id' | head -n1 || true)"
  if [ -z "$scope_id" ] || [ "$scope_id" = "null" ]; then
    echo "Keycloak client scope ${scope_name} not found after create" >&2
    exit 1
  fi
  printf '%s' "$scope_id"
}

ensure_scope_mapper() {
  scope_id="$1"
  mapper_name="$2"
  mapper_payload="$3"
  mappers="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/client-scopes/${scope_id}/protocol-mappers/models" || true)"
  mapper_id="$(echo "$mappers" | jq -r --arg name "$mapper_name" '.[]? | select(.name == $name) | .id' | head -n1 || true)"
  if [ -n "$mapper_id" ] && [ "$mapper_id" != "null" ]; then
    mapper_payload="$(echo "$mapper_payload" | jq --arg id "$mapper_id" '. + {id:$id}')"
    status="$(curl -sS -o /tmp/keycloak-scope-mapper.json -w "%{http_code}" -X PUT \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      -H 'Content-Type: application/json' \
      -d "${mapper_payload}" \
      "${KC_URL}/admin/realms/${REALM}/client-scopes/${scope_id}/protocol-mappers/models/${mapper_id}")"
  else
    status="$(curl -sS -o /tmp/keycloak-scope-mapper.json -w "%{http_code}" -X POST \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      -H 'Content-Type: application/json' \
      -d "${mapper_payload}" \
      "${KC_URL}/admin/realms/${REALM}/client-scopes/${scope_id}/protocol-mappers/models")"
  fi
  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
    echo "Keycloak client-scope mapper ensure failed for ${mapper_name} (status ${status})" >&2
    cat /tmp/keycloak-scope-mapper.json >&2 || true
    exit 1
  fi
}

ensure_client_optional_scope() {
  client_uuid="$1"
  scope_id="$2"
  scope_name="$3"
  default_scopes="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/clients/${client_uuid}/default-client-scopes" || true)"
  optional_scopes="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/clients/${client_uuid}/optional-client-scopes" || true)"

  if echo "$default_scopes" | jq -e --arg name "$scope_name" '.[]? | select(.name == $name)' >/dev/null 2>&1 \
    || echo "$optional_scopes" | jq -e --arg name "$scope_name" '.[]? | select(.name == $name)' >/dev/null 2>&1; then
    return
  fi

  status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/clients/${client_uuid}/optional-client-scopes/${scope_id}")"
  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
    status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      "${KC_URL}/admin/realms/${REALM}/clients/${client_uuid}/optional-client-scopes/${scope_id}")"
    if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
      echo "Failed to attach ${scope_name} client scope to ${CLIENT_ID} (status ${status})" >&2
      exit 1
    fi
  fi
}

TESTER_GROUP_ID="$(ensure_group "${TESTER_GROUP}")"
TESTER_ROLE="$(ensure_role "${TESTER_GROUP}")"
ensure_group_role "${TESTER_GROUP_ID}" "${TESTER_ROLE}"

CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "${KC_URL}/admin/realms/${REALM}/clients?clientId=$(printf '%s' "${CLIENT_ID}" | jq -sRr @uri)" || true)"
CLIENT_UUID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"

client_payload="$(jq -nc \
  --arg client_id "${CLIENT_ID}" \
  --arg root_url "${PUBLIC_BASE_URL}" \
  --arg callback "${PUBLIC_BASE_URL}/user/oauth2/${AUTH_SOURCE_NAME}/callback" \
  '{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$callback],webOrigins:[$root_url],rootUrl:$root_url,baseUrl:"/",attributes:{"pkce.code.challenge.method":"","post.logout.redirect.uris":($root_url + "/*")}}')"

if [ -z "$CLIENT_UUID" ] || [ "$CLIENT_UUID" = "null" ]; then
  status="$(curl -sS -o /tmp/keycloak-client-create.json -w "%{http_code}" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "${client_payload}" \
    "${KC_URL}/admin/realms/${REALM}/clients")"
  if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
    echo "Keycloak client create failed for ${CLIENT_ID} (status ${status})" >&2
    cat /tmp/keycloak-client-create.json >&2 || true
    exit 1
  fi
  CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "${KC_URL}/admin/realms/${REALM}/clients?clientId=$(printf '%s' "${CLIENT_ID}" | jq -sRr @uri)" || true)"
  CLIENT_UUID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
fi

if [ -z "$CLIENT_UUID" ] || [ "$CLIENT_UUID" = "null" ]; then
  echo "Keycloak client ${CLIENT_ID} not found after create" >&2
  exit 1
fi

status="$(curl -sS -o /tmp/keycloak-client-update.json -w "%{http_code}" -X PUT \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H 'Content-Type: application/json' \
  -d "${client_payload}" \
  "${KC_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}")"
if [ "$status" != "200" ] && [ "$status" != "204" ]; then
  echo "Keycloak client update failed for ${CLIENT_ID} (status ${status})" >&2
  cat /tmp/keycloak-client-update.json >&2 || true
  exit 1
fi

groups_mapper_payload="$(jq -nc \
  '{name:"groups",protocol:"openid-connect",protocolMapper:"oidc-group-membership-mapper",consentRequired:false,config:{"full.path":"false","id.token.claim":"true","access.token.claim":"true","userinfo.token.claim":"true","claim.name":"groups","jsonType.label":"String"}}')"
roles_mapper_payload="$(jq -nc \
  '{name:"roles",protocol:"openid-connect",protocolMapper:"oidc-usermodel-realm-role-mapper",consentRequired:false,config:{"multivalued":"true","id.token.claim":"true","access.token.claim":"true","userinfo.token.claim":"true","claim.name":"roles","jsonType.label":"String"}}')"
ensure_mapper "${CLIENT_UUID}" groups "${groups_mapper_payload}"
ensure_mapper "${CLIENT_UUID}" roles "${roles_mapper_payload}"
GROUPS_SCOPE_ID="$(ensure_client_scope groups)"
ensure_scope_mapper "${GROUPS_SCOPE_ID}" groups "${groups_mapper_payload}"
ensure_client_optional_scope "${CLIENT_UUID}" "${GROUPS_SCOPE_ID}" groups

CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "${KC_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
  echo "Keycloak client secret not found for ${CLIENT_ID}" >&2
  exit 1
fi

vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
vault_role="${VAULT_ROLE:-sso-secrets}"
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
vault_token="$(curl -sS --request POST --data "${login_payload}" \
  "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
  echo "vault login failed" >&2
  exit 1
fi

payload="$(jq -nc \
  --arg client_id "${CLIENT_ID}" \
  --arg client_secret "${CLIENT_SECRET}" \
  --arg issuer "https://sso.bstein.dev/realms/${REALM}" \
  --arg auto_discovery_url "https://sso.bstein.dev/realms/${REALM}/.well-known/openid-configuration" \
  --arg auth_source_name "${AUTH_SOURCE_NAME}" \
  --arg tester_group "${TESTER_GROUP}" \
  --arg group_team_map "${GROUP_TEAM_MAP}" \
  '{data:{client_id:$client_id,client_secret:$client_secret,issuer:$issuer,openid_auto_discovery_url:$auto_discovery_url,auth_source_name:$auth_source_name,required_claim_name:"groups",required_claim_value:$tester_group,group_claim_name:"groups",restricted_group:$tester_group,group_team_map:$group_team_map}}')"

write_status="$(curl -sS -o /tmp/veles-gitea-oidc-write.json -w "%{http_code}" -X POST \
  -H "X-Vault-Token: ${vault_token}" \
  -H 'Content-Type: application/json' \
  -d "${payload}" "${vault_addr}/v1/kv/data/atlas/${VAULT_SECRET_PATH}")"
if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
  echo "Vault write failed for ${VAULT_SECRET_PATH} (status ${write_status})" >&2
  cat /tmp/veles-gitea-oidc-write.json >&2 || true
  exit 1
fi

echo "Veles Gitea OIDC client ready in Keycloak and Vault"