#!/usr/bin/env bash

function error_handler() {
  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
  exit "$2"
}
trap 'error_handler ${LINENO} $?' ERR
set -o errtrace -o errexit -o nounset -o pipefail

# this tests we can get a token from a public client and exchange it with a confidential client
# so we can see what resources that user has access to

# originally from https://medium.com/keycloak/keycloak-jwt-token-using-curl-post-72c9e791ba8c
# btw, meta config endpoint: http://localhost:7002/realms/spiffworkflow/.well-known/openid-configuration token exchange described at https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/token-exchange/token-exchange.adoc
# some UMA stuff at https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-authorization-obtaining-permission.adoc,
# though resource_set docs are elsewhere.

# ./bin/get_token # uses ciuser1 ciuser1
# ./bin/get_token ciadmin1 ciadmin1
# ./bin/get_token repeat_form_user_1 repeat_form_user_1 # actually has permissions to the resource in this script
# ./bin/get_token ciadmin1 ciadmin1 '%2Fprocess-models'

if [[ -z "${BACKEND_BASE_URL:-}" ]]; then
  # BACKEND_BASE_URL=http://localhost:7000
  BACKEND_BASE_URL=https://api.dev.spiffworkflow.org
fi
if [[ -z "${KEYCLOAK_BASE_URL:-}" ]]; then
  # KEYCLOAK_BASE_URL=http://localhost:7002
  if grep -qE "spiffworkflow.org" <<<"$BACKEND_BASE_URL" ; then
    env_domain=$(hot_sed -E 's/.*api\.(\w+\.spiffworkflow.org).*/\1/' <<<"${BACKEND_BASE_URL}")
    KEYCLOAK_BASE_URL="https://keycloak.${env_domain}"
  elif grep -qE "localhost:7000" <<<"$BACKEND_BASE_URL" ; then
    KEYCLOAK_BASE_URL="http://localhost:7002"
  fi
fi
if [[ -z "${BACKEND_CLIENT_ID:-}" ]]; then
  export BACKEND_CLIENT_ID=spiffworkflow-backend
fi
if [[ -z "${BACKEND_CLIENT_SECRET:-}" ]]; then
  export BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"  # noqa: S105
fi
USERNAME=${1-admin}
PASSWORD=${2-admin}
REALM_NAME=${3-spiffworkflow}

SECURE=false

BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64)
KEYCLOAK_URL=$KEYCLOAK_BASE_URL/realms/$REALM_NAME/protocol/openid-connect/token

>&2 echo "Using Keycloak: $KEYCLOAK_URL"
>&2 echo "realm: $REALM_NAME"
>&2 echo "client-id: $BACKEND_CLIENT_ID"
>&2 echo "username: $USERNAME"
>&2 echo "password: $PASSWORD"
>&2 echo "secure: $SECURE"


if [[ $SECURE = 'y' ]]; then
	INSECURE=
else
	INSECURE=--insecure
fi

### Basic auth test with backend
result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
 -d "username=$USERNAME" \
 -d "password=$PASSWORD" \
 -d 'grant_type=password' \
 -d "client_id=$BACKEND_CLIENT_ID" \
)
backend_token=$(jq -r '.access_token' <<< "$result")
if [[ -z "$backend_token" || "$backend_token" == "null" ]]; then
  >&2 echo "ERROR: Could not get the backend token. Received result: ${result}"
  exit 1
fi
echo "$backend_token"
# curl --fail -v "${BACKEND_BASE_URL}/v1.0/process-groups?per_page=1" -H "Authorization: Bearer $backend_token"
# curl -v -X POST "${BACKEND_BASE_URL}/v1.0/login_with_access_token?access_token=${backend_token}" -H "Authorization: Bearer $backend_token"


### Get with frontend and exchange with backend - not configured to work in keycloak atm
# result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
#  -H "Content-Type: application/x-www-form-urlencoded" \
#  -d "username=$USERNAME" \
#  -d "password=$PASSWORD" \
#  -d 'grant_type=password' \
#  -d "client_id=$FRONTEND_CLIENT_ID" \
# )
# frontend_token=$(jq -r '.access_token' <<< "$result")
#
# result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
#  -H "Content-Type: application/x-www-form-urlencoded" \
#  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
#  -d "client_id=$BACKEND_CLIENT_ID" \
#  -d "subject_token=${frontend_token}" \
#  -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
#  -d "audience=${BACKEND_CLIENT_ID}" \
# )
# backend_token=$(jq -r '.access_token' <<< "$result")

### Check fine grain permissions - does not work currently
# URI_TO_TEST_AGAINST=${3-'%2Fprocess-models%2Fcategory_number_one%2Fprocess-model-with-repeating-form'}
# if [[ "$backend_token" != 'null' ]]; then
#   echo "backend_token: $backend_token"
#
#   echo "Getting resource set"
#   # everything_resource_id='446bdcf4-a3bd-41c7-a0f8-67a225ba6b57'
#   resource_result=$(curl -s "${BASE_URL}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=${URI_TO_TEST_AGAINST}" -H "Authorization: Bearer $backend_token")
#   # resource_result=$(curl -s "${BASE_URL}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=false&deep=true&max=-1&exactName=false&type=admin" -H "Authorization: Bearer $backend_token")
#
#   resource_id_name_pairs=$(jq -r '.[] | "\(._id):\(.name)"' <<<"$resource_result" || echo '')
#   if [[ -z "$resource_id_name_pairs" || "$resource_id_name_pairs" == "null" ]]; then
#     >&2 echo "ERROR: Could not find the resource id from the result: ${resource_result}"
#     exit 1
#   fi
#   echo $resource_id_name_pairs
#
#   echo "Getting permissions"
#   for resource_id_name_pair in $resource_id_name_pairs ; do
#     resource_id=$(awk -F ':' '{print $1}' <<<"$resource_id_name_pair")
#     resource_name=$(awk -F ':' '{print $2}' <<<"$resource_id_name_pair")
#
#     echo "Checking $resource_name"
#     curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
#       -H "Content-Type: application/x-www-form-urlencoded" \
#       -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
#       -d "audience=${BACKEND_CLIENT_ID}" \
#       --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
#       -d "permission=${resource_id}" \
#       -d "subject_token=${backend_token}" \
#       | jq .
#   done
# else
#   echo "Failed auth result: $result"
# fi