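#!/usr/bin/env nix-shell
#!nix-shell -i bash -p ripgrep oath-toolkit
#
# Local-dev helper: reset the kanidm admin accounts, start a long-lived
# kanidm CLI client container, and seed test users, a group and an OAuth2
# application.
#
# Requires: a running podman container named "kanidm" (the server) and a
# ./client.toml (kanidm client config) in the current directory.
#
# SECURITY: this is a test fixture, not a provisioning tool. It prints the
# freshly reset admin passwords to stdout, loosens the credential policy for
# every person in the instance and registers a plain-http OAuth2 redirect.
# Never point it at a real deployment.
set -euo pipefail

# Throwaway credential used only by the (currently disabled) interactive
# credential-update flow in create_user. Test-only value; do not reuse.
readonly FAKE_PASSWORD="f0rTkN0x1s_cool"

# Print an error to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Run a command inside the kanidm server container.
kdrun() {
  podman exec -it kanidm "$@"
}

# Reset an account with `kanidmd recover-account` and print the new password
# on stdout.
# Arguments: $1 - account name (e.g. admin, idm_admin)
# Fails with a readable message instead of the silent exit that `set -e`
# would otherwise produce when the `new_password: "..."` line is missing.
recover_password() {
  local account="$1"
  local password
  password="$(kdrun kanidmd recover-account "$account" \
    | rg '.*new_password: "([^"]+)"' -r '$1')" \
    || die "could not recover password for '${account}'"
  # podman exec -t allocates a pty, which may leave a trailing CR on the
  # captured line; stripping it is harmless when none is present.
  password="${password//$'\r'/}"
  [[ -n "$password" ]] || die "empty password recovered for '${account}'"
  printf '%s\n' "$password"
}

echo "Resetting kanidm admin credentials"
admin_password="$(recover_password admin)"
idm_password="$(recover_password idm_admin)"
# NOTE: these are live credentials for the local instance; they land in any
# terminal scrollback or CI log that captures this script's stdout.
echo "admin password: $admin_password"
echo "idm_admin password: $idm_password"

# Start a kanidm CLI client container in the background and keep it alive
# for an hour; the admin sessions established below live inside it.
podman kill kanidm-client &>/dev/null || true   # best-effort: may not exist
sleep 0.2
# NOTE(review): image is pinned by tag only. Pin by digest
# (kanidm/tools@sha256:...) before this is used anywhere beyond local dev.
# --network host is presumably so the client reaches the server on localhost
# as configured in client.toml — verify against that file.
podman run -itd --rm \
  --network host \
  --name kanidm-client \
  -v "$PWD/client.toml:/root/.config/kanidm:ro" \
  docker.io/kanidm/tools:1.2.3 \
  bash -c 'sleep 3600' \
  >/dev/null   # the printed container id is noise; errors still reach stderr
sleep 0.2

# Run a command inside the kanidm client container.
krun() {
  podman exec -it kanidm-client "$@"
}

# Log both admin accounts in. Passwords are passed on stdin rather than argv
# so they never appear in `ps` output or the shell trace.
printf '%s\n' "$admin_password" | krun kanidm login -D admin
printf '%s\n' "$idm_password" | krun kanidm login -D idm_admin

# Create a test person with placeholder legal name and e-mail address.
# Arguments: $1 - username
create_user() {
  local username="$1"
  echo "Creating person (user) '${username}'..."
  # krun kanidm person delete "$username" --name idm_admin
  krun kanidm person create "$username" "$username user" --name idm_admin
  krun kanidm person update "$username" \
    --legalname "$username Lastname" \
    --mail "${username}@example.com" \
    --name idm_admin
  # TODO: setting a password + TOTP through the interactive
  # `credential update` prompt does not work yet (the changes never commit).
  # Driving an interactive prompt with timed echos is inherently racy. If this
  # is re-enabled: use `mktemp` instead of a fixed /tmp path — the log below
  # would contain the TOTP secret in a predictable, world-readable location.
  # (
  # sleep 0.1
  # echo "pass"
  # sleep 0.1
  # echo "$FAKE_PASSWORD"
  # sleep 0.1
  # echo "$FAKE_PASSWORD"
  # sleep 0.1
  # echo "totp"
  # sleep 0.1
  # echo "totpname"
  # sleep 0.25
  # totp_uri="$(rg 'TOTP URI: (.+)' /tmp/create-user-log.txt -r '$1')"
  # totp_secret="$(echo "$totp_uri" | rg '.*?secret=([^&]+).*' -r '$1')"
  # totp_code="$(oathtool --totp=SHA256 -b "$totp_secret")"
  # echo "$totp_code"
  # sleep 0.1
  # echo "commit"
  # sleep 0.1
  # echo "y"
  # sleep 0.1
  # echo "end"
  # ) | krun kanidm person credential update "$username" --name idm_admin | tee /tmp/create-user-log.txt
}

# Loosen the credential policy for ALL persons so test accounts can be given
# any credential type. Test-only; never run this against a real instance.
krun kanidm group account-policy credential-type-minimum idm_all_persons any --name idm_admin

# Groups
app="yourcloud"
adm_group="${app}--admins"
krun kanidm group create "$adm_group" --name idm_admin

# OAuth2 client for the app. A plain-http redirect URI is only acceptable
# for a local dev server.
krun kanidm system oauth2 create "$app" "Yourcloud" "http://localhost:3000" --name idm_admin
krun kanidm system oauth2 update-scope-map "$app" "$adm_group" admin openid email read --name idm_admin

# TODO: expired/disabled users?
# for u in alice bob user1 user2 user3; do
#   create_user "$u"
# done
for u in gilfoyle dinesh; do
  create_user "$u"
done

# add users to groups
# krun kanidm group add-members "$adm_group" gilfoyle --name idm_admin
# krun kanidm group add-members "$adm_group" dinesh --name idm_admin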