#!/bin/bash -x
# Turn on the userinfo for the roles/cient roles default protocol mapper.
# this should be so much easier, but they don't have ways to do queries?
# and they don't include jq in the keycloak container, so updating the JSON
# it banging the rocks together with sed and awk.

die() { echo >&2 "ERROR: $@" ; exit 1 ; }

SCOPE_ID=$(kcadm.sh get -r $REALM client-scopes --fields id,name --format csv --noquotes | awk -F, '/,roles$/ { print $1 }')
if [ -z "$SCOPE_ID" ]; then die "no client scope" ; fi

MAPPER_ID=$(kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models --format csv --noquotes | awk -F, '/,client roles,/ { print $1 }')
if [ -z "$MAPPER_ID" ]; then die "no mapper defined" ; fi

tee /tmp/map <<EOF
{
  "id" : "$MAPPER_ID",
  "name" : "client roles",
  "protocol" : "openid-connect",
  "protocolMapper" : "oidc-usermodel-client-role-mapper",
  "consentRequired" : false,
  "config" : {
    "user.attribute" : "foo",
    "access.token.claim" : "true",
    "userinfo.token.claim" : "true",
    "claim.name" : "resource_access.\${client_id}.roles",
    "jsonType.label" : "String",
    "multivalued" : "true"
  }
}
EOF

kcadm.sh update -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID -f /tmp/map \
	|| die "$REALM/$SCOPE_ID/$MAPPER_ID: unable to configure mapper"
kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID