#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }

DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production || die "no top levle env?"
source env.production || die "no local env?"

SECRETS="../data/hedgedoc/env.secrets"

if [ -r "$SECRETS" ]; then
	docker-compose up -d || die "hedgedoc: unable to start"
	exit 0
fi

docker-compose down 2>/dev/null

# regenerate the client secrets
CLIENT_SECRET="$(openssl rand -hex 20)"
SESSION_SECRET="$(openssl rand -hex 20)"

mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN
CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
CMD_SESSION_SECRET=$SESSION_SECRET
CMD_DOMAIN=${HEDGEDOC_HOSTNAME}
CMD_OAUTH2_AUTHORIZATION_URL=https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/protocol/openid-connect/auth
CMD_OAUTH2_TOKEN_URL=https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/protocol/openid-connect/token
CMD_OAUTH2_USER_PROFILE_URL=https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/protocol/openid-connect/userinfo
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
CMD_OAUTH2_CLIENT_ID=hedgedoc
CMD_OAUTH2_PROVIDERNAME=Keycloak
EOF

../keycloak/client-delete hedgedoc

../keycloak/client-create <<EOF || die "unable to create hedgedoc client"
{
	"clientId": "hedgedoc",
	"rootUrl": "https://$HEDGEDOC_HOSTNAME",
	"adminUrl": "https://$HEDGEDOC_HOSTNAME",
	"redirectUris": [ "https://$HEDGEDOC_HOSTNAME/*" ],
	"webOrigins": [ "https://$HEDGEDOC_HOSTNAME" ],
	"clientAuthenticatorType": "client-secret",
	"secret": "$CLIENT_SECRET",
	"defaultClientScopes": [
		"web-origins",
		"acr",
		"profile",
		"roles",
		"id",
		"email"
	],
	"optionalClientScopes": [
		"address",
		"phone",
		"offline_access",
		"microprofile-jwt"
	]
}
EOF

docker-compose up -d || die "hedgedoc: unable to start container"