#!/bin/bash
die() { echo >&2 "ERROR: $@" ; exit 1 ; }
info() { echo >&2 "$@" ; }

DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production

SECRETS="../data/keycloak/env.secrets"

if [ -r "$SECRETS" ]; then
	docker-compose up -d || die "keycloak: unable to start container"
	exit 0
fi

docker-compose down 2>/dev/null

KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)"
echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD"

mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
EOF

docker-compose up -d || die "unable to start keycloak"
echo "sleeping a minute while keycloak initializes..." 
sleep 30


info "logging into server"
docker-compose exec keycloak \
  /opt/keycloak/bin/kcadm.sh \
  config credentials \
  --server http://localhost:8080/ \
  --user admin \
  --password "$KEYCLOAK_ADMIN_PASSWORD" \
  --realm master \
|| die "unable to login"


info "Create a new realm for '$REALM'"
docker-compose exec keycloak \
  /opt/keycloak/bin/kcadm.sh \
  create realms \
  -s "realm=$REALM" \
  -s enabled=true \
|| die "unable to create realm"


# https://github.com/hedgedoc/hedgedoc/issues/56
info "Fix up a id bug"
docker-compose exec -T keycloak \
  /opt/keycloak/bin/kcadm.sh \
  create client-scopes \
  -r "$REALM" \
  -f - <<EOF || die "unable to create mapping"
 {
      "name": "id",
      "protocol": "openid-connect",
      "attributes": {
        "include.in.token.scope": "true",
        "display.on.consent.screen": "true"
      },
      "protocolMappers": [
        {
          "name": "id",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usermodel-property-mapper",
          "consentRequired": false,
          "config": {
            "user.attribute": "id",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "jsonType.label": "String",
            "userinfo.token.claim": "true"
          }
        }
      ]
}
EOF


info "Create an admin user in realm"
docker-compose exec -T keycloak \
  /opt/keycloak/bin/kcadm.sh \
  create users \
  -o \
  --fields id,username \
  -r "$REALM" \
  -s username=admin \
  -s enabled=true \
  -s 'credentials=[{"type":"'$KEYCLOAK_ADMIN_PASSWORD'","value":"admin","temporary":false}]' \
|| die "$REALM: unable to create admin user"