#!/bin/bash

# Script complet de configuration Keycloak

KEYCLOAK_URL="http://localhost:8180"
ADMIN_USER="admin"
ADMIN_PASS="admin"
REALM_NAME="unionflow"
CLIENT_ID="unionflow-client"

echo "🔧 Configuration automatique de Keycloak..."
echo ""

# Obtenir le token
echo "1. Obtention du token admin..."
TOKEN_RESPONSE=$(curl -s -X POST "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=$ADMIN_USER" \
  -d "password=$ADMIN_PASS" \
  -d "grant_type=password" \
  -d "client_id=admin-cli")

TOKEN=$(echo "$TOKEN_RESPONSE" | grep -o '"access_token":"[^"]*' | cut -d'"' -f4)

if [ -z "$TOKEN" ]; then
    echo "❌ Impossible d'obtenir le token admin"
    exit 1
fi
echo "✅ Token obtenu"

# Créer le realm (ignore si existe déjà)
echo ""
echo "2. Création du realm..."
curl -s -X POST "$KEYCLOAK_URL/admin/realms" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"realm\":\"$REALM_NAME\",\"enabled\":true,\"displayName\":\"UnionFlow\"}" > /dev/null 2>&1
echo "✅ Realm vérifié"

# Créer les rôles
echo ""
echo "3. Création des rôles..."
curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"SUPER_ADMIN","description":"Super admin"}' > /dev/null 2>&1

curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"ADMIN_ENTITE","description":"Admin entite"}' > /dev/null 2>&1

curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"MEMBRE","description":"Membre"}' > /dev/null 2>&1

curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"GESTIONNAIRE_MEMBRE","description":"Gestionnaire"}' > /dev/null 2>&1
echo "✅ Rôles vérifiés"

# Créer le client
echo ""
echo "4. Création du client..."
curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/clients" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"clientId\":\"$CLIENT_ID\",\"enabled\":true,\"protocol\":\"openid-connect\",\"publicClient\":false,\"directAccessGrantsEnabled\":true,\"standardFlowEnabled\":true,\"implicitFlowEnabled\":false,\"rootUrl\":\"http://localhost:8086\",\"redirectUris\":[\"http://localhost:8086/*\"],\"webOrigins\":[\"http://localhost:8086\"],\"attributes\":{\"post.logout.redirect.uris\":\"http://localhost:8086/*\"}}" > /dev/null 2>&1
echo "✅ Client vérifié"

# Récupérer l'UUID du client
echo ""
echo "5. Récupération du client UUID..."
curl -s -X GET "$KEYCLOAK_URL/admin/realms/$REALM_NAME/clients" \
  -H "Authorization: Bearer $TOKEN" > clients_temp.json

# Sauvegarder dans un fichier pour debug
cat clients_temp.json > clients_debug.json

# Extraire seulement l'entrée du client unionflow-client
# On cherche la ligne complète qui contient notre client
CLIENT_UUID=$(cat clients_temp.json | tr ',' '\n' | grep -A 10 "\"clientId\":\"$CLIENT_ID\"" | grep "\"id\":" | head -1 | grep -o '"[a-f0-9-]*"' | tr -d '"')

if [ -z "$CLIENT_UUID" ]; then
    echo "❌ Impossible de trouver le client UUID"
    echo "Contenu du fichier (premiers 500 caractères):"
    head -c 500 clients_debug.json
    exit 1
fi
echo "✅ Client UUID: $CLIENT_UUID"

# Récupérer le client secret
echo ""
echo "6. Récupération du client secret..."
SECRET_JSON=$(curl -s -X GET "$KEYCLOAK_URL/admin/realms/$REALM_NAME/clients/$CLIENT_UUID/client-secret" \
  -H "Authorization: Bearer $TOKEN")

CLIENT_SECRET=$(echo "$SECRET_JSON" | grep -o '"value":"[^"]*' | cut -d'"' -f4)

if [ -z "$CLIENT_SECRET" ]; then
    echo "❌ Impossible de récupérer le client secret"
    echo "Contenu reçu: $SECRET_JSON"
    exit 1
fi
echo "✅ Client Secret: $CLIENT_SECRET"

# Configurer le mapper de rôles
echo ""
echo "7. Configuration du mapper de rôles..."
SCOPES_JSON=$(curl -s -X GET "$KEYCLOAK_URL/admin/realms/$REALM_NAME/clients/$CLIENT_UUID/default-client-scopes" \
  -H "Authorization: Bearer $TOKEN")

SCOPE_ID=$(echo "$SCOPES_JSON" | grep -o '"id":"[^"]*"' | grep -A5 "dedicated" | head -1 | cut -d'"' -f4)

if [ -n "$SCOPE_ID" ]; then
    curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/client-scopes/$SCOPE_ID/protocol-mappers/models" \
      -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"name":"realm-roles","protocol":"openid-connect","protocolMapper":"oidc-usermodel-realm-role-mapper","config":{"multivalued":"true","userinfo.token.claim":"true","id.token.claim":"true","access.token.claim":"true","claim.name":"roles","jsonType.label":"String"}}' > /dev/null 2>&1
    echo "✅ Mapper configuré"
else
    echo "⚠️  Scope non trouvé, mapper à configurer manuellement"
fi

# Créer l'utilisateur test
echo ""
echo "8. Création de l'utilisateur test..."
curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/users" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"username":"test@unionflow.dev","email":"test@unionflow.dev","firstName":"Test","lastName":"User","enabled":true,"emailVerified":true}' > /dev/null 2>&1

# Récupérer l'ID de l'utilisateur
USER_JSON=$(curl -s -X GET "$KEYCLOAK_URL/admin/realms/$REALM_NAME/users?username=test@unionflow.dev" \
  -H "Authorization: Bearer $TOKEN")

USER_ID=$(echo "$USER_JSON" | grep -o '"id":"[^"]*' | head -1 | cut -d'"' -f4)

if [ -n "$USER_ID" ]; then
    # Définir le mot de passe
    curl -s -X PUT "$KEYCLOAK_URL/admin/realms/$REALM_NAME/users/$USER_ID/reset-password" \
      -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"type":"password","value":"test123","temporary":false}' > /dev/null 2>&1
    echo "✅ Utilisateur créé (test@unionflow.dev / test123)"

    # Récupérer et assigner les rôles
    ROLES_JSON=$(curl -s -X GET "$KEYCLOAK_URL/admin/realms/$REALM_NAME/roles" \
      -H "Authorization: Bearer $TOKEN")

    ROLE_MEMBRE=$(echo "$ROLES_JSON" | grep -B2 '"name":"MEMBRE"' | grep '"id"' | grep -o '"id":"[^"]*' | cut -d'"' -f4)
    ROLE_ADMIN=$(echo "$ROLES_JSON" | grep -B2 '"name":"ADMIN_ENTITE"' | grep '"id"' | grep -o '"id":"[^"]*' | cut -d'"' -f4)

    if [ -n "$ROLE_MEMBRE" ]; then
        curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/users/$USER_ID/role-mappings/realm" \
          -H "Authorization: Bearer $TOKEN" \
          -H "Content-Type: application/json" \
          -d "[{\"id\":\"$ROLE_MEMBRE\",\"name\":\"MEMBRE\"}]" > /dev/null 2>&1
        echo "  ✅ Rôle MEMBRE assigné"
    fi

    if [ -n "$ROLE_ADMIN" ]; then
        curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/users/$USER_ID/role-mappings/realm" \
          -H "Authorization: Bearer $TOKEN" \
          -H "Content-Type: application/json" \
          -d "[{\"id\":\"$ROLE_ADMIN\",\"name\":\"ADMIN_ENTITE\"}]" > /dev/null 2>&1
        echo "  ✅ Rôle ADMIN_ENTITE assigné"
    fi
else
    echo "⚠️  Utilisateur non trouvé"
fi

# Sauvegarder dans .env
echo ""
echo "9. Sauvegarde de la configuration..."
cat > .env << EOF
# Configuration Keycloak générée automatiquement
# Date: $(date)

KEYCLOAK_CLIENT_SECRET=$CLIENT_SECRET
UNIONFLOW_BACKEND_URL=http://localhost:8085

# Informations de connexion pour tests
# Username: test@unionflow.dev
# Password: test123
EOF

echo "✅ Fichier .env créé"

# Résumé
echo ""
echo "========================================================"
echo "✅ Configuration terminée avec succès!"
echo "========================================================"
echo ""
echo "📋 Résumé:"
echo "   - Realm: $REALM_NAME"
echo "   - Client ID: $CLIENT_ID"
echo "   - Client Secret: $CLIENT_SECRET"
echo "   - Utilisateur: test@unionflow.dev / test123"
echo ""
echo "🚀 Prochaines étapes:"
echo "   1. Lancez: ./start-local.sh (ou start-local.bat)"
echo "   2. Accédez à: http://localhost:8086"
echo "   3. Connectez-vous avec test@unionflow.dev / test123"
echo ""